Computer Fraud Law May Go Under Supreme Court Microscope

Keep up with the latest developments and legal issues in the telecommunications and emerging technology sectors, with exclusive access to a comprehensive collection of telecommunications law news,...

By Alexis Kramer

The U.S. Supreme Court may decide in its new term if someone who uses a work computer or takes social media data without authorization can be found guilty of breaking a 31-year-old federal law originally designed to criminalize hacking.

The high court has been asked to review two lower court decisions that held a defendant can run afoul of the Computer Fraud and Abuse Act (CFAA) by accessing a computer or social media data without permission—or when permission has been explicitly revoked.

The justices have the chance to clarify the scope of a law that plaintiffs have invoked in scenarios that go well beyond an outside hacker breaking into a computer. The court plans to consider the petitions for review at its Oct. 6 conference.

Courts have struggled to define what constitutes the term “without authorization” under the law in the face of changing technology. The pending petitions present opportunities for the high court to bring the law up to speed with the modern computer age, Jeffrey D. Neuburger, a partner and co-head of the technology, media and communications group at Proskauer Rose LLP, told Bloomberg BNA.

“The Supreme Court could add a level of consistency and uniformity across jurisdictions, hopefully in a way that would apply in a variety of factual circumstances,” Neuburger said.

The U.S. Court of Appeals for the Ninth Circuit attempted to define “without authorization” under the law, but critics argue its interpretation could criminalize password sharing and stifle the growth of cloud computing and other technologies.

In United States v. Nosal (Nosal II), petitioner David Nosal is asking the Supreme Court to determine if accessing a computer with an account holder’s permission—but without the computer owner’s permission—constitutes “access without authorization” under the CFAA ( No. 16-1344, cert. petition filed 5/5/17 ).

In Facebook Inc. v. Power Ventures Inc., social media aggregator Power Venture Inc. wants the court to determine whether a company that accesses social media users’ data with their permission—but without that of the social media site—would be held liable under the law ( No. 16-01105, cert. petition filed 3/9/17 ).

The two cases have created confusion over the types of conduct that the statute covers, Jamie Lee Williams, staff attorney at the Electronic Frontier Foundation (EFF), told Bloomberg BNA. The EFF filed an amicus brief supporting Nosal. Now the court could clarify that the law wasn’t intended as a “tool for policing internet use,” Williams said.

Unintended Consequences?

The Ninth Circuit ruled in Nosal II that defendant Nosal violated the CFAA by using a past colleague’s password to access a former employer’s computers after the employer expressly revoked Nosal’s computer access credentials. The CFAA prohibits access without authorization of a protected computer for the purposes of obtaining information.

Nosal argued in a May 5 Supreme Court petition that if computer owners have “exclusive discretion” to revoke authorization, people could be held criminally liable for a number of day-to-day activities. For example, using a spouse’s password to log into a family banking account, or using a colleague’s email account to print a presentation, could constitute violations of the statute under the Ninth Circuit’s ruling, he said.

“The Ninth Circuit’s construction of the CFAA threatens to criminalize a broad swath of innocuous activity that ordinary people engage in every day,” Nosal said. “That alone is reason enough for this Court’s immediate review.”

The Justice Department, argued in an opposition brief that the Ninth Circuit didn’t hold that a computer owner has exclusive discretion to revoke authorization in all cases. Nothing in the Ninth Circuit’s opinion suggests that the hypotheticals Nosal used would violate the CFAA, the department said.

“The court emphasized that its holding was limited to the facts of petitioner’s case,” the department said.

Nosal said the decision, if allowed to stand, could have “unintended consequences” for password sharing as well as cloud computing, in which cloud service providers allow users to store data remotely on the service’s computers.

According to an amicus brief the BSA | The Software Alliance filed in the Ninth Circuit, users may provide one cloud provider with their credentials to access computers owned by a second cloud provider. But sharing access credentials without a cloud provider’s permission could be a federal crime under the Ninth Circuit’s ruling, Nosal argued.

Application to Social Networks

The Ninth Circuit held in Power Ventures that social media aggregator Power Ventures violated the CFAA by accessing Facebook user data with permission from users but not Facebook.

Power Ventures argued in a March 9 petition that the Ninth Circuit’s decision was “clearly erroneous” because Facebook isn’t a “protected computer” within the meaning of the statute but a social networking site that lets users share their personal data. “In this context, the ‘authorization’ the CFAA refers to is plainly that of the data owners and users,” Power Ventures said.

Facebook said in an opposition brief that Power Ventures waived that argument because it didn’t bring it up in its briefs to the Ninth Circuit. The argument was “neither pressed nor passed upon below—or, indeed, at any point during the 8½ years this case has been pending,” Facebook said.

Power Ventures also said the Ninth Circuit’s decision could have “immense implications” across the nation, where millions of people use Facebook and other social networking and cloud service providers to share content.

“Facebook and other data controllers already have outsized influence over individual users as gatekeepers,” Power Ventures said. “Judicial decisions like the one below will aggrandize their power even more by handing them veto power over online entrepreneurs like Petitioners who seek to enable data portability for users.”

To contact the reporter on this story: Alexis Kramer in Washington at akramer@bna.com

To contact the editor responsible for this story: Keith Perine at kperine@bna.com

For More Information

Nosal cert. petition is available at http://src.bna.com/oDF.

Nosal opposition brief is available at http://src.bna.com/sSo.

Power Ventures cert. petition is available at http://src.bna.com/sPh.

Power Ventures opposition brief is available at http://src.bna.com/sSp.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Tech & Telecom on Bloomberg Law