Subscribe Subscribe   Find us on Twitter Follow POL on Twitter  



Ninth Circuit Limits Reach of Computer Fraud & Abuse Act

| No Comments

In addition to punishing one who accesses a computer without authorization (e.g., , a non-employee who "hacks" into a corporate network), the Computer Fraud & Abuse Act ("CFAA") also punishes one who "exceeds authorized access" to a computer by "access[ing] a computer with authorization and [using] such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. 1030(a)(4), 1030(e)(6) (emphasis added). In United States v. Nosal, the Ninth Circuit recently limited the reach of the latter portion of the statute. When David Nosal left an executive search firm, he convinced his former colleagues to help him start a competing business by providing him with proprietary information -- including source lists and contact information -- from his former firm's confidential database. Nosal's colleagues were authorized to access the database, but were not authorized to share it outside the company. Nosal was charged with aiding and abetting violations of the CFAA. In Nosal, a divided en banc Ninth Circuit upheld the District Court's dismissal of the counts. The government argued that the statute's "exceeds authorized access" prong should be interpreted to cover not only users authorized to view certain files, but who access other, unauthorized files, but also users with unrestricted access who make unauthorized use of the information. Writing for the majority, Judge Alex Kozinski held that to interpret the statute in that way would make it a "sweeping Internet-policing mandate." He noted that such an interpretation would criminalize violations of corporate computer use policies (for example, using a work computer to send personal email) or website terms of service (such as lying on dating sites). In dissent, Judge Barry Silverman accused the majority of "knocking down straw men," pointing out that the CFAA's requirement of intent to defraud would prevent the majority's "parade of horribles" from occurring. Judge Kozinski, however, wrote that whether or not Congress could criminalize unauthorized use of computer information, the CFAA must be limited to unauthorized access.

Leave a comment

Once submitted, the comment will first be reviewed by our editors and is not guaranteed to be published. Point of Law editors reserve the right to edit, delete, move, or mark as spam any and all comments. They also have the right to block access to any one or group from commenting or from the entire blog. A comment which does not add to the conversation, runs of on an inappropriate tangent, or kills the conversation may be edited, moved, or deleted.

The views and opinions of those providing comments are those of the author of the comment alone, and even if allowed onto the site do not reflect the opinions of Point of Law bloggers or the Manhattan Institute for Policy Research or any employee thereof. Comments submitted to Point of Law are the sole responsibility of their authors, and the author will take full responsibility for the comment, including any asserted liability for defamation or any other cause of action, and neither the Manhattan Institute nor its insurance carriers will assume responsibility for the comment merely because the Institute has provided the forum for its posting.

Related Entries:



Rafael Mangual
Project Manager,
Legal Policy

Manhattan Institute


Published by the Manhattan Institute

The Manhattan Insitute's Center for Legal Policy.