Technologist - The FindLaw Legal Technology Blog

Ninth Circuit Vastly Expands Reach of Federal Anti-Hacking Law

Using the internet just got a bit riskier, thanks to the Ninth Circuit. In two recent rulings, separated by only one week, the Ninth Circuit has greatly expanded the reach of the Computer Fraud and Abuse Act, a federal anti-hacking law from 1986.

Under the Ninth Circuit's new interpretation of the CFAA, you can violate the law by using someone else's password to access a computer database, or simply by using a website you've been told to stay off of. And, if the Ninth's opinions are read broadly, a lot of your online behavior could be considered illegal hacking.

The CFAA and Unauthorized Access

The CFAA provides civil and criminal penalties for anyone who "intentionally accesses a computer without authorization or exceeds authorized access" and thereby "obtains information," causing (for civil liability to apply) more than $5,000 in damages or loss. The CFAA was passed in 1986, when U.S. cybersecurity law was guided by Hollywood Cold War computer thrillers like "WarGames." (Really, it's true.)

But the law's been stretched way beyond hacking as it was understood in the late '80s, to reach former employees accessing work email after they've left the company, or employees deleting files from their work computers. The Seventh Circuit, for example, has held that one accesses a computer "without authorization" once he has violated his duty to his employer or failed to disclose an adverse interest. Some circuits, like the Ninth, don't go that far, but they don't take a narrow reading, either.

The Ninth's Busy CFAA Summer

In the last two weeks, the Ninth Circuit has released two decisions that could make CFAA-violators out of many of us. In the first, United States v. Nosal (Nosal II), the court held that accessing a computer database with someone else's username and password, after your own access has been revoked, violates the CFAA.

"Once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party," the court explained. There, a former employee had used his assistant's login information to access the company's database after he'd left. The Ninth rejected his argument that his assistant's permission counted as an "authorization" under the CFAA.

Nosal II was a criminal case, but just a week later it was applied in a civil dispute between Facebook and the defunct social network aggregator Power.com, Facebook v. Vachani. Power had encouraged its users to recruit others on Facebook, and continued to do so after being told to cease and desist. That too, the Ninth ruled, counted as unauthorized access.

Troubling Implications

Nosal II inspired hundreds of articles declaring that sharing your Netflix password was now a federal crime. That's probably not the case. (Netflix would have to tell you to knock it off first, and the company is famously lax with password sharing, so go ahead with your Netflix and chill.) But it could lead to increased prosecution of former employees who access something as innocuous as their old email after they've left a job.

Vachani, too, has troubling implications. Though the Ninth said that violating a site's terms of service wouldn't result in a CFAA violation, the court's logic doesn't seem to support that distinction. (Terms of service and demand letters are both simply requests not to do something; the Ninth doesn't do much of a job explaining why violating one would be fine, while ignoring the other would be "unauthorized access.")

And, as the Hollywood Reporter has wagered, under Vachani websites could simply send out cease and desist orders to parties they dislike, warning them to stay off or get sued. Trump, for example, could ban Hillary from his website as easily as Facebook kicked off Power.
