Friday, July 15, 2016

Legal Geek No. 79: Computer Fraud and Abuse Act in the Crosshairs

Welcome back to Legal Geek. This week, we cover the new scrutiny placed on the Computer Fraud and Abuse Act after that federal criminal law was interpreted broadly in a 9th Circuit Court of Appeals decision last week.

https://archive.org/details/LegalGeekEp79

The Computer Fraud and Abuse Act was written in 1986 to criminalize hacking activities with respect to government computers and computers of financial institutions. The law also has a catch-all provision, added in 2008, that prohibits access "without authorization" or "by exceeding authorized access" to any protected computer used in interstate commerce, which can be read as anything connected to the Internet.

This amendment, while made by Congress in an effort to solidify the anti-hacking law, has created questions about how broadly the law should be interpreted. If broadly interpreted, seemingly innocuous things like breaking a social network's code of conduct or letting someone use your Netflix password would be a federal felony, while if narrowly interpreted, such conduct would fall well outside the scope of this law. The 9th Circuit's decision this week in U.S. v. Nosal illustrates both sides of the argument well.

The facts in Nosal are pretty simple. Nosal left an executive recruiting firm to open his own competitor firm, and over time, he took a couple of former co-workers and his assistant from the original company as well. To get a leg up on leads and information, Nosal instructed the former co-workers while they still had access to pull confidential lead information from the old company's servers and give it to his new company. Then after those co-workers also left and had their own access revoked, Nosal had his former assistant give her password to them and they accessed similar information again to deliver it to the new firm. The former assistant left for the new firm shortly thereafter.

Clearly these are bad actors in the Nosal case, so why is this case such a fuss? This is actually the second time this case and set of facts has been decided by the 9th Circuit. The first time, back in 2012, the full en banc panel considered specifically the actions of the former co-workers who downloaded and transferred confidential data and gave it to Nosal while they were still employed by the original company and still had full access to the information. That panel determined that these employees did have access, so the conduct was clearly not "without authorization" and it also was not deemed "exceeding authorized access" because they did have full access to the information. Certainly the transfer to Nosal broke employee codes and therefore violated contract or trade secret laws, but not a law designed to stop outside or inside hacking.

Yet just four years later, a smaller 3-judge panel of the 9th Circuit essentially reversed this decision based solely on a small change in the facts considered. Specifically, this year the Court focused on the activities of the co-workers after they had been fired and had their access revoked, when they used the assistant's authorized password anyway to access the database and pull more information from the original company. Instead of focusing on the fact that this was just another type of password sharing and essentially the same access by the assistant, the new panel decided that this slightly altered conduct clearly fell under the "without authorization" prong of the law, generalizing this story as a hacking scheme with an inside man. A small fact difference totally flipped the outcome.

However, as the dissent in the current decision notes, this decision could be extended to apply to all password sharing, which would mean giving your buddy an HBO GO password is a felony. It could also reach other things, like companies forcing employees out for minor violations, such as using work computers for personal tasks like e-mail during work hours, by threatening to turn them over to the FBI.

This case is not necessarily over, as a full en banc panel of the 9th Circuit could go back and reverse this new decision to make it more consistent with the first one, which narrowly interpreted the scope of the CFAA. Moreover, as the 2nd and 4th Circuits have sided with the narrow interpretation of the law while three other Circuits have sided with the broad interpretation, this is a classic case of a circuit split, which usually brings swift action by the Supreme Court to settle an issue. So stay tuned for further developments.

The Bottom Line is, the cries that sharing passwords for consumer things like streaming services is now a felony are not exactly true, as that type of fact scenario has not been applied to this law yet. Even though it can be painful to watch the judicial branch labor over how to interpret the laws Congress enacts when trying to keep up with technology, this is how the process is supposed to work. With so many other potential laws like contract, tort, and trade secret laws being available to stop smaller breaches like password sharing, and the original intent of the CFAA being to stop hacking, it seems likely that the eventual solution of the judiciary will be a narrow interpretation of this law. It just takes a while and some bumps on the road to get there.

-----------------------------------

Thanks for reading. Please provide feedback and legal-themed questions as segment suggestions to me on Twitter @BuckeyeFitzy

------------------------------------
TEMPORARY CLOSER
If you will be at GenCon in Indianapolis in August, come check out my seminars on IP law and game design there, or message me on Twitter @BuckeyeFitzy and we can meet up for a drink or a game.
