Ninth Circuit hears arguments on IP address blocking and shared accounts under the CFAA

On Wednesday, the Ninth Circuit heard argument in Facebook v. Power Ventures, an important case on the Computer Fraud and Abuse Act ("CFAA"). The case considers whether a company violated the CFAA by accessing Facebook accounts with user permission in violation of Facebook's Terms of Service, even after Facebook sent a cease-and-desist letter to the company and blocked its IP address. And that's not the only CFAA case the Ninth Circuit recently heard on using shared passwords. A different panel heard argument in United States v. Nosal on a similar question but involving very different facts.

Let's start with the Facebook case. Power Ventures ("Power") allowed Facebook users to set up an account at the Power website and to give Power permission to access the user's Facebook account on the user's behalf. Facebook didn't like this, as it wanted to maintain control of Facebook's system. So Facebook told Power to stop accessing its website and also blocked an IP address used by the Power website. Power continued to access Facebook's site anyway. The legal question: Did the subsequent access by Power, with Facebook user permission but against the permission of Facebook, constitute a criminal unauthorized access under the CFAA?

The very interesting oral argument video is below.

Last month's oral argument in United States v. Nosal ("Nosal II") provides an intruiging contrast. Nosal II considers whether a former employee violated the CFAA when he persuaded a current employee to give him the employee's username and password to the company network and then used the account for his own purposes.

You can watch that (somewhat less illuminating) argument here:

In a forthcoming essay on the CFAA, "Norms of Computer Trespass," to be published in the Columbia Law Review, I offer an approach to deciding both of these cases. I've mentioned the draft before, but I posted an improved version of the still-forthcoming article two weeks ago. (According to the Facebook argument around the 34-minute mark, counsel for Power recently submitted a copy of the article to the panel; I don't know whether it was the latest version.)

Here's a brief rundown of my approach.

First, access to an authenticated account should be considered authorized under the CFAA if the access is within the scope of agency of the account holder. Here's the basic idea: When a computer owner creates a password-protected account and confers that account on the account holder, that act authorizes the account holder to use the computer. That's what creating an account does, after all: It grants access rights to the legitimate account holder. The account holder and his legal agents are therefore authorized. As a result, the account holder can give a third party the authorization to access his account as his agent but cannot give the third party rights to use the account outside the scope of agency.

Under this approach, if a Facebook user gave Power permission to access the user's Facebook account, Power was accessing Facebook as the user's agent and was authorized just as the user was authorized. Sure, if the Facebook canceled the user's account, that would revoke authorization. That revocation of authorization would apply equally to the user and the agent. But as long as the account was not canceled, the user had authorization. Necessarily, the user's agents had authorization, too.

On the other hand, if a company employee gives her corporate account credentials to an outsider to use for the outsider's purposes, the outsider's access to the account for his own purposes is unauthorized. In that case, the third-party access is not access as the account holder. The third party is not authorized to access the computer because the access is not within the delegated authorization given to the account holder. That access upsets the basic delegation of access rights to the account holder and his agents and is therefore unauthorized.

Second, I think IP address blocking is irrelevant to authorization under the CFAA. From my article:

[A]n IP block is not a real barrier. A user's IP address is not fixed. Users can change their IP addresses easily. For some users, turning on and off their modems at home will lead their IP addresses to change. For more sophisticated users, accessing the web using TOR or a virtual private network allows them to change their IP addresses with the click of a button. Even a novice user will often use several different IP addresses over the course of a day. A person might surf the web from his phone (using his cell phone's IP address), from his laptop at home (using his home connection's IP address), and from work (using the company's IP address). There is nothing untoward or blameworthy about using different IP addresses. It is a routine part of using the Internet.

Because of these technical realities, bypassing an IP block is no more culpable than bending your neck to see around someone who has temporarily blocked your view. To be sure, an IP block indicates that the computer owner does not want at least someone at the IP address to visit the website. But that subjective desire is not enough to establish a criminal trespass in light of the open nature of the web. A computer owner cannot both publish data to the world and yet keep specific users out just by expressing that intent. It is something like publishing a newspaper but then forbidding someone to read it. Publishing on the web means publishing to all, and IP blocking cannot keep anyone out. Merely circumventing an IP block does not violate trespass norms.

The final question in the Facebook case is the relevance of cease-and-desist letters. First, if a computer owner cancels an account, that revokes authorization to access the account. (Courts have widely recognized this; in the Ninth Circuit, see Brekka.) On the other hand, sending a letter to someone telling him to stop visiting a public website is irrelevant to authorization for the same reason that violating clear Terms of Service is irrelevant. True, it expresses the computer owner's wishes. But the norms of computer trespass can't just be about what the computer owner subjectively wants; they have to be about what the computer owner actually does. The computer owner can't simultaneously authorize the account and deny the account. It has to either allow the account, making access authorized, or else revoke the account, making access unauthorized. If the computer owner wants its preferences to be backed by the federal criminal law of computer trespass, it has to cancel the account that is being accessed. Canceling the account is analogous to the homeowner who tells the guest to leave; that's the act that revokes authorization.

Applying that principle is complicated a bit in the Facebook case because Power was not just accessing a public website. Power was actually accessing the private user accounts, which required bypassing the authentication gate of the username and passwords of the Facebook users. In that case, a cease-and-desist letter gets closer to an account revocation than would be the case with a cease-and-desist letter concerning only the public parts of a website. But as far as I know, the letter did not actually revoke the accounts. So I would think the answer is that the letter is still irrelevant for CFAA purposes.

Finally, it's worth noting that the Facebook case also raises issues under the California unauthorized access law, Section 502, which is essentially a state version of the CFAA. Until recently, the trend in the cases was to interpret Section 502 quite narrowly. But the Ninth Circuit's recent Christensen case has a puzzling passage that seems to adopt a very broad interpretation of Section 502. It's a very brief discussion (see pages 38-39) and to my mind pretty unpersuasive. (Christensen has the feel of an opinion trying to decide too many hard issues at once and not getting all of them right; the Section 502 part of the opinion seemed weak.) But given the size and significance of California, and the fact that Ninth Circuit interpretations of Section 502 are binding on other federal courts in California, it means that the Facebook case will have significance not just for the CFAA but also for the potentially similar ground covered by Section 502.

As always, stay tuned.