I have blogged a great deal about the Lori Drew case, in which the government is arguing that mere breach of Terms of Service violates the Computer Fraud and Abuse Act, 18 U.S.C. 1030, which prohibits accessing a computer “without authorization.” It turns out that there’s another case in which the government is testing a similarly broad theory of the CFAA, if not an even broader one. The case is United States v. Nosal, No. CR 08-0237 MHP, a case in the Northern District of California presently before Judge Marilyn Hall Patel.
The facts of Nosal are pretty close to those of the most common fact pattern found in the civil caselaw of Section 1030, raised for the first time in a criminal case. The basic fact pattern is this: Employee at Company A decides that he is going to leave Company A and join competitor Company B, and he accesses the computers of Company A before he leaves. During that access, he looks through the files stored on Company A’s servers for information he might be able to use at Company B. After the employee leaves, Company A then sues the employee and Company B on the theory that by using Company A’s computers with a subjective intent to help Company B, the employee was accessing Company A’s computer “without authorization.” That is, by acting contrary to the interests of Company A, the employee was implicitly no longer authorized to access the computers of Company A.
Courts are sharply divided on this theory in the civil context. Almost all the caselaw is district court caselaw, so there isn’t a circuit split yet. But there have been about 20 district court decisions on this, about 10 of which were handed down in the last year alone, and the cases are divided almost 50/50 (or should I say 10/10?) between decisions accepting the theory and decisions rejecting it. Also, there is a clear trend in the caselaw: The earlier decisions generally accepted this theory, and the more recent cases tend to reject it. The one federal appeals court opinion to address the issue agreed with this theory, International Airport Centers v. Citrin, in a rather breezy opinion by Judge Posner in 2006 (I blogged about it at my solo blog here). As far as I know, however, this theory has not been tried in such a case in the criminal context.
At least until the Nosal case, that is. I have posted some of the filings in the Nosal case here:
1) Initial indictment (later superseded, but it gives you the basic idea of the government’s theory of the case),
2) Motion to dismiss indictment for failure to state an offense,
3) Government opposition to motion to dismiss, and
4) Reply.
There’s a lot going on in the Nosal case beyond the broad theory of the CFAA, I should emphasize. The matter has also been charged as mail fraud and a theft of trade secrets, for example, and the government claims that there are facts to prove unauthorized access beyond the Citrin theory that an employee who uses an employer’s computer with a bad motive is a criminal. Still, it appears that the government is indeed relying on that theory in several counts of the Nosal case, I believe for the first time in any criminal setting outside the Lori Drew case.
In my view, the government’s broad theory of the CFAA should be rejected in the Nosal case for the same reasons that the government’s similar theory of the CFAA should be rejected in the Lori Drew case. Perhaps the conduct alleged in the Nosal indictment amounts to a theft of trade secrets, or mail fraud, or interstate transportation of stolen property, or some other criminal offense. But accessing a computer in a way contrary to the interests of its owners does not make that access criminal. The early civil cases adopting a very broad construction of the statute were simply incorrect, in my view. The early courts didn’t understand that they were interpreting a criminal statute; they didn’t understand that the interpretation of the CFAA should follow the fraud in the factum/fraud in the inducement distinction; and they didn’t apply the rule of lenity or consider how such interpretations would raise obvious overbreadth problems in the criminal setting. To the extent the government is relying on the Citrin agency theory of the CFAA, I hope the court will reject that effort and force the government to stick to the narrower reading of the CFAA that Congress intended.
I raised a lot of the arguments against the government’s theory in an article on the CFAA back in 2003, and I hope the court will address the theory and reject it squarely in the Nosal case. In the meantime, the Nosal case is very much worth watching: Judge Patel may hand down a ruling on this issue before Judge Wu decides the very similar issues in the Lori Drew case, meaning that Judge Patel may be the first judge to address these important issues.