Ninth Circuit: CFAA’s Prohibition on Accessing Computer Without Authorization “Unambiguous”
In a decision released Tuesday, the Ninth Circuit held that the Computer Fraud and Abuse Act’s (“CFAA”) prohibition on accessing a computer “without authorization” is violated when a person whose access to a computer system has been “affirmatively revoked” nonetheless accesses that computer system by other means.
In United States v. Nosal, the Ninth Circuit focused on the CFAA’s prohibition on accessing a computer “without authorization.” The court described that term as “unambiguous” and “non-technical,” meaning “accessing a protected computer without permission.” Given this plain meaning, the court found that “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the [CFAA] by going through the back door and accessing the computer through a third party.”
The decision upheld the conviction of former recruiting firm executive David Nosal, who was accused of obtaining information from his former company’s internal network without permission. Nosal’s credentials and those of two other former employees were revoked when they left the company, but they nevertheless accessed and received information from the company’s internal network by borrowing credentials of a current employee.
The Ninth Circuit found that there was “no question” the company “owned and controlled access to its computers . . . and that it retained exclusive discretion to issue or revoke access to the database.” Accordingly, after Nosal’s login credentials were revoked, he was “no longer authorized” to access the company’s computers. The court noted that “[i]mplicit in the definition of authorization is the notion that someone, including an entity, can grant or revoke permission.”
This is the second time the Ninth Circuit addressed the CFAA issues raised by Nosal’s case. In 2012, in Nosal I, the en banc Ninth Circuit considered the CFAA’s prohibition on “exceed[ing] authorized access” to a computer. Nosal I held that the CFAA’s “exceeding authorized access” prong does not criminalize “violations of [a company’s] use restrictions.” The court therefore dismissed five CFAA counts relating to Nosal’s aiding and abetting the misuse of data accessed by his co-workers with their own passwords.
Unlike the CFAA’s “exceeds authorized access” prong, which the Ninth Circuit recognized “has been the subject of much debate among the federal courts,” the statute’s “without authorization” prong “has not engendered dispute,” the court said. Instead, it said, “multiple circuits . . . agree with our plain meaning of the construction of the statute.”
In dissent, Judge Stephen Reinhardt argued the decision criminalized too much conduct, and characterized the issue as “about password sharing.” According to Judge Reinhardt, the CFAA “does not make the millions of people who engage in this ubiquitous, useful and generally harmless conduct into unwitting federal criminals.” Judge Reinhart read the majority’s opinion to find access “without authorization” if it is made without the permission of the computer system’s owner. In contrast, Judge Reinhardt would read the CFAA more narrowly, so that it would only be violated if a user accesses a computer without the authorization of either the system owner or a legitimate account holder.