E-COMMERCE AND TECH LAW
BLOG

Thursday, November 3, 2011

Nosal Rehearing Could be the Start of Something Big


Last week's decision by the Ninth Circuit to grant rehearing in United States v. Nosal, 642 F.3d 781 (9th Cir. 2011), is shaping up to be the best available opportunity to sharpen the definition of an important phrase in the Computer Fraud and Abuse Act: “exceeds authorized access,” a key CFAA term that can narrow the reach of the statute to outside hackers only or expand its reach to potentially anyone who violates a website's terms of use agreement.

Similar to the 1986 Electronic Communications Privacy Act, the CFAA is an aging cyberlaw statute in need of legislative attention. The amount of judicial energy spent fathoming the meaning of “exceeds authorized access,” at 18 U.S.C. 1030(e)(6), has been substantial in the last decade, with very little in the way of clarity to show for the effort.

The meaning of this term is important not just for criminal prosecutions but in the civil context as well, where employers are using the CFAA to enforce acceptable use agreements against departing employees and where online businesses are using the law to protect their public-facing sites from data-mining by competitors.

A handful in Congress would like to rein in the breadth of the CFAA. However, scaling back the country's principal cybersecurity law is not the way the wind is blowing right now, and there seems to be little likelihood of congressional action on this issue in the near future.

Nosal: Use Agreements Can Define Authorization
In United States v. Nosal, the Ninth Circuit held that company employees who accessed data stored on corporate networks and, in so doing, violated prominent warnings about restrictions on their use and disclosure of information stored there can be criminally prosecuted under the CFAA. The court held that an employee “exceeds authorized access” to a computer network when he or she obtains data and uses it for a purpose that violates company restrictions on data use.

According to the panel opinion in Nosal, "an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has 'exceed[ed] authorized access.'"

This holding drew a dissent from District Judge Tena Campbell, who, echoing concerns expressed in United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009), argued that the CFAA would be unconstitutionally vague if criminal liability attached to mere violations of computer use policies. In Drew, the court held that the prosecution and conviction of a person for intentionally accessing a computer without authorization or in excess of authorization, in violation of the CFAA, based only on that person's intentional violation of a website's terms of service, offended the Constitution's void-for-vagueness doctrine.

The government decided not to appeal the Drew ruling, depriving the Ninth Circuit of an opportunity to speak on this question.

MaxBounty Builds on Nosal

 
Because the CFAA provides for civil liability as well, the meaning of “exceeds authorized access” is important beyond the context of criminal prosecutions. A recent example is the case of Facebook Inc. v. MaxBounty Inc., No. 10-cv-4712 (N.D. Cal. Sept. 14, 2011), in which the court relied on Nosal to hold that MaxBounty operatives "exceeded authorized access" within the meaning of the CFAA when, after registering for Facebook accounts and accepting the Facebook terms of use, they engaged in an advertising campaign forbidden by Facebook’s user agreement.

The Nosal ruling was greeted warmly by employers and online businesses who would like to see their non-disclosure and computer use agreements backstopped by CFAA liability. The MaxBounty case shows why. The en banc Ninth Circuit panel assigned to Nosal is likely to enjoy considerable amicus assistance in this case.

In the Circuits
Outside the Ninth Circuit, appellate courts appear to be trending in favor of finding that computer use policies can establish which sorts of conduct will “exceed authorized use” under the CFAA.

In United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010), the Eleventh Circuit held that an employee exceeded authorized access by accessing employer database records of various individuals for nonbusiness reasons in violation of a policy prohibiting employees from obtaining information from its databases without a business reason.

In United States v. John, 597 F.3d 263 (5th Cir. 2010), the Fifth Circuit held that “exceeds authorized access” may include exceeding the purposes for which access is “authorized.” In John, a credit card company gave the defendant authority to access its computer system for certain intended uses, and her use of the computer system to perpetrate fraud was not an intended use of that system.

In EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 582-84 (1st Cir. 2001), the First Circuit held that a former employee likely exceeded authorized access to the plaintiff's website where the former employee used proprietary information about the website to obtain data from it in violation of an employer confidentiality agreement.

And then there is International Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006), in which the Seventh Circuit held that an employee was acting “without authorization” when he deleted files from his company-issued laptop before he quit. The court reasoned that the employee's breach of his common law duty of loyalty effectively terminated his authority to access the company laptop. Citrin's "duty of loyalty" approach to defining CFAA authorization has not caught on outside the Seventh Circuit.

Citrin was a civil case. The government has not (to my knowledge) initiated a criminal CFAA prosecution based on a breach of a common law duty of loyalty.

The situation in the district courts is a mixed bag. In circuits where there is no circuit-level guidance, there are numerous rulings rejecting CFAA liability if the act of accessing a computer was authorized but the computer user subsequently used the information obtained for an improper purpose.

However things turn out in the en banc panel rehearing, Nosal is a case that could go still higher. As a candidate for U.S. Supreme Court review, Nosal has a lot of factors in its favor. It's from the Ninth Circuit, a fertile source of certiorari grants. Nosal concerns a matter of national importance and involves the interpretation of a federal statute. The issue presented in this case has confounded numerous courts, and there are circuit splits on the meaning of the CFAA's "authorized access" language. Finally, if the government loses in the Ninth Circuit, the influential Solicitor General's office could very well get behind a cert petition.

On Capitol Hill
The Senate Judiciary Committee held a hearing Sept. 7, 2011, to consider the Department of Justice's request for expanding and toughening the CFAA. During the course of that hearing, Associate Deputy Attorney General James A. Baker contended that the government's ability to prosecute company insiders for misuse of data to which they have access is an important prosecutorial tool. Baker told the committee that it would be difficult, and unwise, to amend the statute in a way that limited the government's ability to bring CFAA prosecutions in cases in which a website or network terms of use document was the basis for alleging that an individual had exceeded authorized access.

Democrats on the committee were not impressed with this argument. On Sept. 22, 2011, the committee reported S. 1151, a comprehensive data security measure, on a 10-8 party line vote. A late amendment would prohibit CFAA prosecutions based on violations of website terms:

    Section 1030(e)(6) of title 18, United States Code, is amended by striking "alter;" and inserting "alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized;"

The prospects for passage of S. 1151 appear dim, however. No Republican on the Judiciary Committee supported it, and the business community's representatives in Washington have a lot of problems with S. 1151, albeit for reasons unrelated to the CFAA amendment regarding website terms.

By Thomas O'Toole

Follow this blogger on Twitter at @tjotoole.
