I had thought the world was safe from the nuttiness of the Justice Department’s broad theories of the Computer Fraud and Abuse Act in the Lori Drew case. Not so. Readers may recall I once blogged about a similar case, United States v. Nosal, that raised similar issues in the context of an employee who breached his employer’s written restrictions on computer use. What I didn’t realize is that DOJ appealed a district court’s order in Nosal and brought the issue to the Ninth Circuit.
In a divided opinion today by Judge Trott, joined by Judge O’Scannlain, United States v. Nosal, the Ninth Circuit held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions — including use restrictions.” From the opinion:
Korn/Ferry employees were subject to a computer use policy that placed clear and conspicuous restrictions on the employees’ access both to the system in general and to the Searcher database in particular. . . . . For this reason, we conclude that the rule of lenity, which applied with particular force in interpreting the phrase “without authorization,” does not support ignoring the statutory language and the core rationale of Brekka.
Nosal’s argument that the government’s “Orwellian” interpretation would improperly criminalize certain actions depending only on the vagaries and whims of the employer is foreclosed by Brekka, which held unequivocally that under § 1030 the employer determines whether an employee is authorized. Therefore, as long as the employee has knowledge of the employer’s limitations on that authorization, the employee “exceeds authorized access” when the employee violates those limitations. It is as simple as that.
.... [W]e clarify that under the CFAA, an employee accesses a computer in excess of his or her authorization when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer.
I think this reading of the statute is unconstitutional, as I have argued specifically in a discussion of Nosal in this article: Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1584-87 (2010). Here’s what I wrote about the government’s theory in Nosal:
[M]any employees routinely use protected computers in the course of their day for a tremendously wide range of functions. Employee use of computers tracks employee attention spans. Attention wanders, and our computer use wanders with it. We think, therefore we Google. As a result, it is rare, if not inconceivable, for every keystroke to be clearly and strictly in the course of furthering an employment relationship. The best employee in a larger company might spend thirty minutes writing up a report, and then spend one minute checking personal e-mail and twenty seconds to check the weather to see if the baseball game after work might be rained out. He might then spend ten more minutes working on the report followed by two minutes to check the online news. Over the course of the day, he might use the computer for primarily personal reasons dozens or even hundreds of times.
The checking of personal e-mail, viewing a weather report, or loading up a new site is the modern equivalent of getting up to stretch, or to talk briefly with a coworker. It is downtime, time spent recharging mental batteries. And yet because it uses a computer, it is also technically “accessing” a protected computer. Each visit, each checking, and each viewing involves entering a command into a computer network and retrieving information from a server. Assuming that using a computer to retrieve information “accesses” that computer, the interpretation that courts give to lack of authorization ends up determining whether these keystrokes amount to federal crimes.
The interpretation of unauthorized access must give employees sufficient notice of what is criminal and also provide sufficient guidelines to law enforcement to avoid discriminatory enforcement. Interpreting the CFAA to prohibit employee access of an employer’s computer for reasons outside the employment context runs afoul of that command. First, the theory gives employees insufficient notice of what line distinguishes computer use that is allowed from computer use that is prohibited. The key consideration seems to be motive, but the employee has no way to determine what motives are illicit–and in the case of mixed motives, what proportion are illicit. Is use of an employer’s computer for personal reasons always prohibited? Sometimes prohibited? If sometimes, when? And if some amount of personal use is permitted, where is the line? If use of an employer’s computer directly contrary to the employer’s interest is required, how contrary is directly contrary? Is mere waste of the employee’s time enough? The cases generally deal with the dramatic facts of an employee who accessed a sensitive and valuable database to gather data that could be used to establish a competing company. But how sensitive does the database need to be? How valuable does the data need to be? The agency theory of liability under the CFAA does not appear to answer these questions. It does not answer what kind of employee conduct is actually prohibited, and it therefore does not provide sufficient notice to employees as to what is prohibited to satisfy the void-for-vagueness doctrine.
To the extent the agency theory prohibits any access to an employer’s computer that does not further the employer’s interests, and is therefore outside the scope of employment, the law does not “establish minimal guidelines to govern law enforcement” and therefore “encourage[s] arbitrary and discriminatory enforcement.” Employees routinely use their employers’ computers for personal reasons. The question is not whether employees use employers’ computers for personal reasons; it is how often and for how long. But under the agency theory of authorization, the question of how often and how long is irrelevant. A single unauthorized use, even if just for an instant, amounts to either an access without authorization or exceeding authorized access. As a result, a broad agency theory of authorization would turn millions of employees into criminals. It would give the government the power to arrest almost anyone who had a computer at work[.]
I’m glad to see that the dissent by Judge Campbell realized all of this. Unfortunately, there was only one vote for this position, not the needed two.
The majority makes the point that the government in this case chose to prosecute Nosal under the felony provisions of 1030(a)(4), which require more than exceeding authorized access. But as Judge Campbell properly points out, the real action here is 1030(a)(2)(C), which makes it a federal crime to exceed authorized access to any computer anywhere in the world (it does require obtaining information, but any information counts, so it covers almost everything). So it seems to me that under the majority’s reading of the statute, whenever any employer anywhere in the world puts any clear restriction of any kind on any computer — computer including anything with a microchip, and even perhaps just a thumb drive — it is now a crime if the employee breaks the restriction. Sheesh, be careful out there, people. Whatever you do, don’t get on the wrong side of any Assistant U.S. Attorneys. And don’t tick off your boss.
Anyway, Nosal strikes me as a ripe case for rehearing, both because I think it’s hard to reconcile with Brekka and because Nosal has such astonishing implications for the scope of government power. Either way, stay tuned. And if you have to go to the Ninth Circuit, remember, don’t consent to anything and tell the cops you need to speak with a lawyer.
For more on the interpretation of the CFAA, I had an article in 2003 that predicted this sort of thing and explained why I think it is based on an erroneous interpretation of the statute: Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes.