Is it a federal crime to use a co-worker’s password with permission in order to access information for an improper purpose? What about those who get usernames and passwords from unwitting victims in an email scam? What does it mean to have authority to access a computer system, and who can give that authority? Could Congress have anticipated these questions in 1986 when it passed the Computer Fraud and Abuse Act (“CFAA”)? A three judge panel of the Ninth Circuit Court of Appeal wrestled with these questions recently as they tried to augur the limits of the CFAA during oral argument in United States v. Nosal.
The CFAA makes it a criminal offense to use a computer without authorized access or in a manner that exceeds authorized access. The Act also provides a civil right of action to hacking victims. The same prohibition applies to both criminal and civil causes of action, and requires proof on the issue of whether the activities of the alleged hacker either accessed the computer without authorization or exceeded the authorization he or she had.
Defendant David Nosal worked for an executive search firm. The federal government alleged that Mr. Nosal used his login permissions to access valuable data on the network for personal gain. In addition, when he was working as an independent contractor for the firm, he asked an employee to obtain information for him. That employee asked a co-worker for her username and password, and then used that login information to collect the information for Mr. Nosal.
Relevant to this discussion, the United States Attorney’s Office charged Mr. Nosal with violating the Computer Fraud and Abuse Act under two theories: first, that he violated the CFAA when he used his own login information to access information for an unauthorized purpose, and second, that he conspired to violate the CFAA when he asked an employee of the firm to get the information, and the employee used the password of a third person to access the data for an unauthorized purpose.
The contentious part of the CFAA for both theories is what sort of behavior is “without authorization or exceeds authorized access” to a computer system. The Ninth Circuit, in an en banc decision in 2012, addressed the first theory when it held that Mr. Nosal’s use of his login credentials to use information he was authorized to access in an unauthorized fashion did not exceed authorized access. The oral argument on October 20th addressed the second CFAA theory.
Circuit Courts of Appeals are still struggling with the interpretation of the CFAA, and have come to different decisions. The preceding Ninth Circuit opinion expressly disagreed with the decisions of three of its sister circuits who gave a broad interpretation of the CFAA. But the Fourth Circuit has since sided with the Ninth Circuit’s narrower definition. The Second Circuit held oral argument on the CFAA issue in May in United States v. Valle.