In addition to punishing one who accesses a computer without authorization (e.g., , a non-employee who "hacks" into a corporate network), the Computer Fraud & Abuse Act ("CFAA") also punishes one who "exceeds authorized access" to a computer by "access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. 1030(a)(4), 1030(e)(6) (emphasis added). In United States v. Nosal, the Ninth Circuit recently limited the reach of the latter portion of the statute. When David Nosal left an executive search firm, he convinced his former colleagues to help him start a competing business by providing him with proprietary information -- including source lists and contact information -- from his former firm's confidential database. Nosal's colleagues were authorized to access the database, but were not authorized to share it outside the company. Nosal was charged with aiding and abetting violations of the CFAA. In Nosal, a divided en banc Ninth Circuit upheld the District Court's dismissal of the counts. The government argued that the statute's "exceeds authorized access" prong should be interpreted to cover not only users authorized to view certain files, but who access other, unauthorized files, but also users with unrestricted access who make unauthorized use of the information. Writing for the majority, Judge Alex Kozinski held that to interpret the statute in that way would make it a "sweeping Internet-policing mandate." He noted that such an interpretation would criminalize violations of corporate computer use policies (for example, using a work computer to send personal email) or website terms of service (such as lying on dating sites). In dissent, Judge Barry Silverman accused the majority of "knocking down straw men," pointing out that the CFAA's requirement of intent to defraud would prevent the majority's "parade of horribles" from occurring. Judge Kozinski, however, wrote that whether or not Congress could criminalize unauthorized use of computer information, the CFAA must be limited to unauthorized access.
Ninth Circuit Limits Reach of Computer Fraud & Abuse Act
- The cy pres morass and In re BankAmerica Corp. Securities Litigation
- Cy pres in SCOTUS? Facebook Beacon settlement certiorari petition
- Opening brief in In re EasySaver Rewards Litigation
- En banc denied in Inkjet, but attorneys still evading CAFA
- Update in Kitagawa v. Apple, Inc. (9th Cir.)
- Ninth Circuit refuses to extend Caronia
- No en banc in Lane v. Facebook
- Briefing complete in In re Online DVD Antitrust Lit. (9th Cir.)
- Opening brief in Kitagawa v. Apple (9th Cir.)
- "The death penalty is a joke."
- Schwartz et al. on climate-change litigation
- Around the web, September 5
- In re Online DVD Rental Antitrust Litigation
- Bluetooth ripples: Dennis v. Kellogg Co.
- Access to justice for me, but not for thee department
Center for Legal Policy at the