The Ninth Circuit Court of Appeals dismissed a federal hacking charge against a California man on Tuesday, finding that the Computer Fraud and Abuse Act (CFAA), which outlaws computer use that "exceeds authorized access," was inapplicable to the case.
Chief Judge Alex Kozinski, writing for the majority, reasoned that "exceeds authorized access" is limited to violations of restrictions on access to information, and not restrictions on its use.
Shortly after the defendant, David Nosal, left his job at Korn/Ferry, he convinced some of his former colleagues who were still working for the company to help him start a competing business. The employees used their log-in credentials to download information from a confidential company database, and transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry policies prohibited disclosing confidential information.
The government indicted Nosal on 20 counts for his role in the data acquisition, including trade secret theft, mail fraud, conspiracy and violations of the CFAA, The Wall Street Journal reports. A district court dismissed the CFAA charge in an interlocutory appeal, and the Ninth Circuit Court of Appeals affirmed that decision.
The CFAA defines "exceeds authorized access" as "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The government claimed that provision could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. (In Nosal's case, that would extend to an employee who was authorized to access customer lists in order to do his job, but not to send them to a competitor.)
Kozinski observed that the CFAA was designed to penalize hackers, and the government's interpretation of the "exceeds authorized access" provision could yield absurd results. "The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer." According to Kozinski, that interpretation would make criminals of unsuspecting people who shop online, watch video clips, or use social networks during the work day in violation of their employers' computer-use policies.
The decision conflicts with rulings from the Fifth, Seventh, and Eleventh Circuits. (Both the Fifth and Eleventh Circuits have explicitly held that employees who knowingly violate clear company computer restrictions agreements "exceed authorized access" under the CFAA.) While the Ninth Circuit is no stranger to life as an outlier, Judge Kozinski noted the conflict, and urged the other circuits to reconsider their CFAA interpretation.
- U.S. v. Nosal (Ninth Circuit Court of Appeals)
- Appeals Court Rules That Violating Corporate Policy Is Not a Computer Crime (Electronic Frontier Foundation)
- U.S. v. Rodriguez (FindLaw's CaseLaw)
- U.S. v. John (FindLaw's CaseLaw)