Ninth Circuit Creates Circuit Split by Narrowly Construing the Computer Fraud and Abuse Act
By Abby Lauer – Edited by Charlie Stiernberg
United States v. Nosal, No. 10-10038 (9th Cir. April 10, 2012)
The Ninth Circuit affirmed the Northern District of California in an en banc decision construing the scope of the Computer Fraud and Abuse Act (“CFAA”). The court held that a person who violates an employer’s computer use policy is not criminally liable for federal penalties under the Act.
The Ninth Circuit held that the provision of the CFAA that prohibits a person from “exceed[ing] authorized access” to information on the Internet does not extend to violations of use restrictions, such as an employer’s computer use policy or a website’s terms of service. In so holding, the court applied the rule of lenity to this provision of the CFAA. The court expressed concern that adopting a broader interpretation of “exceeds authorized access,” which appears five times in the first seven subsections of the statute, would inadvertently criminalize innocuous activity that was not intended to be captured. For example, the court noted that “lying on social media websites is common,” and concluded this is not the type of behavior that Congress intended to punish by passing the CFAA.
Federal prosecutors brought criminal charges under 18 U.S.C. § 1030(a)(4) against a former employee of an executive search firm who had convinced some of his former colleagues to download and transmit names and contact information from the company’s confidential database. A district court judge initially dismissed the CFAA charges against the defendant on the grounds that his former colleagues were legally authorized to access the information and only violated the firm’s policy regarding how the information could be used. A Ninth Circuit panel reversed the district court and reinstated the CFAA charges before the court agreed to hear the case en banc.
The en banc decision limited the scope of the “exceeds authorized access” language in the CFAA to apply only to violations of restrictions on access to information, not restrictions on its use. Chief Judge Kozinski’s majority opinion emphasized the rule of lenity: “We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals.” U.S. v. Nosal, No. 10-10038 at 3872. To hold otherwise, the court reasoned, would criminalize even casual violations of terms of service imposed by social networking sites, online retailers, and search engines.
Judge Barry G. Silverman, joined by Judge Richard C. Tallman, dissented. The dissent accused the majority of construing the CFAA in a “hyper-complicated way that distorts the obvious intent of Congress.” Id. at 3873-74. The dissent argued that the court should have focused on the serious crimes committed by the defendant and his former colleagues, rather than deciding the case based on “far-fetched hypotheticals involving neither theft nor intentional fraudulent conduct.” Id. at 3873.
The decision is significant because it creates a circuit split. Three circuit courts—the Fifth, Seventh, and Eleventh—have interpreted the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. The Ninth Circuit accused these other circuits of looking “only at the culpable behavior of the defendants before them, and fail[ing] to consider the effect on millions of ordinary citizens.” Id. at 3871. The circuit split renders the scope of “exceeds authorized access” within the CFAA ripe for review by the Supreme Court.