The Computer Fraud and Abuse Act[1] (CFAA), which addresses computer hacking, broadly criminalizes intrusion into computer systems, including all computers “used in or affecting interstate or foreign commerce or communication.”[2] Among other provisions, the CFAA imposes criminal penalties on whoever “accesses a protected computer without authorization, or exceeds authorized access” to perpetrate a fraud.[3] Recently, in United States v. Nosal (Nosal II),[4] the Ninth Circuit affirmed the conviction of a defendant whose co-conspirators used someone else’s login credentials to access the computers of the defendant’s former employer.[5] In doing so, the court held that “without authorization” is an unambiguous term with a plain meaning; the court’s interpretation meant that in this case only the system owner — and not a legitimate user of the system — could grant authorization.[6] The court could have minimized the CFAA’s risk of overcriminalization by articulating a distinction between individuals who are explicitly denied or revoked access, and those who lack authorization from the system owner but may claim authorization from a legitimate user.
David Nosal was an employee of Korn/Ferry International (KFI), an executive search firm.[7] After he announced in 2004 that he intended to leave the company, he continued to work as a contractor under a noncompetition agreement.[8] Meanwhile, Nosal and other KFI employees were secretly launching a competing business.[9] KFI’s “core asset” was a proprietary database called Searcher, hosted on KFI’s internal network, which held information about over a million executive search candidates.[10] Nosal and his partners had downloaded data from Searcher while they were employees at KFI, using their own credentials, for use in their competing business.[11] Because KFI revoked their logins when they ceased to work for the firm, they then asked Nosal’s former assistant, Jacqueline Froehlich-L’Heureaux (FH), who remained employed at KFI, for her username and password.[12] She gave her credentials to Nosal’s partners, who used those credentials to continue accessing Searcher on at least three discrete occasions.[13] After an anonymous tip, KFI launched an investigation and referred the matter to authorities.[14] The government indicted Nosal on nineteen criminal counts, five of which alleged CFAA violations under the “exceeds authorized access” clause of § 1030(a)(4) while Nosal was a KFI employee;[15] those CFAA counts were dismissed in Nosal I.[16] In 2013, the government filed a superseding indictment with three CFAA counts resting on accomplice liability for the three times Nosal’s partners, without authorization, accessed Searcher with FH’s credentials after they had left the firm.[17] The government also indicted Nosal on two trade secret misappropriation counts under the Economic Espionage Act[18] and one count of conspiracy.[19] A jury found him guilty on all counts.[20] Nosal moved for acquittal and for a new trial.[21]
The United States District Court for the Northern District of California denied the motions.[22] The court rejected Nosal’s argument that a CFAA violation requires “circumvention of technological barriers,” such as evading a firewall by pretending to connect from somewhere else, because neither the statute nor Nosal I requires such circumvention.[23] The court also rejected Nosal’s argument that FH’s permission to use her credentials to access Searcher was sufficient authorization,[24] explaining that the employer determines authorization, not a password holder defying the employer.[25] Nosal timely appealed.[26]
A divided panel of the Ninth Circuit affirmed Nosal’s conviction on all counts.[27] Writing for the majority, Judge McKeown[28] noted that LVRC Holdings LLC v. Brekka[29] had interpreted the phrase “intentionally accesses a computer without authorization.”[30] Brekka “directly” resolved the issue: accessing a computer after the employer has rescinded permission is clearly “without authorization.”[31] Judge McKeown further gave “without authorization” its plain and ordinary meaning, concluding, consistently with other circuits,[32] that the term was unambiguous.[33] Because authorization implicitly comes from “an authority,” only the computer owner holds the power to allow or disallow access to its systems.[34] After KFI revoked their credentials, Nosal and his partners became “outsiders” no longer authorized to access Searcher.[35] FH, the assistant who supplied her credentials, “had no mantle or authority to give permission to former employees whose access had been categorically revoked by the company.”[36] Therefore, Nosal violated the CFAA as an accomplice to his partners’ unauthorized access to Searcher using FH’s credentials.[37] The majority then rejected Nosal’s objection that the jury instructions failed to require circumvention of a “technological access barrier.”[38] Nothing in the statute requires hacking in the sense of breaking down virtual walls.[39] As for his accomplice liability, the facts supported a finding of deliberate ignorance, given an “unequivocal statement” in his partner’s testimony.[40]
The majority also affirmed Nosal’s conviction for trade secret theft under the Economic Espionage Act of 1996,[41] given the evidence presented at trial.[42] The court rejected Nosal’s contention that the data taken were not trade secrets, because even compilations of public information can be trade secrets if they are commercially valuable and sufficiently protected.[43] Finally, the panel vacated and remanded the restitution award for further consideration of reasonableness.[44]
Judge Reinhardt dissented.[45] He would have reframed the question to avoid the risk of making criminals out of innocents.[46] As Judge Reinhardt noted, the same “without authorization” language is used throughout the CFAA, including in broad provisions that do not require fraud or specific intent — merely “obtain[ing] . . . information” from a computer system.[47] Thus, the majority’s view that only the owner of the system has authority to grant access undermines the authorization upon which many forms of commonplace computer access depend: it could be a crime for an individual to log in to someone else’s Facebook account with that person’s permission, simply because the system owner prohibits it.[48] Judge Reinhardt would have permitted the common practice of “password sharing,” in which legitimate users delegate access to the system.[49] According to Judge Reinhardt, nothing in the dictionary or the statutory text supported the position that only the system owner has authority to grant authorization — perhaps “without authorization” just means that the outsider has neither the permission of the owner nor that of a legitimate user.[50] At worst, the statute is ambiguous, in which case the rule of lenity favors interpreting the statute in favor of a criminal defendant.[51] Finally, he questioned the wisdom of relying on private entities and prosecutors, who are more likely to compound than to minimize these problems.[52]
The conflict between the majority and dissent highlights the difficulties courts face when interpreting the CFAA. The majority, concluding that users could not grant authorization, preferred to give force to the CFAA by limiting the power to grant authorization to owners. The dissent, concluding to the contrary, was motivated by the lurking risk of overcriminalization under a dated and unclear statute. But there is a middle ground superior to both the majority’s and the dissent’s divergent approaches. The court could have articulated a distinction based on the status of the outsider. Outsiders who have never been affirmatively denied authorization by the system owner should be able to rely on the authorization of subordinate users. But an outsider who has been banned from the system cannot circumvent that ban by getting a valid password from an individual user. Such a distinction coheres with the plain and ordinary meaning of “without authorization,” the Ninth Circuit’s prior CFAA jurisprudence, and its most recent cases. Importantly, this approach would have preserved the CFAA’s deterrent goals without overcriminalizing common practices and would allow for economically beneficial forms of outsider access beyond household password sharing.
The court could have categorized outsiders who claim a subordinate user’s authorization into two groups: those who have neither been explicitly granted nor affirmatively denied access by the system owner (“neutral outsiders”) and those to whom the system owner has explicitly denied or revoked authorization (“banned outsiders”). Neutral outsiders can be thought of as strangers. Banned outsiders, by contrast, are known to the system owner, whether by name or electronic identifier (for example, IP address); a particularized determination resulted in their affirmative exclusion from the system. Neutral outsiders may rely on authorization from users subordinate to the system owner, because for them, even a user’s permission to access the system is a discrete piece of authorization within the plain meaning of the term; hence, they are not “without” (that is, lacking) authorization. But banned outsiders may not similarly rely on such authorization, because for them a user’s permission creates a conflict with the system owner’s denial or revocation; the owner’s judgment takes precedence for reasons of control and efficiency — not because the user never has the authority to let someone in.[53] The corollary of this distinction is that individual users may delegate authorization to neutral outsiders, but not to banned outsiders.[54] Of course, any authorization must be scrutinized for other potential defects, like misrepresentation and coercion, just as consent would be scrutinized in physical trespass. And the system owner may always turn a neutral outsider into a banned one by explicitly blocking them or communicating a revocation.
Another Ninth Circuit decision by a different panel only a week after Nosal II signaled a similar approach to deciding who may grant and receive authorization. The court held in Facebook, Inc. v. Power Ventures, Inc.[59] that users could delegate authorization, but a system owner could supersede and revoke that authorization.[60] Users of Power’s site had given the site their Facebook login credentials and permission to access Facebook’s services on their behalf.[61] Facebook sent a cease-and-desist letter prohibiting Power from accessing Facebook’s systems and instituted a technological block,[62] turning Power into a banned outsider. Facebook then sued when Power continued to access and misuse Facebook’s systems, and the court affirmed Power’s liability under the CFAA.[63] Nosal II and Power Ventures are consistent in that the system owner’s revocation of a specific outsider’s authorization prevented the outsider from asserting valid authorization from individual users;[64] read together, both cases made banned outsiders liable. In fact, by allowing the system owner to have the final say, even though the system owner is not the only one with a say, Power Ventures arguably adopted a methodology very similar to the one advocated here: until Facebook made Power a banned outsider, the users’ delegated authorization was valid.[65] Thus, applying the neutral/banned distinction would not change the disposition of the two cases.
This framework would appropriately balance the risk of overcriminalization against the need for effective legal deterrents and penalties for hacking. It reaches the right result for the kind of password sharing Judge Reinhardt cited. For example, if a company employee purports to authorize her spouse to check her work email, then so long as the company has not explicitly banned her spouse, her spouse would not commit a crime under this meaning of the CFAA by accessing the employee’s email. On the other hand, this framework might conceivably allow some outsiders to conspire with insiders and then claim their access was authorized — but if such conspiracy is possible, whether the insider sends the treasure trove to the outsider or gives the password to retrieve it should not create a difference in whether a crime has been committed.[66] Even if some hackers were to assert a defense on the grounds that they received authorization from a legitimate user, this defense would be limited by the validity of the user’s authorization. And the CFAA is not the only grounds for liability: state statutes[67] and trade secret laws,[68] among others, may still be enough to prosecute, and computer owners may still assert common law torts. Nosal is a perfect example: the defendant was also convicted of trade secret theft,[69] demonstrating that the CFAA need not be a catch-all-criminals statute.
Though the vagueness of the CFAA has long been noted,[70] concerns about delegated access are relatively novel. Few approaches to limiting the overbreadth of the CFAA explicitly consider the possibility of users delegating to anyone[71] — hence the novel question of law confronted in Nosal II. Professor Orin Kerr proposes that a user should always be able to delegate to an outsider authorization for anything the user may access, though Kerr would impose an agency relationship between the user and the outsider, limiting what can be done with delegated authorization.[72] But while Kerr’s proposal soundly permits household password sharing, its agency limitation may be fatal to all third-party websites and tools like Power. Agency strongly limits what the outsider may do even once inside the system, because acting for self-gain violates common law duties and terminates the agency, once again rendering the access unauthorized — and criminal.[73] Because third-party websites and tools, such as social media aggregators, often sustain their endeavors by extracting value from the user’s data, conditioning the validity of their delegated authorization on agency principles may discourage the development of interoperable tools that interact with existing computer systems. Conversely, this neutral/banned outsider inquiry results in an essentially binary rule, hinging on the plain meaning of “without,” while advantageously tilting toward permissiveness in the gray zone where the system owner has not said either yes or no. Third parties providing “add-on” features, like Power, should be able to experiment without first seeking affirmative approval from the system owner — subject to a later no.
The majority’s failure to recognize a neutral/banned outsider distinction risks criminalizing innocuous activity. But since the distinction can be cleanly applied to this case, the Nosal II panel decision should be narrowly read as a case about banned outsiders.[74] Cabining the scope of the decision to this half of the neutral/banned distinction avoids the risk of criminalizing household password sharing and supplies a limiting principle.