Thursday, April 28, 2011
When the Right Interpretation of the Law is a Scary One (CFAA Edition)
A divided 9th Circuit panel decided U.S. v. Nosal today. The case initially looks like a simple employee trade secret theft case, but the Court's interpretation of the Computer Fraud and Abuse Act has potentially far-reaching ramifications. Here's the thing - the court (in my view) reached the right ruling with the right statutory interpretation. However, that interpretation could make many people liable under the CFAA who probably shouldn't be.
I discuss more below.

Here are the basic facts: Nosal is charged with conspiracy to violate the CFAA, 18 U.S.C. 1030, because he conspired with employees at his former employer. Those employees accessed a database to obtain secret information that Nosal allegedly used in a competing business. Importantly, those employees had full access rights to that database. They didn't hack, steal a password, rummage around, or anything else. They just logged on and copied information. Those employees had agreements that said they would not use the information for purposes other than their employment. I suspect that the agreement would not even have been necessary if it were reasonably clear that the information was a trade secret, but that's an issue for another post.
The provision at issue is 1030(a)(4), which outlaws: "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value...."
The district court dismissed the indictment, ruling that the employees could not have exceeded authorization. The court relied on a prior case, LVRC Holdings LLC v. Brekka, to rule that the employees could not have exceeded authorized access because database access was within the scope of their employment. According to the lower court, one can only exceed authorization if one wanders into an area where there is no authorized access. The appellate panel talks about drive letters. If the employees could access the F: drive but not the G: drive, then any data taken from the F: drive for any purpose could not exceed authorized access, but gathering data from the G: drive would, because the employees were not supposed to go there. By analogy here, there could be no exceeded authority because the database was part of the employees' access rights.
The Ninth Circuit panel disagreed. It starts with the definition in 1030(e)(6):
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter
The Court focuses on the word "so." It argues that "so" would be superfluous under the district court's reading. After all, exceeding authorized access means you must have had the right to be there in the first place. Limiting this to different areas of the database doesn't work, since the statute plainly outlaws access to the computer when that access is then used to obtain information that the accessor is not entitled to obtain.
The problem with this reading, of course, is that the employees were arguably entitled to obtain the information. Not so, says the Court - and this is where the trade secret angle comes in. The employees were decidedly (or at least allegedly) not entitled to access the information if the purpose was to leak it to Nosal.
How does the court deal with LVRC? It appears that the two cases are consistent:
1. LVRC says that "without authorization" requires no access at all to a drive, not exceeded authorization (there are some parts of the statute which require no authorization, and some where exceeded authorization is enough).
2. LVRC makes clear that where employers set access policies and communicate them, then employees may be deemed to have acted without authorization.
3. LVRC envisions exactly the result in this case:
Section 1030(e)(6) provides: "the term `exceeds authorized access' means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6). As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has "exceed[ed] authorized access." On the other hand, a person who uses a computer "without authorization" has no rights, limited or otherwise, to access the computer in question.
Of course, it is not this easy. LVRC had a footnote:
On appeal, LVRC argues only that Brekka was "without authorization" to access LVRC's computer and documents. To the extent LVRC implicitly argues that Brekka's emailing of documents to himself and to his wife violated §§ 1030(a)(2) and (4) because the document transfer "exceed[ed] authorized access," such an argument also fails. As stated by the district court, it is undisputed that Brekka was entitled to obtain the documents at issue. Moreover, nothing in the CFAA suggests that a defendant's authorization to obtain information stored in a company computer is "exceeded" if the defendant breaches a state law duty of loyalty to an employer, and we decline to read such a meaning into the statute for the reasons explained above. Accordingly, Brekka did not "obtain or alter information in the computer that the accesser is not entitled so to obtain or alter," see 18 U.S.C. § 1030(e)(6), and therefore did not "exceed[ ] authorized access" for purposes of §§ 1030(a)(2) and (4).
This footnote seems directly contrary to the outcome in Nosal. It is also an example of something I tell my cyberlaw students - make every argument you can! How could LVRC not have made the exceeded authorization argument directly on appeal? Surely that issue merited more than a footnote.
The court doesn't deal with this footnote, but instead makes some factual distinctions that work for me. First, in LVRC the defendant had unfettered access with no clear rules about the data. Second, in this case there is a clear trade secret misappropriation, whereas in LVRC the allegation was a nebulous "breach of duty" argument without any real showing that the emails accessed would be used competitively against LVRC.
Maybe it is because of my background in trade secret law, and I suspect that I may be in the minority among my cyberlaw colleagues, but I think this was the right interpretation and the right outcome. Exceeding authorized access has no meaning if it does not apply in this case. To me, at least, this was a textbook case of access that starts authorized, but becomes unauthorized as soon as the nefarious purpose for the access is revealed.
And now the scary part
That said, this is still scary - but the problem is with the law, not the court's ruling. Why is it scary?
First, employees who look where they shouldn't could now be considered criminals under the CFAA, so long as they are looking at material they know they shouldn't be accessing.
Second, this is not necessarily limited to employees. Anyone using a website who starts using information from it in a way that the web operator clearly does not desire could theoretically be criminally liable.
Now that's scary.
The Nosal court tries to explain this away by saying that fraudulent intent and obtaining something of value are required under 1030(a)(4). True enough, but that's not the only subsection in the CFAA. Section 1030(a)(2), for example, outlaws simply obtaining information. Sure, the penalties may not be as severe, but it is still barred.
So, how do we reconcile this case with common sense? Are all web users now criminals if they lie about their age or otherwise commit minor violations? I doubt it.
First, I think there must be some independent wrongful action associated with the action - a tort that common folk would understand to be wrongful. In this case, trade secret misappropriation was clear. LVRC v. Brekka went the other way because it was not at all clear the action was independently wrongful and thus something the employer would never authorize. I tend to think that browsewrap agreements on websites won't cut it.
Second, the wrongful action has to be tied somehow to the unauthorized access. In other words, lying about your age shouldn't affect access rights generally, but lying about your age might very well be a problem if the reason you did so was to prey on young children. I'll leave others to debate how this might apply to the Lori Drew case. The recent case of MDY v. Blizzard makes this connection for the Digital Millennium Copyright Act, and it seems like a reasonable one under the CFAA as well.
The CFAA scares me, and it should scare you, too. But it's not as scary as many make it out to be - at least I hope not.
Posted by: Orin Kerr | Apr 28, 2011 5:13:26 PM
Oh, wait, I just realized you said that this brazenly unconstitutional misreading of the statute was "the right one." Never mind.
Posted by: Orin Kerr | Apr 28, 2011 5:38:56 PM
Ouch. I didn't say it was constitutional - only that it was the right interpretation of the language of the statute. After all, I do say: "this is still scary - but the problem is with the law, not the court's ruling." I'm not convinced that there's no way to save the statute, but I would also not argue with others that would say this reading renders it void for vagueness.
Posted by: Michael Risch | Apr 28, 2011 5:50:57 PM
In my view, the core problem with the textual definition of exceeding authorized access is that it is circular: You exceed authorized access when you, well, exceed what you're authorized to do. The definition doesn't answer the pressing question: What governs authorization? There's legislative history that hints at what Congress might have had in mind, but it's pretty unclear. In any event, in light of this circularity, I tend to think the void for vagueness doctrine requires courts to adopt narrow statutory readings to avoid rendering it unconstitutional. Or so I have argued.
Posted by: Orin Kerr | Apr 28, 2011 6:09:56 PM
Orin - I hear you - and I'm a fan of your work on this. Since I'm not a con law guy, I tend to be more purist on the reading of the statute, and then the chips fall where they may on whether that's too vague.
I agree that the real question is what governs authorization - I give two clues I have in mind above, but they don't really answer the question satisfactorily. The theoretical question for me is how this case and Brekka can both be right - because I think they are, while cases like Explorica and related cases that rely on posted notices (like the one in your comment thread at VC) are clearly wrong. Perhaps they can't be reconciled, and perhaps many (including you, it appears) think they shouldn't be.
Posted by: Michael Risch | Apr 28, 2011 6:19:44 PM
It occurs to me that patent law must influence my outlook - we typically interpret patent claims for what they are, and then determine whether they are overbroad...
Posted by: Michael Risch | Apr 28, 2011 7:35:27 PM
Ah, that's interesting. In contrast, with criminal statutes the void for vagueness doctrine can be akin to a canon of construction. See, e.g., Skilling v. United States.
Posted by: Orin Kerr | Apr 28, 2011 9:18:48 PM
Is the important question the intent at the time of access, or the use the information is ultimately put to?
Consider the hypo: Person A accesses a database and either downloads some data or takes some notes for job purposes. He uses that information appropriately for his job, but doesn't then delete the downloaded information or destroy the notes. Later, Person B pays Person A for the information that A had downloaded and/or his notes. It's uncontroverted that Person A could not access the database at the behest of B. But can he share information that he had previously, legitimately downloaded? (Only within this act, of course; leave aside other possible criminal or civil liability for A).
Posted by: Andrew MacKie-Mason | Apr 29, 2011 12:40:27 PM
Andrew - your question is the reason why most folks think that the broad reading is problematic (including me). I'm not convinced that it's vague, because whichever rule you pick can be known in advance and applied evenly, though it is scarily overbroad, as I note.
I think the right answer has to be the intent at the time of the data gathering. This is certainly true of (a)(4), which requires access with intent to defraud. But I think it also applies to (a)(2), which applies to anyone who "intentionally accesses a computer without authorization or exceeds authorized access" - I think that if you do not "intentionally exceed authorized access" then you are not liable/guilty. Thus, downloading source code as you exit would violate the CFAA, but running out the door with a CD-ROM would not.
Posted by: Michael Risch | Apr 29, 2011 2:35:23 PM
I think I agree with you on the statutory interpretation, but it creates a bit of a nonsensical situation. There's no good reason for one to be treated differently from the other, since both involve information from the same source being given to the same person in violation of the same rules.
Posted by: Andrew MacKie-Mason | Apr 29, 2011 6:07:19 PM