If you’re reading this at work, you may be committing a federal crime (depending on where you are reading it, and you’re employer’s policies about reading the internet). Here’s hoping you don’t get charged!
If you’d willing to brave the threat of Johnny Law, or you’re at home, please read on.
Mr. Nosal Wanted To Start A New Company
David Nosal worked at an executive search firm. He left to start a competitor. He had some of his friends log in to his prior employer’s computer to download confidential information about that company’s business contacts. He used these contacts to launch his new company.
Importantly, the employees were allowed to log on to the database, but the company had a policy that prohibited them from sharing the company’s information.
Mr. Nosal was charged in federal court with violating the Computer Fraud and Abuse Act (the CFAA, for those in the business), 18 U.S.C. § 1030(a)(4). He was also charged with a number of other federal crimes.
Mr. Nosal filed a motion to dismiss the CFAA violation. The district court granted it. The government appealed.
In United States v. Nosal, an en banc Ninth Circuit affirmed, in an opinion by Chief Judge Kozinski.
The Computer Fraud and Abuse Act
The CFAA criminalizes accessing a computer in a way that “exceeds authorized access.” “Exceeds authorized access,” in turn, is a defined term in the statute, in subsection (e)(6):
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter
Mr. Nosal’s friends were allowed to access their company’s computer. They simply weren’t allowed to share the information that they found on the computer outside of the company. Does such conduct exceed the authorized access as the term is used in the CFAA.
Here’s how Chief Judge Kozinski framed the issue:
This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files–what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed[ ] authorized access” if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.
Of course, the way we interpret statutes these days is clear – if the language is unambiguous, you go with that language. If it isn’t, you revert to a number of rules about statutory construction.
The Language of the Statute
The government had to argue that the statute is unambiguous – that it only supports a reading that bars both accessing information that a person isn’t allowed to access and using any of the accessed information in a way that the person isn’t allowed to.
The court, though, found that the statute can plausibly be read to limit just access beyond that allowed – just going onto a part of a database that a person doesn’t have permission to be in.
As the court summarized it,
the government argues that [the company]’s computer use policy gives employees certain rights, and when the employees violated that policy, they “exceed[ed] authorized access.” But “entitled” in the statutory text refers to how an accesser “obtain[s] or alter[s]” the information, whereas the computer use policy uses “entitled” to limit how the information is used after it is obtained. This is a poor fit with the statutory language. An equally or more sensible reading of “entitled” is as a synonym for “authorized.” So read, “exceeds authorized access” would refer to data or files on a computer that one is not authorized to access.
So, phew, the statutory language is ambiguous. Now we can get to the fun stuff (especially when Kozinski is writing).
How Absurd Is The Government’s Reading Of The Statute?
Here’s the starting point:
If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions — which may well include everyone who uses a computer — we would expect it to use language better suited to that purpose.
Chief Judge Kozinski, in a style reminiscent of his opinion on the Stolen Valor Act, celebrates computer misuse.
Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit.
By way of background, the CFAA has a separate provision that criminalizes exceeding authorized access to any computer that’s connected to the internet. That provision, subsection (a)(2)(C), doesn’t require that the person have any particular intent. So it doesn’t have to be in furtherance of any fraudulent or otherwise wrongful activity.
Though as the opinion points out,
This concern persists even if intent to defraud is required. Suppose an employee spends six hours tending his FarmVille stable on his work computer. The employee has full access to his computer and the Internet, but the company has a policy that work computers may be used only for business purposes. The employer should be able to fire the employee, but that’s quite different from having him arrested as a federal criminal. Yet, under the government’s construction of the statute, the employee “exceeds authorized access” by using the computer for non-work activities. Given that the employee deprives his company of six hours of work a day, an aggressive prosecutor might claim that he’s defrauding the company, and thereby violating section 1030(a)(4).
But, assume the intent requirement isn’t there and we’re dealing with subsection (a)(2)(C). If so,
[b]asing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.
The effect this broad construction of the CFAA has on workplace conduct pales by comparison with its effect on everyone else who uses a computer, smart-phone, iPad, Kindle, Nook, X-box, BluRay player or any other Internet-enabled device. The Internet is a means for communicating via computers: Whenever we access a web page, commence a download, post a message on somebody’s Facebook wall, shop on Amazon, bid on eBay, publish a blog, rate a movie on IMDb, read www.NYT.com, watch YouTube and do the thousands of other things we routinely do online, we are using one computer to send commands to other computers at remote locations.
I suppose that’s one reason to turn the wireless off on your Kindle at work.
It gets worse though,
Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or under- stands.
For example, it’s not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007–March 1, 2012, §2.3, http://www.google.com/intl/en/ policies/terms/ archive/20070416 (“You may not use the Services and may not accept the Terms if . . . you are not of legal age to form a binding contract with Google . . . .”) (last visited Mar. 4, 2012).9 Adopting the government’s interpretation would turn vast numbers of teens and pre-teens into juvenile delinquents– and their parents and teachers into delinquency contributors.
I suppose I should talk to a criminal defense lawyer before I tell anyone about a Google search I did with my son as a part of his schoolwork (and because we were curious who would win a fight between a shark and an octopus (spoiler alert – the octopus)).
But, the opinion’s bottom line is that we’re all guilty of stepping over the line – surely this stuff can’t be a federal crime?
The Department of Justice’s response was familiar – “Trust us”. Judge Posner rejected this a few weeks ago. Chief Judge Kozinski does too:
The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor. Cf. United States v. Stevens, 130 S. Ct. 1577, 1591 (2010) (“We would not uphold an unconstitutional statute merely because the Government promised to use it responsibly.”). And it’s not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17- year-old boy and cyber-bullied her daughter’s classmate. The Justice Department prosecuted her under 18 U.S.C. §1030(a)(2)(C) for violating MySpace’s terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.
It’s a lovely opinion. I could block quote the whole thing.
The dissent, by Judge Silverman, begins in the most curious way:
This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values.
The majority rightly values “fibbing on dating sites”? It must be hard to be in dissent against a writer like Judge Kozinski, but do you really want to concede the point that way?
In any event, the district court was affirmed, and the case remanded so Mr. Nosal could be prosecuted for the remaining counts.
I should note, for readers in the 11th, 5th, and 7th Circuits, that it appears that your federal circuit courts do not agree with Chief Judge Kozinski’s analysis. Apparently, in those parts of the country, you might be prosecuted for using your work computer for nonwork purposes.
Perhaps you should have waited to read this until you get home.