In addition to punishing one who accesses a computer without authorization (e.g., , a non-employee who "hacks" into a corporate network), the Computer Fraud & Abuse Act ("CFAA") also punishes one who "exceeds authorized access" to a computer by "access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. 1030(a)(4), 1030(e)(6) (emphasis added). In United States v. Nosal, the Ninth Circuit recently limited the reach of the latter portion of the statute. When David Nosal left an executive search firm, he convinced his former colleagues to help him start a competing business by providing him with proprietary information -- including source lists and contact information -- from his former firm's confidential database. Nosal's colleagues were authorized to access the database, but were not authorized to share it outside the company. Nosal was charged with aiding and abetting violations of the CFAA. In Nosal, a divided en banc Ninth Circuit upheld the District Court's dismissal of the counts. The government argued that the statute's "exceeds authorized access" prong should be interpreted to cover not only users authorized to view certain files, but who access other, unauthorized files, but also users with unrestricted access who make unauthorized use of the information. Writing for the majority, Judge Alex Kozinski held that to interpret the statute in that way would make it a "sweeping Internet-policing mandate." He noted that such an interpretation would criminalize violations of corporate computer use policies (for example, using a work computer to send personal email) or website terms of service (such as lying on dating sites). In dissent, Judge Barry Silverman accused the majority of "knocking down straw men," pointing out that the CFAA's requirement of intent to defraud would prevent the majority's "parade of horribles" from occurring. Judge Kozinski, however, wrote that whether or not Congress could criminalize unauthorized use of computer information, the CFAA must be limited to unauthorized access.
Ninth Circuit Limits Reach of Computer Fraud & Abuse Act
- Around the web, May 7
- Evading CAFA's scrutiny of coupons: In re Online DVD Rental
- $7M for attorneys, $0.5M for class
- How much is the Bluetooth settlement injunction worth?
- Update on California foreign policy efforts
- Ninth Circuit finds Proposition 8 same-sex marriage ban unconstitutional
- NY Times partisan hackery department: filibuster division
- Compucredit v. Greenwood
- Wherein George Soros wastes his money
- Hans Bader on challenging class-action abuses
- Fifth and Ninth Circuits crack down on cy pres abuse
- CCAF Ninth Circuit brief: In re HP Inkjet Printer Litigation
- Bluetooth ripples: "kicker" provisions
- "Days numbered for trial lawyers getting outrageous paydays"?
Center for Legal Policy at the