A petition for rehearing was recently filed in United States v. Nosal, the Ninth Circuit decision holding that an employee who violates his employer’s computer use policy is guilty of “exceeding authorized access” to the employer’s computer. I have posted a copy here. I hope the Ninth Circuit grants rehearing, as I think the Nosal case is both wrong on the law and deeply troubling for civil liberties in the Internet age.
Overstatement? I don’t think so. It seems to me that if the federal government can arrest you and throw you in jail for violating a computer use policy — any computer use policy — then the government can arrest pretty much anyone who uses a computer. Most people who use computers routinely violate computer use policies: While we understand that such policies may have force from the standpoint of breach of contract, no one thinks that breaching a computer use policy is the same as hacking into the computer. The Nosal case would change that. Under its reasoning, breaching a written policy is treated the same way as hacking. And as computers become more and more ubiquitous, the power to arrest anyone who routinely uses a computer is the power to arrest anyone.
It’s true that the Nosal appeal happens to involve a prosecution under 18 U.S.C. 1030(a)(4), which requires more than just unauthorized access to a computer. But as the petition for rehearing notes, the unauthorized access “trigger” is common to several crimes in Section 1030(a), and other sections of 1030(a) don’t require much if anything beyond unauthorized access. The most obvious concern is 1030(a)(2), which makes it a crime to have any unauthorized access to anything on the planet with a microchip so long as some information is either seen or collected. For now it’s usually just a misdemeanor crime, so each breach of a policy would only mean you spend up to a year of your life in federal prison, but note that (1) Congress may make that crime a felony soon and (2) even the misdemeanors can be sentenced conseccutively (remember that DOJ wanted Lori Drew to be sentenced to a three year prison term for her three misdemeanor convictions of violating three MySpace terms of service).
You might think that as long as you avoid the Ninth Circuit, you’re probably okay. But that won’t help much: Lots of Internet communications go through the Ninth Circuit, meaning that the Ninth Circuit has venue over much of the rest of the country to prosecute computer use policy breaches elsewhere. Again, remember the Lori Drew case. Everything in the case happened in Missouri, and the Missouri state and federal authorities declined to prosecute because they thought no crime was committed, but the case was charged in Los Angeles because that’s where MySpace’s servers (and some extremely aggressive prosecutors) were located. It probably won’t help to move to Canada, either: Section 1030 covers all computers in the world that can be reached under the Constitution, even computers outside the United States, so the computer use policy breach doesn’t even need to be in the US for the feds to prosecute.
Given the stakes, I hope the Ninth Circuit will grant rehearing, revisit the panel decision, and come out the other way. Stay tuned.
rintintin says:
i think more people would be excited about this if federal laws like “wire fraud” did not already essentially give the government power to imprison anyone at any time anyway.
June 14, 2011, 2:35 amOrin Kerr says:
rintintin,
The wire fraud statute is very broad, but even it has important limitations: It requires a scheme to obtain money or property across state lines. The CFAA doesn’t have any such limitations.
June 14, 2011, 2:39 amDavid Schwartz says:
I think there are serious, serious due process problems when the government criminalizes breaching a contract in the absence of intent to defraud. There is no requirement that contracts provide clear notice and contracts do not result from a legislative process involving elected officials. The criminal law should result from that kind of process, not private decisions made for purely private benefit.
CFAA is not the only context where this comes up. Another case is intellectual property cases where courts will sometimes treat breaching the terms of an agreement as a breach of copyright.
June 14, 2011, 3:16 amOrin Kerr says:
David,
As for your 1st para, here’s my article on that point agreeing with you.
As to your second, note that in the IP setting, criminal copyright requires originality, absence of fair use, and the mens rea of willfulness. The CFAA has no such requirements.
June 14, 2011, 3:28 amCloudesley Shovell says:
Perhaps volokh.com ought to change its terms of use to prohibit, say, any access from a DoJ server or a 9th Circuit Court server. Brings the argument into sharp focus.
June 14, 2011, 6:32 amAnother Thought says:
Perhaps if the employer’s computer use policy required the employee-user to eat broccoli while using the computer, then the CFAA would be constitutional (pursuant to Congress’s power under the commerce + necessary and proper power clauses)?
June 14, 2011, 7:34 amDavid Schwartz says:
Perhaps I’m misunderstanding precisely what you mean by “willfulness”, but it seems to me that the CFAA does require willfulness. All crimes defined there say “knowingly” or “intentionally”.
Also, I’m not just talking about criminal copyright infringement. Even in the civil context, copyright infringement has special properties such as statutory damages, the presumption of irreparable harm, and so on. I have no problem with these provisions when there is no reasonable argument that the crux of the offense is violating a license as opposed to violating copyright law. Statutes set out copyright law. Licenses are contracts.
I do agree with your other points. I still think the issue is the same, but it is much more serious with the CFAA than in any other context I know of, for the reasons you mentioned both in this post and in your reply to me.
June 14, 2011, 9:01 amSk says:
Wow-
I too find this incredible. I’d love to see your constitutional arguments as to why the Courts should overturn it. Merely thinking it is a bad law (which I agree with) shouldn’t be enough for a judge to overturn it (though the realist in me knows that it is).
Sk
June 14, 2011, 9:44 amAlan Gunn says:
It’s a federal crime (CPSIA) to fold a sheet of paper into the shape of an airplane and give it to somebody, so why not criminalize using computers as well? If Congress were to just make breathing a crime, we could save a lot on lawyers’ fees. Surely prosecutors would use this law only against bad people.
June 14, 2011, 10:30 amYo Gabba Gabba says:
I wonder how many times per day people break the law by reading, or commenting, here.
June 14, 2011, 11:17 amOrin Kerr says:
Cloudesley,
I’ve thought of that. See, for example, here. Maybe it’s time for another round.
June 14, 2011, 11:47 amOrin Kerr says:
David,
Yes, you are misunderstanding what willfully means in the criminal copyright context. It’s a term of art which means with awareness that the act violates the law.
June 14, 2011, 11:51 amTMLutas says:
The IT industry is rife with policies that are written down and not followed. In fact, it’s pretty common for high officials to break IT policies to order mailbox break-ins and other violations of normal security policy in the case of firings or suspected wrongdoing. This ruling would make normal industry practice very dangerous to continue and would be a huge blow to the economy. If the judicial branch persists with this, this needs to be knocked down by the political branches. It’s horrible public policy.
June 14, 2011, 12:03 pmDavid Schwartz says:
Sk: The constitutional argument is vagueness / due process because the law doesn’t tell you what it prohibits. You can read the law as many times as you want, and it still won’t tell you what’s illegal if the terms of use prohibit using the computer to “do bad stuff”. Saying you have fair notice because the law will only be enforced in the case of rules that are clearly specified doesn’t help because you have no prior notice of whether a rule is considered clearly specified or not.
There is no problem if the law itself clearly defines what it prohibits, which in fact the CFAA does, at 1030(e)(6) — accessing or altering information when you are not authorized to access or alter that information. For some strange reason though, courts seem to ignore the text and instead find CFAA liability based on things that have nothing to do with accessing or altering information. (For example, doing things based on information one has accessed with authorization.)
June 14, 2011, 12:15 pmOrin Kerr says:
Another thought:
No one doubts that the CFAA is within Congress’s commerce clause power. Further, it seems that no one in Congress is really all that concerned with federalism issues when it comes to the CFAA: To the contrary, Congress seems to think the more the federal government, the better.
June 14, 2011, 1:10 pmHoward Wise says:
Professor Kerr:
June 14, 2011, 1:15 pmState prosecutors,initially,and then judges and juries are asked 100s of times a day to detremine whether an act is done “knowingly and with intent to defraud” in all sorts of theft contexts. I see no need (constitutional or otherwise) for employees to have a blanket of immunity from prosecution under this statute or similar state statutes (e.g. CA PC 502(h)(1)] b/c it was meant for “hackers”. An attack from within can be more devestating to a victim then one made by an external 12 yo ankle biter hacker. The fact patterns that get shielded by the Chisman case in CA would make an ordinary person’s head spin.
Orin Kerr says:
Howard Wise,
I hereby announce a new Terms of Use policy at the Volokh Conspiracy: In your comments here, you are not allowed to use the letter “e”.
Under your own logic, any time you use the letter “e” in a comment here, it is an criminal “attack” against the blog that “can be devastating.” I have your IP address and I will not hesitate to refer to you state and federal authorities in light of your disturbing pattern of criminal activity.
Remember, Howard, no letter “e”. Seriously: Don’t attack me.
June 14, 2011, 1:45 pmOrin Kerr says:
(Just to be clear, this policy only applies to Howard Wise. Everyone else can continue to use the letter “e.”)
June 14, 2011, 1:46 pmAnon321 says:
Howard, I’d recommend getting a copy of A Void for guidance on how to avoid committing federal crimes.
June 14, 2011, 2:20 pmD.O. says:
Thank you. but i pr.f.r to b. saf..
June 14, 2011, 2:33 pmNorthern Dave says:
Could this be extended to breach of EULA’s?
June 14, 2011, 2:46 pmOrin Kerr says:
D.O.,
Not only are you permitted to use “e,” but you are herby required to use it in every word.
June 14, 2011, 2:58 pmSk says:
“Sk: The constitutional argument is vagueness / due process because the law doesn’t tell you what it prohibits. You can read the law as many times as you want, and it still won’t tell you what’s illegal if the terms of use prohibit using the computer to “do bad stuff”. Saying you have fair notice because the law will only be enforced in the case of rules that are clearly specified doesn’t help because you have no prior notice of whether a rule is considered clearly specified or not.”
Really? Nothing in the original post suggests the law is vague: rather, it suggests that the law is pretty clear, albeit all-encompassing.
sk
June 14, 2011, 3:17 pmKatahdin says:
Dide youe juste violate youre owne policye?
I dunno if this is on point, but in case it’s related:
“Cisco Systems (CSCO) orchestrated the arrest of Multiven founder Peter Alfred-Adekeye last year in order to force a settlement of Multiven’s antitrust lawsuit against Cisco, a Multiven executive said on Wednesday.
Multiven, an independent provider of service and support for networking gear, sued Cisco in 2008, alleging that the company monopolized the market for its software. Cisco countersued, charging that Alfred-Adekeye hacked into Cisco’s computers and stole copyrighted software.
In May 2010, Alfred-Adekeye was arrested [at a deposition with Cisco! - ed] in Vancouver, Canada, on 97 counts of intentionally accessing a protected computer system without authorization for the purposes of commercial advantage, according to his arrest warrant. He could be sentenced to 10 years in prison and a US$250,000 fine if convicted.”
June 14, 2011, 3:21 pmSuperSkeptic says:
I confess; I’m super skeptic, but not super-nice. Send me to jail.
June 14, 2011, 3:22 pmSteve says:
I don’t think I buy this. You have no prior notice of whether a given statute will be declared void for vagueness, either.
June 14, 2011, 3:26 pmEugene Volokh says:
It’s actually possible to write even a 50,000-word book without the letter “e.” But difficult.
[UPDATE: I see Anon321 beat me to it, but Gadsby came before A Void.]
June 14, 2011, 4:17 pmDavid Schwartz says:
Right, but that’s a government power wielded by the legislature after a deliberative process. Our first round of defense against vague laws is that legislatures won’t pass them. And our second round of defense is that the laws are published and we can launch facial challenges against them. If all else fails, we can use the political process. We have no such protections against private rules. The problem is that Congress didn’t tell us what it was prohibiting but left that to private entities.
June 14, 2011, 9:27 pm