Keep up with the latest developments and legal issues in the telecommunications and emerging technology sectors, with exclusive access to a comprehensive collection of telecommunications law news,...
The U.S. Supreme Court may decide in its new term if someone who uses a work computer or takes social media data without authorization can be found guilty of breaking a 31-year-old federal law originally designed to criminalize hacking.
The high court has been asked to review two lower court decisions that held a defendant can run afoul of the Computer Fraud and Abuse Act (CFAA) by accessing a computer or social media data without permission—or when permission has been explicitly revoked.
The justices have the chance to clarify the scope of a law that plaintiffs have invoked in scenarios that go well beyond an outside hacker breaking into a computer. The court plans to consider the petitions for review at its Oct. 6 conference.
Courts have struggled to define what constitutes the term “without authorization” under the law in the face of changing technology. The pending petitions present opportunities for the high court to bring the law up to speed with the modern computer age, Jeffrey D. Neuburger, a partner and co-head of the technology, media and communications group at Proskauer Rose LLP, told Bloomberg BNA.
“The Supreme Court could add a level of consistency and uniformity across jurisdictions, hopefully in a way that would apply in a variety of factual circumstances,” Neuburger said.
The U.S. Court of Appeals for the Ninth Circuit attempted to define “without authorization” under the law, but critics argue its interpretation could criminalize password sharing and stifle the growth of cloud computing and other technologies.
In United States v. Nosal (Nosal II), petitioner David Nosal is asking the Supreme Court to determine if accessing a computer with an account holder’s permission—but without the computer owner’s permission—constitutes “access without authorization” under the CFAA ( No. 16-1344, cert. petition filed 5/5/17 ).
In Facebook Inc. v. Power Ventures Inc., social media aggregator Power Venture Inc. wants the court to determine whether a company that accesses social media users’ data with their permission—but without that of the social media site—would be held liable under the law ( No. 16-01105, cert. petition filed 3/9/17 ).
The two cases have created confusion over the types of conduct that the statute covers, Jamie Lee Williams, staff attorney at the Electronic Frontier Foundation (EFF), told Bloomberg BNA. The EFF filed an amicus brief supporting Nosal. Now the court could clarify that the law wasn’t intended as a “tool for policing internet use,” Williams said.
The Ninth Circuit ruled in Nosal II that defendant Nosal violated the CFAA by using a past colleague’s password to access a former employer’s computers after the employer expressly revoked Nosal’s computer access credentials. The CFAA prohibits access without authorization of a protected computer for the purposes of obtaining information.
Nosal argued in a May 5 Supreme Court petition that if computer owners have “exclusive discretion” to revoke authorization, people could be held criminally liable for a number of day-to-day activities. For example, using a spouse’s password to log into a family banking account, or using a colleague’s email account to print a presentation, could constitute violations of the statute under the Ninth Circuit’s ruling, he said.
“The Ninth Circuit’s construction of the CFAA threatens to criminalize a broad swath of innocuous activity that ordinary people engage in every day,” Nosal said. “That alone is reason enough for this Court’s immediate review.”
The Justice Department, argued in an opposition brief that the Ninth Circuit didn’t hold that a computer owner has exclusive discretion to revoke authorization in all cases. Nothing in the Ninth Circuit’s opinion suggests that the hypotheticals Nosal used would violate the CFAA, the department said.
“The court emphasized that its holding was limited to the facts of petitioner’s case,” the department said.
Nosal said the decision, if allowed to stand, could have “unintended consequences” for password sharing as well as cloud computing, in which cloud service providers allow users to store data remotely on the service’s computers.
According to an amicus brief the BSA | The Software Alliance filed in the Ninth Circuit, users may provide one cloud provider with their credentials to access computers owned by a second cloud provider. But sharing access credentials without a cloud provider’s permission could be a federal crime under the Ninth Circuit’s ruling, Nosal argued.
The Ninth Circuit held in Power Ventures that social media aggregator Power Ventures violated the CFAA by accessing Facebook user data with permission from users but not Facebook.
Power Ventures argued in a March 9 petition that the Ninth Circuit’s decision was “clearly erroneous” because Facebook isn’t a “protected computer” within the meaning of the statute but a social networking site that lets users share their personal data. “In this context, the ‘authorization’ the CFAA refers to is plainly that of the data owners and users,” Power Ventures said.
Facebook said in an opposition brief that Power Ventures waived that argument because it didn’t bring it up in its briefs to the Ninth Circuit. The argument was “neither pressed nor passed upon below—or, indeed, at any point during the 8½ years this case has been pending,” Facebook said.
Power Ventures also said the Ninth Circuit’s decision could have “immense implications” across the nation, where millions of people use Facebook and other social networking and cloud service providers to share content.
“Facebook and other data controllers already have outsized influence over individual users as gatekeepers,” Power Ventures said. “Judicial decisions like the one below will aggrandize their power even more by handing them veto power over online entrepreneurs like Petitioners who seek to enable data portability for users.”
To contact the reporter on this story: Alexis Kramer in Washington at email@example.com
To contact the editor responsible for this story: Keith Perine at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)