Yesterday the U.S. Court of Appeals for the 9th Circuit rejected an interpretation of the Computer Fraud and Abuse Act (CFAA) that could have transformed most Americans—probably including you, if you are reading this at work—into criminals. The case involved David Nosal, who shortly after he stopped working at Korn/Ferry, an executive search firm, asked former colleagues there to obtain confidential client information for him, with an eye toward starting his own business. In addition to conspiracy, mail fraud, and trade secret theft, Nosal was charged with violating a provision of the CFAA that imposes a penalty of up to five years in prison on anyone who, "knowingly and with intent to defraud," "accesses a protected computer without authorization, or exceeds authorized access," and thereby "obtains anything of value." The Justice Department argued that Nosal's former co-workers exceeded their authorized access on his behalf. The 9th Circuit disagreed, saying the offense of exceeding authorized access refers to the manner in which information is obtained, as opposed to the way it is used after it is obtained. Writing for the majority, Chief Judge Alex Kozinski noted that the CFAA, which was enacted in 1984, was aimed at computer hackers. He said it is therefore plausible to conclude that the ban on unauthorized access refers to outsiders who peruse computers without permission, while the ban on exceeding authorized access refers to insiders who go beyond the material they are allowed to see—neither of which happened in this case.
Because the prohibition of unauthorized access is repeated in sections of the CFAA that do not require fraudulent intent, Kozinski noted, "the government's interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute":
If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose….
The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.
In the case of the CFAA, the broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Were we to adopt the government's proposed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct.
Anyone who violated workplace rules about the use of company computers, for example, would be guilty of a federal crime (emphasis added):
Minds have wandered since the beginning of time, and the computer gives employees new ways to procrastinate, by gchatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it's unlikely that you'll be prosecuted for watching Reason.TV on your work computer, you could be….
Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.
Even people who never commit such indiscretions could be prosecuted for violating websites' terms of service, knowingly or not. Internet access, Kozinski notes, "is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands." According to the government's interpretation of the CFAA, he said, common violations such as fibbing on eHarmony, ignoring age restrictions on social networking sites, and letting other people log onto your Facebook account could earn Internet users up to a year in jail.
Kozinski noted that "ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement." Although "the government assures us that, whatever the scope of the CFAA, it won't prosecute minor violations," he said, "we shouldn't have to live at the mercy of our local prosecutor." People commonly lie on social networking sites, for instance, so "the difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after."
That sort of danger is no mere figment of Kozinski's imagination. Remember Lori Drew, the Missouri woman who was widely vilified after she played a nasty MySpace prank on a 13-year-old girl who later committed suicide? After Missouri prosecutors concluded that Drew had broken no laws, Thomas O'Brien, then the U.S. attorney in Los Angeles, took it upon himself to prosecute her for violating the CFAA by disregarding MySpace's terms of service. (He claimed jurisdiction because MySpace had servers in his district.) After a jury convicted Drew, U.S. District Judge George Wu threw out the CFAA charges, noting that O'Brien's interpretation of the law "basically leaves it up to a website owner to determine what is a crime" and therefore "criminalizes what would be a breach of contract."
The 9th Circuit's decision is here (PDF). As Reuters notes, other appeals courts have been friendlier to the Justice Department's broad reading of the CFAA, so the issue may end up in the Supreme Court.