The Computer Fraud and Abuse Act (CFAA) criminalizes forms of “hacking” other than actually breaking into a computer system — United States v. Nosal, 2013 WL 978226 (N.D. Cal. Mar. 12, 2013)
Nosal is back. This is the case that spawned the Ninth Circuit’s en banc decision narrowing the reach of the CFAA to hacking activity. After that decision, the case returned to the trial court, which recently ruled against the defendant (David Nosal) on the CFAA charges, rejecting each of his arguments for reading the statute more narrowly still. But before analyzing the decision, let’s take a brief look at the background.
Nosal is a former employee of Korn/Ferry, an executive search and recruiting firm. After leaving Korn/Ferry, Nosal obtained access to Korn/Ferry’s confidential and proprietary data with help from others. In some instances, Nosal got Korn/Ferry employees to give their passwords to outsiders to enable them to access the firm’s computer systems. In another instance, a Korn/Ferry employee logged onto the firm’s computer system using her password and then allowed a non-employee to use the system. Nosal used the stolen data to start his own executive search business. Nosal and his co-conspirators were indicted for violating the CFAA by exceeding authorized access to Korn/Ferry’s computers “knowingly and with intent to defraud.”
An en banc panel of the Ninth Circuit held that the CFAA’s prohibition on accessing computers “without authorization” or “exceeding authorized access” is limited to violations of restrictions on access to information, not restrictions on its use. The Ninth Circuit reasoned that the CFAA primarily targets hacking rather than misappropriation of information. The Ninth Circuit returned the case to the trial court to determine if Nosal violated the CFAA under its interpretation of the statute.
Nosal tried to persuade the trial court to push the Ninth Circuit’s rationale one step further. Nosal argued that, since the CFAA is an anti-hacking statute, it is violated only when someone circumvents a technological barrier to access a computer. Under this narrow interpretation, not every form of unauthorized access to a computer necessarily violates the CFAA. The trial court disagreed with Nosal’s interpretation because the Ninth Circuit did not make CFAA liability turn on the manner in which access is restricted. Moreover, password protection is itself a form of technological access barrier, and Nosal and his co-conspirators clearly bypassed password restrictions.
Nosal next argued that his co-conspirators did not act “without authorization” because they used a valid password issued to a Korn/Ferry employee. The court wasn’t enamored with this argument either. Whether an act is authorized must be viewed from the perspective of the employer who maintains the computer system, and an employer plainly would not authorize an employee to let another person use his or her password. Nosal attempted to analogize consensual use of an employee’s computer password to consensual use of an employee’s key to gain physical access to a building, a situation that Nosal argued would not violate trespass law. The court rejected this argument as well.
Finally, Nosal argued that the Korn/Ferry employee who engaged in “shoulder surfing” (i.e., logging into the firm’s computer system and then letting another person use the system) did not engage in unauthorized “access.” The court found no difference between an employee who gives her password to an outsider and an employee who logs into the firm’s computer system with her password and then lets an outsider use the system. Both situations qualify as “access” under the CFAA.
LegalTXT Lesson: The CFAA targets hacking instead of misappropriation (so the Ninth Circuit says), but hacking can take various forms. According to the latest Nosal decision, the CFAA criminalizes at least these forms: (a) breaking into a computer system; (b) letting an outsider use your password to access a system; (c) logging into a system with your password and then letting an outsider use the system.
A New York federal judge rules that misuse of computer information gained through legal access does not violate the CFAA – Advanced Aerofoil Techs., AG v. Todaro, 2013 WL 410873 (S.D.N.Y. Jan. 30, 2013)
Judge Carter of the Southern District of New York joined a growing number of federal courts adopting a narrow interpretation of the Computer Fraud and Abuse Act (CFAA) that precludes liability for misappropriation under the Act. Several high-level personnel in the plaintiff companies (AAT) defected to a competing company, apparently taking with them AAT’s confidential and proprietary technology. AAT sued the ex-employees for, among other things, alleged violations of the CFAA.
An obstacle that AAT faced in pressing the CFAA claim was the fact that the ex-employees had “unfettered and unlimited access” to the information they took with them. Liability under the CFAA requires that the defendant have “access[ed] a computer without authorization.” Courts across the country are split on whether the CFAA is violated where a person legally accesses a computer but misuses the information obtained through that access, which is what the former AAT employees allegedly did.
After noting that the Second Circuit has not decided the issue, and surveying decisions on both sides of it, including those written by his colleagues in the same district, Judge Carter answered the question in the negative: a CFAA violation occurs when one accesses a computer without permission, not when one misuses information obtained with permission. Judge Carter gave three reasons for his conclusion. First, the ordinary meaning of “without authorization” is the absence of permission. Second, the legislative history of the CFAA indicates that the Act is directed primarily at access instead of misuse. Third, because a CFAA violation can carry criminal liability, the statute should be read narrowly and ambiguities resolved in favor of the defendant (the rule of lenity). Because AAT had not revoked the defendants’ unlimited access to its system when they siphoned off the confidential and proprietary information, the court dismissed the CFAA claim.
LegalTXTS Note: I’ve blogged on this issue quite a bit. That indicates increased use of the CFAA in data misappropriation cases, or the uneasiness courts have in stretching the CFAA beyond its origin as an anti-hacking statute, or both. Here are my previous posts on similar cases.
Court Carves Back Oracle’s Computer Fraud and Abuse Act Claim Against Gray Market Reseller
CFAA: Recent Cases
One Is Not Like the Other: Access vs. Use Restrictions Under the CFAA
Don’t Just Because You Can
It’s time for a roundup of recent Stored Communications Act (SCA) decisions. The issues addressed in these decisions include: (1) is a company network a “facility” subject to the prohibitions of the SCA; (2) what is “electronic storage”; (3) can there be secondary liability for violating the SCA; and (4) how broadly is “authorization” under the SCA defined.
Is a company network a “facility”?
Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012)
A terminated employee remotely accessed her ex-employer’s company computers to transmit spyware and monitor network communications. The company sued the ex-employee under the Computer Fraud and Abuse Act (CFAA) and SCA. (I discussed the CFAA claim in this case in an earlier post.) The SCA makes it an offense to intentionally access without authorization (or exceed one’s authorization to access) a “facility through which an electronic communication service is provided” and thereby obtain, alter, or prevent authorized access to a wire or electronic communication “while it is in electronic storage in such system.”
The company alleged that its computers are “facilities” because they enable the use of electronic communication services. The court rejected that interpretation of “facilities.” Information that an individual stores on his or her hard drive, such as images, personal information, and emails that he or she has downloaded, is not in “electronic storage” as defined by the SCA. The “facilities” the SCA is designed to protect are not computers that enable the use of an electronic communication service, but facilities operated by electronic communication service providers and used to hold communications in electronic storage. The court dismissed the SCA claim.
(LegalTXT Note: This decision conflicts with a number of other federal district court decisions that have held that private servers are within the scope of the SCA.)
What is “electronic storage”?
Jennings v. Jennings, 2012 WL 4808545 (S.C. Oct. 10, 2012)
Gail Jennings initiated a divorce proceeding after discovering that her husband (Lee Jennings) was having an affair. Gail’s daughter-in-law (Broome) decided to help Gail by hacking into Lee’s Yahoo! email account to retrieve messages between him and his mistress. In the lawsuit that followed, the trial court granted summary judgment for the defendants on all claims, including those brought under the SCA. The court of appeals affirmed except as to the SCA claim against Broome. The court of appeals found that the emails at issue were in “electronic storage” as defined in 18 U.S.C. § 2510(17), and therefore within the SCA’s prohibition against unauthorized access to an electronic communication while it is in “electronic storage.”
The South Carolina Supreme Court disagreed that the emails in question were in “electronic storage.” Part of the SCA’s definition of “electronic storage” involves storage of an electronic communication “by an electronic communication service for the purposes of backup protection of such communication.” The emails in Lee’s account were left on the Yahoo! server after they were opened. Keeping an email after opening it does not amount to storing it for “backup protection,” the court ruled.
Can there be secondary liability for violating the SCA?
Can a person have secondary liability for violating the SCA, such as by “aiding and abetting” a violation? A Florida court suggests that the answer is yes, but the federal district court for the District of Columbia says no.
Vista Marketing, LLC v. Burkett, 2012 WL 3860435 (M.D. Fla. Sept. 5, 2012)
Plaintiff’s wife (Burkett) accessed the webmail account of Plaintiff’s company (Vista) to read Plaintiff’s emails so as to gain a strategic advantage in their divorce proceeding. She did not have authorization to access the Vista email account. Vista alleged that Burkett told her divorce attorney (Park) what she had done, and that Park encouraged Burkett to continue accessing Vista’s webmail account and advised her to compile and print many of the communications for use in the divorce proceeding. Vista sued Park under Florida common law for conspiracy to violate the SCA. Park moved to dismiss, but the court denied the motion, holding that Vista adequately alleged facts supporting the conspiracy claim.
Council on American-Islamic Relations Action Network, Inc. v. Gaubatz, 2012 WL 4054141 (D.D.C. Sept. 17, 2012)
Chris Gaubatz obtained an internship with a national Muslim advocacy organization (CAIR-AN) under false pretenses to infiltrate the organization and collect information that would cast the organization in a negative light. Chris is the son of David Gaubatz, an investigator hired by the Center for Security Policy, Inc. (CSP) and the Society of Americans for National Existence (SANE) as an independent contractor to collect “field data” about CAIR-AN. Chris was able to collect thousands of documents, which he turned over to David. David disclosed the stolen information on his blog and in a book he co-authored. CAIR-AN sued Chris and David, CSP and its employees, and SANE and its employees. One of the claims in the lawsuit alleged that the Defendants “conspired with” or “aided and abetted” Chris in violating the SCA.
The court concluded that the text of the SCA did not support a theory of secondary liability. According to the court, the SCA’s “plain language shows that Congress had one category of offenders in mind—i.e., those who directly access, or exceed their authority to access, a facility through which an electronic communication service is provided.”
(LegalTXT Note: Although Vista Marketing discussed the SCA, the claim at issue there was based on Florida’s common law of conspiracy rather than the SCA itself. In contrast, Gaubatz squarely involved an SCA claim.)
What’s the scope of “authorization”?
Is after-the-fact authorization effective?
Shefts v. Petrakis, 2012 WL 4049509 (C.D. Ill. Sept. 13, 2012)
There is an exception to the SCA’s prohibitions for conduct authorized by the entity providing the electronic communication service that was accessed. But what if the authorization was provided after there has already been access? Is authorization effective if it is given after the fact?
The answer is yes, according to the court in Shefts. (Some of the facts relevant to the case are supplied by an earlier published decision, Shefts v. Petrakis, 758 F. Supp. 2d 620 (C.D. Ill. 2010).) Access2Go, Inc., a telecommunications company, initiated a program to monitor the email and texting activity of its president (Shefts) after learning of concerns that he was sexually harassing Access2Go employees and violating his fiduciary duties. As part of the monitoring program, a shareholder and member of the Access2Go board of directors (Petrakis) accessed Shefts’ company email account. The board appointed Petrakis as its liaison for security. Petrakis collected emails allegedly showing Shefts engaged in sexually harassing behavior and other improper acts. Based on this and other evidence, the board suspended Shefts and recommended his termination.
When Shefts sued the board members under the SCA, the board members countered that the company had authorized access to his email account. Since Shefts’ company email account was maintained by and resided on Access2Go’s servers, Access2Go could legitimately authorize access to the account. The question is, when did Access2Go give the authorization? The board never voted to allow an employee to access another employee’s computer. However, the board members were aware that Petrakis had accessed Shefts’ company email account, and they relied on the emails that Petrakis collected in suspending Shefts and recommending his termination. Based on these facts, the court concluded that the board had “ratified” Petrakis’ actions, and such ratification qualified as “authorization” under the SCA.
You’re in, now what?
Cheng v. Romo, 2012 WL 6021369 (D. Mass Nov. 28, 2012)
Just because the owner of an email account gives you permission to access his account doesn’t mean you are “authorized” to read every email in there. In Cheng, the plaintiff (Cheng) and the defendant (Romo) and her husband worked for a medical imaging company. Cheng maintained a Yahoo! email account while working at the company, the password for which he shared with Romo. Although Cheng never qualified Romo’s access to his email account in any way, never stated a time limit on his grant of access to Romo, and never changed his password during the relevant time, his purpose in sharing his email account was to enable Romo to review radiologic images for their work. Romo testified that she would check Cheng’s email account to read consultant reports that radiologists emailed to Cheng. Initially, Romo did not look at any personal items in Cheng’s email account. But after Romo and her husband’s relationship with Cheng and others at the company deteriorated—leading ultimately to their separation from the company—Romo accessed Cheng’s account to find out about the state of the company. Romo shared with her husband the emails she printed from Cheng’s account. Cheng sued Romo for violations of the SCA and invasion of privacy under Massachusetts law.
The court denied Romo’s motion for summary judgment as to both claims. Regarding the SCA claim, the court found genuine issues of material fact as to whether Romo had authorization to access Cheng’s email account. The fact that Cheng had given Romo his password years earlier was not determinative, given the context in which the password was given and the later use that Romo made of it. It was up to the factfinder to look at the circumstances in which the password was given and to determine whether Romo was authorized, or exceeded her authorization, to access Cheng’s email account, the court said.
As for the privacy claim, the court held that it was cognizable, but there were genuine issues of material fact concerning whether Cheng had a reasonable expectation of privacy in his email messages and whether Romo’s actions interfered with Cheng’s privacy.
(LegalTXT Note: The court in Cheng noted that the term “authorization” in the SCA could carry a meaning analogous to the same term in the CFAA. The court summarized the different approaches courts take in defining the term in the CFAA context, including those finding “authorization” wherever no technical barrier to access was breached, and those finding no “authorization” where permission to access was granted but the information collected through that access was misused (see my post on Wentworth-Douglass Hosp. v. Young & Novis Prof’l Ass’n, 2012 WL 2522963 (D.N.H. June 29, 2012), a case the Cheng court cites). Ultimately, the court did not indicate which approach it adopts, although its summary judgment ruling suggests that it considers the purpose behind the grant of access, and not the mere grant of permission itself, relevant to determining whether authorization existed.)
California federal court finds no CFAA violation for disseminating software updates obtained from subscription to software support service, and requires fraud-based CFAA claims to be pled with particularity — Oracle America, Inc. v. Service Key, LLC, 2012 WL 6019580 (N.D. Cal. Dec. 3, 2012).
DLT was a member of the Oracle Partner Network (OPN), a program for third-party companies interested in reselling Oracle hardware and software. To facilitate their role as resellers, OPN members receive login credentials for Oracle’s support websites. Oracle alleged that DLT fraudulently used its access to obtain Oracle’s proprietary software patches and updates, which DLT then provided to its own customers. Oracle further alleged that DLT gave its access credentials for Oracle’s websites to “unwitting third parties” (apparently including the Navy and FDA) who were unaware that DLT lacked authorization to do so. Oracle sued DLT under numerous theories, including violations of the CFAA.
Certain CFAA claims alleged that DLT “exceed[ed] authorized access” in obtaining information from Oracle’s support systems. The court agreed with DLT that dismissal of such claims was required under United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc). In Nosal, an en banc panel of the Ninth Circuit ruled that misuse or misappropriation of information to which one has authorized access does not violate CFAA provisions based on access to a computer “without authorization or exceeding authorized access.” Oracle’s complaint alleged that DLT used its access credentials for an unauthorized purpose (although Oracle apparently tried to distinguish Nosal by re-characterizing the complaint in subsequent briefing as alleging that DLT accessed Oracle’s websites without authorization). That’s precisely the kind of conduct that Nosal said was not actionable under the CFAA, the court ruled. However, DLT could still be liable under the CFAA’s password-trafficking provision, 18 U.S.C. § 1030(a)(6), for passing along its credentials to Oracle’s support sites, because such a claim does not depend on unauthorized access to a protected computer.
Oracle also ran into trouble with the requirement in Rule 9(b) of the Federal Rules of Civil Procedure that claims alleging fraud or mistake be pled with particularity. One of Oracle’s CFAA claims alleged that DLT “knowingly and with intent to defraud . . . exceed[ed] authorized access, and by means of such conduct further[ed] the intended fraud . . . .” 18 U.S.C. § 1030(a)(4). The court concluded that the claim was “grounded” or “sounded” in fraud and thus subject to Rule 9(b). Oracle did not detail the alleged fraud with enough particularity to meet the Rule 9(b) pleading requirement.
The one bright spot for Oracle in the decision was the court’s rebuff of DLT’s argument that Oracle did not properly allege damages. Oracle alleged that it incurred costs as a result of investigating and conducting a damage assessment in response to DLT’s actions, and the court found that enough to satisfy the damage requirement. The court also rejected a similar argument that Oracle did not sustain damages in excess of $5,000. That argument referred to the fraud-based CFAA violation, an element of which is that the fraud resulted in the defendant obtaining “anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]” 18 U.S.C. § 1030(a)(4) (emphasis added). The $5,000 threshold is not meant to be a measure of damages, the court held. Rather, the threshold refers to the value of the computer use relevant in determining whether a CFAA violation exists. In any event, the court said, Oracle did allege that DLT obtained something of value, i.e., its software.
LegalTXTS Lesson: If you’re in the Ninth Circuit, recovery under the CFAA for illicit use or dissemination of proprietary computer information is a challenge. Liability for hacking into a computer system is well-established, see Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), and so is giving away passwords to protected sites as the Oracle decision teaches. Asking permission to access your work computer “one last time” to delete personal files before switching jobs and then downloading a bunch of proprietary data also will get you in trouble (see Weingand v. Harland Financial Solutions, 2012 WL 2327660 (N.D. Cal. June 19, 2012), and my post on it here).
When it comes to misuse or misappropriation of information that was obtained with authorized access, however, Nosal makes it pretty clear that’s not a violation of the CFAA. The Oracle decision follows that rule. Other circuits, like the Third Circuit, go the opposite direction—hence decisions like Synthes, Inc v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), which held that it is a violation of the CFAA to induce employees of a competing company who have authorized access to the company’s computer system to download proprietary information and give it to you (see my post on it here).
A round-up of recent developments in litigation under the Computer Fraud and Abuse Act (CFAA) is in order. In the last three months, a series of cases have provided answers to important questions about the requirements for bringing a CFAA claim. The recent cases address three general questions:
1. What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?
2. What computers are subject to the protections of the CFAA?
3. What “losses” count toward the standing requirement to bring a civil claim under the CFAA?
What kinds of activity are considered “unauthorized access” or “access exceeding authorization”?
The CFAA prohibits various activities involving the access of a computer “without authorization” or “exceeding authorized access.” Whether the defendant’s actions constitute wrongful access is frequently litigated in CFAA cases. The recent cases are no exception. The cases considered three different factual situations and found that two of them satisfied the wrongful access requirements.
Downloading Information From a Publicly Accessible Website
Downloading information from a website that any member of the public could reach via a hyperlink posted on another site does not constitute access “without authorization,” according to CollegeSource, Inc. v. AcademyOne, 2012 WL 5269213 (E.D. Pa. Oct. 25, 2012). The case involved two competing businesses that offered online access to college catalogs. One of the plaintiff’s (CollegeSource) services was CataLink, which provides subscribing schools with a link to CollegeSource’s digital archive of the school’s course catalogs. The link could be inserted into the school’s homepage. A person browsing the school’s homepage who clicked on the link would be sent to CollegeSource’s website without being told that he or she was leaving the school’s web domain. Unlike CollegeSource’s other offerings, CataLink is not a subscription-based service.
The defendant (AcademyOne) maintained an online course description database. To populate its database, AcademyOne hired a company to collect college catalogs available on the Internet. AcademyOne’s contractor obtained over 700 catalogs through CataLink.
Enlisting the Aid of a Person With Authorized Access to Obtain Restricted Information
Asking others to get you information that you’re not entitled to have will get you in trouble. In Synthes, Inc v. Emerge Medical, Inc., 2012 WL 4205476 (E.D. Pa. Sept. 19, 2012), former employees of a medical devices company who formed a competing business obtained the company’s proprietary information from current employees of the company. Inducing those with authorization to access a computer to retrieve and give information to a person who is not entitled to access such information constitutes access of a computer “without authorization,” the court held.
Hacking Into an Employee’s Email Account
This seems fairly obvious, but hacking into an employee’s email account could constitute a violation of the CFAA. The litigants in Mintz v. Mark Bartelstein & Associates, Inc., 2012 WL 5391779 (C.D. Cal. Nov. 1, 2012), didn’t even bother to fight over whether the defendant-employer violated the CFAA by ordering an employee to hack into the plaintiff’s Gmail account. The wrongfulness of the act was undisputed. The parties instead dueled over whether the plaintiff sustained “loss” as a result of the unauthorized access (see below).
What constitutes a “protected computer”?
Various prohibitions in the CFAA are tied to the accessing of a “protected computer,” which the statute defines in two ways. A “protected computer” can be a computer used exclusively by a financial institution or the U.S. government or, if not used exclusively by one of them, a computer used by or for such an institution where the conduct constituting the violation affects that use. A “protected computer” can also be a computer “which is used in or affecting interstate or foreign commerce or communication ….” 18 U.S.C. § 1030(e)(2).
In Freedom Banc Mortgage Services, Inc. v. O’Harra, 2012 WL 3862209 (S.D. Ohio Sept. 5, 2012), the court held that a computer with a connection to the Internet is enough to satisfy the definition of a “protected computer” because of its use in or effect on interstate commerce. If a computer is connected to the Internet (and an allegation that the computer is used for email communications sufficiently establishes that fact), no additional link to interstate commerce needs to be shown.
What “losses” count toward meeting the standing requirement?
A claimant must have suffered “damage or loss by reason of a violation of” the CFAA to maintain a civil action under the CFAA. 18 U.S.C. § 1030(g). One way to meet this standing requirement is to establish loss during any 1-year period aggregating at least $5,000. § 1030(c)(4)(A)(i)(I). What costs qualify toward the threshold amount, and how they can be aggregated to meet the threshold, is a common issue.
The court in CollegeSource held that the costs to conduct an internal investigation, hire a computer expert, and implement subsequent security measures in response to an incident of unauthorized access count as qualifying “losses.” To that list, Synthes added expenses to conduct damage assessments; identify and trace the information that was misappropriated; and restore data, programs, systems, and information to the condition they were in before the defendant engaged in the CFAA violation. Legal expenses, however, are not “losses” unless necessary to remedy the harm caused by the violation. So in Mintz, attorneys’ fees incurred by the plaintiff to issue subpoenas to confirm the identity of the person who hacked into his email account were not “losses” because the plaintiff already knew who the hacker was before the subpoenas issued. The Mintz court contrasted another case (SuccessFactors, Inc. v. Softscape, Inc., 544 F. Supp. 2d 975 (N.D. Cal. 2008)) in which the victim of a hacked email account had to hire attorneys to identify the recipients of the confidential information that the hacker had obtained and distributed. The attorneys’ fees in that case were “losses” because the plaintiff needed to know whom it had to contact to mitigate the damage caused by the hacker.
As to whether losses can be aggregated, the Freedom Banc court held that qualifying “losses” need not flow from a single wrongful act. Losses stemming from multiple CFAA violations can be added together to meet the $5,000 threshold.