May 2012
by Carlo D’Itri
As I’ve written before, the federal Computer Fraud and Abuse Act (“CFAA”) may provide companies with a tool to punish employees (and customers) who take information from protected computers.
The CFAA makes it a federal crime to obtain information from a computer without authorization or by exceeding authorized access. The CFAA was originally intended to be an anti-hacking statute, but today it’s been expansively used to prosecute people who are entitled to access the computer and the information at issue, but who subsequently use the information in violation of the computer owner’s policies.
In April 2012, the Ninth Circuit rejected that expansive application of the CFAA in a forceful en banc decision. Before getting into the particulars of the decision, let’s understand why this issue affects nearly every single person who uses the Internet.
Almost every commercial website has “terms of use.” Most people don’t have time or any desire to read them or would have trouble deciphering them if they did. Even if people did have time and could understand everything in website terms of use, almost all of them provide that they can be changed at any time and without any notice. So the terms of use on a website right now might be completely different from those on the same website tomorrow or even an hour later.
As the Ninth Circuit explains, under the expansive interpretation of the CFAA, any violation of a private website’s terms of use could constitute a federal crime. This is troubling. It effectively confers upon private parties the power to make federal criminal laws. It also likely means that every single person who uses the Internet violates federal criminal law every day.
The Circuit Split and Uncertainty in the Ninth Circuit
While some courts embrace the expansive interpretation of the CFAA discussed above, others take a narrower approach, holding that once someone is authorized to access information, subsequent misuse in violation of the owner’s policies does not constitute a federal crime under the CFAA.
Prior to April 2012, the law in the Ninth Circuit was uncertain. The Court’s decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), was widely cited as an example of the narrow interpretation.
Then came U.S. v. Nosal. In that case, employees of a company who were authorized to access the company’s computers went onto those computers, took information they were entitled to access, and sent it to one of the company’s competitors in violation of the company’s policy forbidding disclosure of confidential information. The district court, applying Brekka, followed the narrow approach and found no violation of the CFAA. 2010 WL 934257 (N.D. Cal. Jan. 6, 2010). The government then appealed to the Ninth Circuit, which initially reversed the district court and applied the problematic expansive approach. 642 F.3d 781 (9th Cir. 2011). But then the Court agreed to rehear the appeal en banc, and on April 10, 2012, the panel strongly affirmed the district court’s application of the narrow approach.
The Opinion
In affirming the narrow approach as the law of the Ninth Circuit, the en banc panel closely parsed the language of the statute. But the most interesting part of the panel’s analysis was the discussion of the implications if the expansive approach were found to be the correct one:
The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. …
The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. 581 F.3d at 858-859.
As the panel explained, the broad approach to the CFAA would turn every minor violation of employee handbooks or commercial terms of use into a federal crime:
Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government’s proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law. Significant notice problems arise if we allow criminal liability to turn on the vagaries of private policies that are lengthy, opaque, subject to change and seldom read. …
Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Id. at 860.
The implications of the expansive approach are staggering. As the panel pointed out, if you were to describe yourself on a dating website as “tall, dark and handsome” when in reality you are “short and homely”, and if the website required all statements about yourself to be accurate and truthful, your self-description could constitute a federal crime under the expansive approach. Another example – many companies’ terms of use prohibit users from sharing their password with others, so if you give your assistant your password to such a company’s website, you might have committed a federal crime under the expansive approach.
If these results weren’t bad enough as is, think about how difficult it would be to try to comply with private companies’ ever-changing policies and conditions. Most companies reserve the right to change their employee handbooks or website terms of use at any time without any notice. Under the expansive view, this would mean that “behavior that wasn’t criminal yesterday [could] become criminal today without an act of Congress, and without any notice whatsoever.” Id. at 862.
The Ninth Circuit soundly decided to limit the CFAA’s application. If companies want to protect their information, they can rely on contractual arrangements or, when appropriate, sue for misappropriation of trade secrets. Private companies should not be deputized to make criminal laws, especially not by the simple posting of website terms of use or adoption of employment policies.
Even though the Ninth Circuit reached a sound decision, the troubling expansive view remains the law in several circuits, and it is possible the Supreme Court could weigh in on this matter.