Password-sharing case divides Ninth Circuit in Nosal II
Orin Kerr writes:
The Ninth Circuit has handed down United States v. Nosal (“Nosal II“), a case on the scope of the Computer Fraud and Abuse Act that I blogged about here and here. The court held 2-1 that former employees of a company who had their company accounts revoked violated the CFAA when they subsequently used the passwords of a current employee, with the current employee’s permission, to access the company’s computers.
I think that the majority’s result is right on its facts but that its analysis is less helpful than it could be. This post explains my thinking, and it then explains the likely importance of the Ninth Circuit’s still-pending case in Facebook v. Power Ventures.
Read more on The Volokh Conspiracy.
From the opinion:
Embracing our earlier precedent and joining our sister circuits, we conclude that “without authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.
I think the majority’s notion that “unauthorized access” means “accessing a protected computer without permission” and that’s somehow unambiguous may be an overstatement. Should publication of a site in public areas of the Internet constitute permission or authorization, or do we need to write to every site and ask “Mother, may I?” before we read a site or download materials from it? Look at the controversy over white-hat or grey-hat researchers who find unsecured sites or databases. By my standard, if they have no intend to defraud or use the material for fraud, they should not be considered to have violated CFAA. That, however, has not stopped some entities from trying to accuse them of hacking under CFAA.
Perhaps some of the confusion could be eliminated if the courts remembered the second part of the statute that states that “and by means of such conduct furthers the intended fraud and obtains anything of value.” In Nosal, that wasn’t really an issue, but in other situations, it is. Keep watching the ACLU’s lawsuit on behalf of researchers.