United States v. Nosal

United States of America v. David Nosal
Court: United States Court of Appeals for the Ninth Circuit
Full case name: United States of America v. David Nosal
Argued: February 14th 2011
Decided: April 28th 2011
Holding
The court held that employees who violate the computer use policies of their employers have not "exceeded their authorization" for the purposes of prosecution under the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030.
Court membership
Judge(s) sitting: Diarmuid F. O'Scannlain, Stephen S. Trott, and Tena Campbell
Case opinions
Majority: Judge O'Scannlain, Judge Trott
Dissent: Judge Campbell
Laws applied
Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030

United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) [1] was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling (Nosal I) established that employees have not "exceeded authorization" for the purposes of the CFAA when they access a computer in a manner that violates the company's computer use policies, provided they are authorized to access the computer and do not circumvent any protection mechanisms.

On April 24, 2013, U.S. Attorney Melinda Haag announced that Nosal was convicted by a federal jury of all charges contained in a six-count indictment. [2] Nosal appealed his conviction to the Ninth Circuit. [3] On July 5, 2016, a three-judge panel held 2-1 that Nosal had acted "without authorization" and affirmed his conviction. In this second decision (Nosal II), the Ninth Circuit attempted to clarify the meaning of "without authorization" in the context of the CFAA. [4]

Background

In October 2004, David Nosal resigned from his position at Korn/Ferry, an executive search and recruiting company. As part of his separation agreement, Nosal agreed to serve as an independent contractor for Korn/Ferry and not to compete with them for one year; in exchange, Korn/Ferry agreed to compensate Nosal with two lump-sum payments and twelve monthly payments of $25,000. [1] A few months after leaving Korn/Ferry, Nosal solicited three Korn/Ferry employees to help him start a competing executive search business. Before leaving the company, the employees downloaded a large volume of "highly confidential and proprietary" data from Korn/Ferry's computers, including source lists, names, and contact information for executives. [1]

On June 26, 2008, Nosal and the three employees were indicted by the federal government on twenty counts of violations of the Computer Fraud and Abuse Act. The government alleged that the defendants "knowingly and with intent to defraud" exceeded authorized access to Korn/Ferry's computers.

Nosal appealed the indictment, claiming that the CFAA was "aimed primarily at computer hackers" and that it "does not cover employees who misappropriate information or who violate contractual confidentiality agreements". [1] Nosal further argued that the employees were, in principle, permitted to access the information in their role as Korn/Ferry employees, and thus they did not "act without authorization" or "exceed authorized access" as written in Section (a)(4) of the CFAA. [1]

After initially rejecting these arguments, the district court eventually agreed with Nosal and dismissed the five counts of the indictment arising from Section (a)(4). [1] The government appealed this decision, arguing that Nosal and his accomplices did indeed exceed authorized access because they violated the company's computer access policies, which restricted the "use and disclosure of all [database] information, except for legitimate Korn/Ferry business". [5]

Court case

The case was based heavily on the Ninth Circuit's interpretation of language in the CFAA statute, especially Section (a)(4), under which the more serious charges against the defendants stemmed.

Section (a)(4) of the CFAA makes liable anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." [6] Neither party disputed that Nosal's accomplices were authorized to access Korn/Ferry computers, so the case hinged on whether or not they exceeded their authorized access when they downloaded the information for fraudulent purposes.

The Ninth Circuit Court relied on their earlier decision in LVRC Holdings v. Brekka, [7] which centered on an employee who transferred business documents from his employer's computer to his personal email account and was later sued by the employer under a civil provision in the CFAA. In their ruling for that case, the court emphasized a distinction between the phrases "without authorization" and "exceeding authorized access" from CFAA Section (a)(4), and in so doing, provided an interpretation of the statutory language. They wrote, "an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has 'exceed[ed] authorized access.' On the other hand, a person who uses a computer 'without authorization' has no rights, limited or otherwise, to access the computer in question." [7]

The court adopted this interpretation and expanded its scope, ruling that an employee "exceeds authorized access" under the CFAA when they use a computer in a way that violates an employer's access restrictions, including policies governing how information on the computer may be used. [7]

Regarding the question of how to determine when a violation occurs, the court rejected the approach used in International Airport Centers v. Citrin, [8] which asserted that an employee loses authorization when he or she "violates a state law duty of loyalty because...the employee's actions [terminate] the employer-employee relationship 'and with it his [or her] authority to access the [computer]'". [1]

Instead, the court cited their finding from Brekka that for purposes of the CFAA, it is the action of the employer that determines whether an employee is authorized to access the computer. They decided that, as a logical extension of this finding, the question of whether an employee "exceeds authorized access" is likewise determined by the employer's actions, including (but not limited to) the promulgation of computer use restrictions. Since Korn/Ferry indeed had such computer use restrictions, which the defendants violated when they accessed the executive database for fraudulent purposes, the Ninth Circuit court reversed the district court's decision and remanded the case to the district court to reinstate the five counts under Section (a)(4).

Dissent

Judge Campbell dissented, arguing that the court's decision renders the CFAA's provisions unconstitutionally vague, since computer use policies are not written "with the definiteness or precision that would be required for a criminal statute" and they can be changed without notice. The ruling, she argued, places an undue burden on employees to stay current on such policies in order to protect themselves against possible criminal prosecution. [1]

Impact and criticism

Nosal argued that the ruling would make criminals out of millions of employees who use their work computer to do trivial tasks such as checking basketball scores on the internet or reading personal email, behaviors that (technically) violate typical computer use policies. Many online law pundits expressed similar concerns, fearing that one could be prosecuted under federal law for violating a website's terms of service, for example, lying about one's age on Facebook. [9] [10]

The court defended its ruling, noting that such benign behaviors lack the requisite conditions of "intent to defraud" and "furthering fraud by obtaining something of value" as required for prosecution under CFAA Section (a)(4). [1] However, other provisions in the CFAA do not include such requirements, so the current ruling may still admit prosecution of trivial behaviors that had previously been considered out of the scope of the CFAA.

Follow up

On October 27, 2011, the Ninth Circuit agreed to rehear the case en banc. The new case was presented in front of the entire Ninth Circuit panel on December 15, 2011, in San Francisco. [11] The result of the hearing was published April 10, 2012, and states that the court chose a narrow interpretation of the CFAA, holding that the phrase "exceeds authorized access" in the CFAA does not extend to violations of use restrictions. [12]

Related Research Articles

Computer Fraud and Abuse Act (1986 United States cybersecurity law)

The Computer Fraud and Abuse Act of 1986 (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.

Milan Smith (American judge, born 1942)

Milan Dale Smith Jr. is an American attorney and jurist serving as a United States circuit judge of the United States Court of Appeals for the Ninth Circuit. Smith's brother, Gordon H. Smith, was a Republican U.S. Senator from 1997 to 2009. Milan Smith is neither a Republican nor a Democrat.

Dennis Jacobs is a senior United States circuit judge of the United States Court of Appeals for the Second Circuit.

United States v. Drew, 259 F.R.D. 449, was an American federal criminal case in which the U.S. government charged Lori Drew with violations of the Computer Fraud and Abuse Act (CFAA) over her alleged cyberbullying of her 13-year-old neighbor, Megan Meier, who had committed suicide. The jury deadlocked on a felony conspiracy count and acquitted Drew of three felony CFAA violations, but found her guilty of lesser included misdemeanor violations; the judge overturned these convictions in response to a subsequent motion for acquittal by Drew.

Doe v. Unocal Corp.

Doe v. Unocal, 395 F.3d 932, opinion vacated and rehearing en banc granted, 395 F.3d 978, was a lawsuit filed against Unocal for alleged human rights violations.

Honest services fraud (crime in the United States)

Honest services fraud is a crime defined in 18 U.S.C. § 1346, added by the United States Congress in 1988, which states "For the purposes of this chapter, the term scheme or artifice to defraud includes a scheme or artifice to deprive another of the intangible right of honest services."

Navajo Nation v. United States Forest Service

Navajo Nation v. United States Forest Service, 479 F.3d 1024, reversed after rehearing en banc, 535 F.3d 1058 was brought to the United States Court of Appeals for the Ninth Circuit in 2007. It was a case that was brought about by previous cases dealing with the expansion of the Snowbowl ski resort on the government-owned sacred lands of the Navajo peoples located in northern Arizona. In Navajo Nation v. U.S. Forest Service, the conflict escalated with the Federal government's use of artificial snow containing treated sewage on the sacred San Francisco Peaks, an area that is owned by the Federal government. The Navajo people, along with twelve other nations, made the appeal, citing that the use of sewage water violated the Religious Freedom Restoration Act.

United States v. Morris (1991 American legal case)

United States v. Morris was an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act. In the process, the dispute clarified much of the language used in the law, which had been heavily revised in a number of updates passed in the years after its initial drafting. Also clarified was the concept of "unauthorized access," which is central in the United States' computer security laws. The decision was the first by a U.S. court to refer to "the Internet", which it described simply as "a national computer network."

LVRC Holdings LLC v. Brekka

LVRC Holdings v. Brekka 581 F.3d 1127, 1135 is a Ninth Circuit Court of Appeals Decision that deals with the scope of the concept of "authorization" in the Computer Fraud and Abuse Act. The major finding of this case is that even if an employee accesses a computer for an improper purpose, such as one that violates the duty of loyalty to their employer, the employee remains authorized to access the computer until the employer revokes the employee's access. The findings of this case were upheld by another Ninth Circuit decision in United States v. Nosal, 676 F.3d 854 and are the current law in this circuit.

Fair Housing Council of San Fernando Valley v. Roommates.com, LLC

Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, 521 F.3d 1157, is a case in which the United States Court of Appeals for the Ninth Circuit, sitting en banc, held that immunity under Section 230 of the Communications Decency Act (CDA) did not apply to an interactive online operator whose questionnaire violated the Fair Housing Act. However, the court found that Roommates.com was immune under Section 230 of the CDA for the “additional comments” portion of the website. This case was the first to place a limit on the broad immunity that Section 230(c) gives to service providers that has been established under Zeran v. AOL (1997).

United States v. John (2010)

In United States v. John, 597 F.3d 263 (2010), the United States Court of Appeals for the Fifth Circuit interpreted the term "exceeds authorized access" in the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(e)(6), and concluded that access to a computer may be exceeded if the purposes for which access has been given are exceeded.

International Airport Centers, L.L.C. v. Citrin

In International Airport Centers, L.L.C. v. Citrin, the Seventh Circuit Court of Appeals evaluated the dismissal of the plaintiffs' lawsuit for failure to state a claim based upon the interpretation of the word "transmission" in the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. Jacob Citrin had been employed by IAC, who had lent him a laptop for use while under their employment. Upon leaving IAC, he deleted the data on the laptop before returning it to IAC. The Court of Appeals decided to reverse the decision and reinstated IAC's lawsuit.

Jespersen v. Harrah's Operating Co.

Jespersen v. Harrah's Operating Co., 444 F.3d 1104 was a United States federal employment law sex discrimination case.

Lee v. PMSI, Inc., No. 10-2094, was a case in the United States District Court for the Middle District of Florida about whether the Computer Fraud and Abuse Act (CFAA) makes it illegal for an employee to violate an employer's acceptable use policy. The court ruled that violating an employer's policy did not "exceed authorization" as defined by the CFAA and was not illegal under the act.

Craigslist Inc. v. 3Taps Inc. (2013 Northern District of California Court case)

Craigslist Inc. v. 3Taps Inc., 942 F.Supp.2d 962 was a Northern District of California Court case in which the court held that sending a cease-and-desist letter and enacting an IP address block is sufficient notice of online trespassing, which a plaintiff can use to claim a violation of the Computer Fraud and Abuse Act.

Pulte Homes, Inc. v. Laborers International Union

Pulte Homes, Inc. v. Laborers' International Union of North America, 648 F.3d 295, is a Sixth Circuit Court of Appeals case that reinstated a Computer Fraud and Abuse Act ("CFAA") claim brought by an employer against a labor union for "bombarding" the company's phone and computer systems with emails and voicemail, making it impossible for the company to communicate with customers. It held that causing a transmission that diminishes a plaintiff's ability to use its systems and data constitutes "causing damage" in violation of the CFAA.

Garcia v. Google, Inc.

Garcia v. Google, Inc., 786 F.3d 733, is an ongoing dispute that arose when Cindy Lee Garcia sued Google and its video-sharing website, YouTube, to have the controversial film, Innocence of Muslims, taken down from the site. A California district court denied Garcia's motion for preliminary injunction, but, on appeal, a panel of the United States Court of Appeals for the Ninth Circuit reversed the lower court's decision, ordered YouTube to take down all copies of Innocence of Muslims, and remanded the case to the district court for reconsideration. In May 2015, in an en banc opinion, the Ninth Circuit reversed the panel's decision, vacating the order for the preliminary injunction.

United States v. Kane (United States federal court case involving video poker software)

United States v. Kane, No 11-mj-00001, is a court case where a software bug in a video poker machine was exploited to win several hundred thousand dollars. Central to the case was whether a video poker machine constituted a protected computer and whether the exploitation of a software bug constituted exceeding authorized access under Title 18 U.S.C. § 1030(a)(4) of the Computer Fraud and Abuse Act (CFAA). Ultimately, the Court ruled that the government’s argument failed to sufficiently meet the “exceeding authorized access” requirement of Title 18 U.S.C. § 1030(a)(4) and granted the Defendants’ Motions to Dismiss.

hiQ Labs v. LinkedIn (2019 United States court case)

hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, was a United States Ninth Circuit case about web scraping. The 9th Circuit affirmed the district court's preliminary injunction, preventing LinkedIn from denying the plaintiff, hiQ Labs, access to LinkedIn's publicly available member profiles. hiQ is a small data analytics company that used automated bots to scrape information from public LinkedIn profiles.

Van Buren v. United States, 593 U.S. ___ (2021), was a United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. In June 2021, the Supreme Court ruled in a 6–3 opinion that one "exceeds authorized access" by accessing off-limit files and other information on a computer system they were otherwise authorized to access. The CFAA's language had long created a circuit split in case law, and the Court's decision narrowed the applicability of CFAA in prosecuting cybersecurity and computer crime.

References

  1. United States v. Nosal, 642 F.3d 781 (9th Cir. 2011).
  2. "Executive Recruiter David Nosal Convicted of Computer Intrusion and Trade Secret Charges." Federal Bureau of Investigation. Retrieved on June 19, 2013.
  3. Guilty Verdict In Critical Computer Fraud And Abuse Act Trial
  4. "United States v. Nosal" ("Nosal II") Decision ~ Ninth Circuit
  5. Akerman, Nick (December 19, 2011). "U.S. v. Nosal Re-Argued Before the 9th Circuit". Computer Fraud/Data Protection. Retrieved March 19, 2012.
  6. The Computer Fraud and Abuse Act, 18 U.S.C. § 1030
  7. LVRC Holdings v. Brekka, 581 F.3d 1127 (9th Cir. 2009).
  8. International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006).
  9. Akerman, Nick (December 21, 2011). "Can You Go to Jail for Lying on Facebook?". Computer Fraud/Data Protection. Retrieved March 19, 2012.
  10. Marsh, John (November 23, 2011). "Better Read the Fine Print: Are We All at Risk Under the Computer Fraud and Abuse Act?". Hahn Loeser. Archived from the original on January 25, 2013. Retrieved March 19, 2012.
  11. United States v. Nosal (en banc), 661 F.3d 1180 (9th Cir. 2011).
  12. United States v. Nosal (en banc) opinion (9th Cir. 2012).
