CFAA Is Not Prosecution’s One Size Fits All Corporate Espionage Cure

In United States v. Nosal, 642 F.3d 781 (9th Cir. 2011), the court was asked to determine if employees violated the Computer Fraud and Abuse Act (CFAA) by disobeying their employer’s computer use policies. Specifically, the ruling questioned whether an employee who accesses a computer in a manner that violates the company’s computer use policies, even if they typically have access, “exceeds authorization” under the CFAA.
In U.S. v. Nosal, an employee named David Nosal quit his job at the executive search and recruiting company Korn/Ferry. Nosal struck an agreement with three Korn/Ferry employees to steal information from Korn/Ferry and start a new executive search and recruiting company. His “partners to be” downloaded names, contact information and source lists for executives from the Korn/Ferry server. In 2008, Nosal and his three accomplices were charged with twenty violations of the CFAA.
The CFAA defines exceeding authorized access as gaining “access to a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). U.S. v. Nosal explains that this language can be interpreted two different ways – it could be interpreted to refer to someone who is authorized to access some files but accesses files or data that they are not permitted access to, or it could be interpreted to refer to someone who has unrestricted physical access to data or files, but is limited as to what he can do with the information.
The government focused on the word “so” in the same phrase. See 18 U.S.C. § 1030(e)(6) (“accesser is not entitled so to obtain or alter”). The government reads “so” to mean “in that manner,” which would grossly morph the legislators’ intent into an overarching restriction on computer usage that would make nearly every un-thought-of computer usage a crime.
“The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. This places a great deal of weight on a two-letter word that is essentially a conjunction. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer — we would expect it to use language better suited to that purpose.”
The Court sided with Nosal, finding that the CFAA couldn’t be so broadly interpreted as to encompass every unauthorized computer usage, thereby restricting the use of the CFAA in the prosecution of corporate espionage in United States companies.
Congress has recently heard from many witnesses who testify that the thefts committed by foreign computer hackers, who hack U.S. companies’ computers and steal corporate property, will soon be characterized as the largest thefts in history. However, little attention is being given to the threats that lie within the companies. Employees and other insiders are stealing and selling the secrets of their corporate employers to foreign governments and foreign companies. While the rationale of this case is sound, the legitimate interests of corporations and their employees require legislators to create legislation that will more narrowly constrict the ability of illegitimate employees (corporate spies) to steal and sell ill-gotten intellectual property. Without new legislation, little will stand between our corporations’ intellectual property and the highest bidder on a black market.

~ by ame06c on September 23, 2012.

8 Responses to “CFAA Is Not Prosecution’s One Size Fits All Corporate Espionage Cure”

  1. At the same time, there are existing noncontroversial remedies such as civil suits and criminal prosecutions for violating trade secret laws.

    In Massachusetts the DOJ is going after a person who downloaded and made public a substantial number of articles from JSTOR. The DOJ interprets this as exceeding authorized access of the JSTOR computers and damaging protected computers of JSTOR and MIT. Despite the fact that both JSTOR and MIT have settled with the person and stated they suffered no damage. http://crookedtimber.org/2012/09/19/new-charges-against-aaron-swartz/. Swartz is already liable for breach of contract for making the JSTOR papers public. Demanding a substantial prison term in addition to existing law seems excessive.

  2. Generally, when I think of computer hacking I think of a stealthy computer genius sitting in his garage and breaking into the computer system of some large corporation with the goal of siphoning funds into an untraceable offshore account. I clearly have been watching too many unrealistic movies…but the court in this case seems to share a similar sentiment. I think the court was right to narrowly interpret the scope of the CFAA. If the CFAA is interpreted more broadly it would eventually criminalize playing a quick round of solitaire at work and a mild online shopping spree while on the job. While these seemingly harmless actions are generally prohibited in the workplace, it hardly seems fair to criminalize such actions when they are so commonplace in the world today. The penalties for violating employee computer usage agreements should remain internal to the corporation that sets the policies. The law should not become involved merely because an employee checked their fantasy football status in between assignments. If the court were to expand the CFAA to include these minor violations the court system would be inundated with cases that attempt to transform otherwise law-abiding citizens into criminals for something that the citizens likely didn’t realize was a crime. To open the floodgates for such cases would be irresponsible, not to mention terrifying for every normal employee with internet access.

  3. I agree with Kelly. To have a violation of the CFAA for accessing information an employee is not entitled to obtain seems to be too broad of an interpretation of the act. Even if the government promises not to convict people for de minimis actions, I know I personally wouldn’t feel comfortable relying on that promise. It seems that a civil action would be a more appropriate remedy here.

    This scenario is a lot like the Facebook v. Power situation. In Facebook v. Power, Facebook made a claim that Power violated the CFAA by obtaining and using information from Facebook’s protected computers when Power obtained users’ login information to use on their website. Although we still don’t know all the facts in the case, again, it seems like the right remedy here would also be a civil action.

    However, stealing corporate property seems much more like a crime than a mere violation of access by doing online shopping during working hours. It seems the legislature should act to better define what it means by “access to a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” A more narrow definition of what a person is not entitled to do under the act seems appropriate, but it would also make sense to include a note that there are other remedies for things not covered under the CFAA.

  4. I would agree with the previous comments and add that our readings thus far have presented the theme of laws lagging behind technology and the courts’ attempts to grapple with how to adapt. While I would agree that it seems dangerous for courts to attempt to stretch the definition of simple words, I sympathize with the attempts of judges to hold people accountable for actions that seem wrong. I think that United States v. Nosal, as did Facebook v. Power, should prompt the legislature to try and keep pace with ever-evolving technology.

  5. I’m not sure we’re going to find anyone who thinks that criminalizing simple unauthorized computer use is a good idea. From the readings we have seen so far, thankfully, courts have refused to go that far. But as Kristen pointed out, this highlights one of the major themes of the class: the law is going to always struggle to keep up with technology. I think the best answer that can be given to this problem is that judges need to have a good understanding of the technology and use common sense to shape the legislation.

  6. I agree with the other commenters that the broad reading of “in excess of authorization” should be restricted. A number of members of Congress and the public do as well. The recent Cybersecurity Bill (which has basically been tabled for now) proposed to add enhanced penalties for hacking and at the same time amend the CFAA’s loose language in defining authorization. Unfortunately, the DOJ opposes those changes: it supports both the harsher penalties and wants to keep the broad language so that it can define whom to pursue with the CFAA. It seems that anytime law enforcement has a useful tool which provides wide-ranging prosecutorial powers, it is reluctant to give it up. (https://www.cdt.org/blogs/greg-nojeim/3007why-fibbing-about-your-age-relevant-cybersecurity-bill)

  7. I agree with the previous comments here. The government does seem reluctant to give up the broad language of the CFAA. Understandably, this could mean that the judiciary will be responsible for the interpretation. However, as we discussed this week in class, most judges (and older generations in general) do not understand technology and it is frightening that they are ruling on these types of cases when they do not even understand how the technology works. Adding to this scary situation is the fact that the government is proposing enhanced penalties for hacking.

    Although the consequences of this combination cannot be fully predicted, especially since no changes to the CFAA have been solidified yet, it is still an important concern. Not only is this problem present with the CFAA, but it also exists when any law involves new technology or the internet. How will the government (and judges/legislators) ever be able to keep up with technology’s constant evolution?

  8. Not wanting to join the bandwagon, but having trouble finding a way to be contrary, I agree with the majority that the statute was overly broad as written. There seems like there must be existing agency or business law doctrines of duty of care or loyalty that should be sufficient to hold the defendant liable for damages. Furthermore, do we really need to be drafting legislation that increases pressures on our prison system for issues that are civil in nature?
