I’ve blogged a lot about the Ninth Circuit’s en banc case in United States v. Nosal, on the scope of the Computer Fraud and Abuse Act — and more specifically, on whether it’s a federal crime to violate an express written restriction on using a computer. You can watch last Thursday’s oral argument in the case here:
Chief Judge Kozinski presided, and he seemed pretty clearly on the side that I’ve been advocating here at the blog, in the Drew case, in my recent testimony, and in my law review articles. I was very pleased to see that, although I wasn’t surprised in light of Judge Kozinski’s libertarian streak. At the same time, I don’t think we have enough information to count votes accurately, as only about four judges spoke in ways that might have indicated their views (two for Nosal, two for the United States, I believe). I’m cautiously optimistic, but we’ll have to see how the votes shake out in the end.
I’ll hide my more detailed reactions below the break for the handful of CFAA nerds in the VC readership .....
Welcome, nerds: I hope dad has the old cruise control set at 35. Ok, now on to the details:
(1) In her argument for the United States, DOJ lawyer Jenny Ellickson argued that intentionally violating a Term of Service on Facebook or Match.com was in fact a federal crime under 18 U.S.C. 1030(a)(2)(C). She stated that DOJ would never prosecute such a case, however, and that the big practical problem was proof: DOJ would need proof that the defendant actually knew of the Term of Service violated, such that the act of violating the Term of Service was an intentional exceeding of authorized access.
Judge Kozinski wasn’t impressed by that argument, and I think the Lori Drew prosecution shows why he is right to be underwhelmed. In Drew, the Justice Department did in fact authorize and bring such a prosecution. Further, there was no evidence that Drew knew of the Term of Service that had been violated. Drew hadn’t even been the one using the computer when the profile was created, and even the person who created the profile (the government’s own witness) had testified that she never read the Term of Service. Indeed, in Drew, the Justice Department argued that requiring proof that Drew knew of the Terms of Service would “raise the scienter requirement” of the statute “in an unprecedented fashion beyond that found in securities, tax, or other white collar cases.” (See DOJ Surreply filed 1/5/09 at p.5). According to the Justice Department in the Drew case, it was sufficient that Drew had later tried to hide her role in creating the profile: That showed that Drew knew it was wrong to lie on MySpace, and thus was proof she had intentionally exceeded authorized access. Given the difference between DOJ’s assurance in Nosal that it would never bring such a case and that the burden of proving intent would be high, and the fact that DOJ did bring such a case and took a very different view of the intent standard when it did, I think Judge Kozinski was right to be skeptical.
(2) Nosal’s basic argument was the argument I made in my 2003 Cybercrime’s Scope article: That the scope of 1030 should be limited to the circumvention of code-based restrictions. Nosal also argued that vagueness concerns require a limiting construction of the statute, a position I argued in this 2010 Minnesota Law Review article and that was subsequently given more heft by Skilling v. United States, which applied a similar approach to limit the honest services statute. Some of the judges were puzzled by the reference to vagueness doctrine, apparently because they had forgotten the overbreadth aspect to vagueness doctrine; while most people remember the facial vagueness test, the overbreadth/discriminatory enforcement test is the one that is often more important in practice (see page 14-15 of the Minnesota draft linked to above). In my view, both the statutory interpretation argument and the vagueness argument work together: Both the rule of lenity concerns and the need to construe the statute to avoid potential vagueness problems both point to the need to adopt a narrow interpretation of the statute.
(3) The judges spent a lot of time trying to figure out if 1030(a)(2)(C) is a lesser included offense of 1030(a)(4). I wasn’t entirely sure why that was supposed to be relevant: Nosal’s argument is an argument of law about the proper interpretation of “exceeding authorized access,” which is common to both sections and must have the same interpretation throughout the statute.
(4) Judge Kozinski asked Nosal’s lawyer what to make of Theofel v. Farey-Jones, which held that serving an overly broad subpoena on a company that has a en a-mail server exceeded authorized access in the context of an 18 US.C. 2701 civil claim. This is a tricky question because Judge Kozinski authored Theofel, and yet Theofel is arguably a good case for the government: In holding that serving an overly broad subpoena had exceeded authorized access into the computer where the e-mails sought were stored, Theofel hints at a broad scope of “exceeds authorized access.” I’m no fan of this aspect of Theofel, but I don’t think Theofel is inconsistent with Nosal’s position for two reasons. First, it’s arguable that 2701 and 1030 are sufficiently different that different principles should govern their interpretation. They have somewhat different text, and vastly different scope: The scope of 2701 is very narrow, while 1030 is extremely broad. Second, even if you accept that the 2701 framework of Theofel should govern the 1030 framework of Nosal, the analytic framework of Theofel is sufficiently flexible that you can reach Nosal’s position using it (see the argument we made in the Lori Drew case in this Supplement to Rule 29 Motion on pages 4-7).
(5) One of the judges asked if accepting Nosal’s position would require creating a clear circuit split with the 11th Circuit in United States v. Rodriguez, a case I blogged about here. I think it’s possible to try to write an opinion for Nosal in a way that avoids a clear split with Rodriguez, but it would require some fancy footwork: You’d have to have to argue that the vagueness concerns are less pressing in the government employment setting than in the private sector setting. More broadly, I think this issue has caused so much uncertainty in the lower courts that a Supreme Court cert grant to settle the issue might not be a bad thing. At the same time, whether a clear 5th/9th split generated by an affirmance in Nosal would be cert-worthy may depend on what happens in Congress. If Congress goes ahead and amends the definition of exceeds authorized access, as there are signs may soon happen, then the Court would very likely stay out and let the split stay on the books: If the split is as to an amended statute, there is little point in the Supreme Court stepping in. But then that dynamic can work both ways: If Congress sees a clear split it may stay its hand and wait for the Court to sort it out before amending the statute. Stay tuned, as always.