9th Circuit Says Playing FarmVille at Work Should NOT be a Federal Crime.
California Internet Daters Will No Longer Go To Prison For Lying About Their Height and Weight on eHarmony
The much awaited decision in United States v. Nosal was issued today by the Ninth Circuit of Appeals. The question at issue was whether an employee who accesses a computer system in violation of an employer’s Acceptable Use policy (in this case by downloading his employer’s trade secrets to start a competing business) is “exceeding unauthorized access” for purposes of the Computer Fraud and Abuse Act (“CFAA”). Put another way, is the right to access certain computer datasets for purpose A, but not for purpose B, a basis to find a violation of the CFAA? Or does the employee only violate the CFAA when he has the right to access dataset A, but not B, and he goes ahead and looks at dataset B anyway.
This topic has been a subject of much debate among lawyers who practice in the cybercrime area, and the decisions have gone in opposite directions. Today, the Ninth Circuit (in a 7-2 en banc decision) joined its voice to those who have said the CFAA is an anti-hacking statute, not a general misappropriation statute, and is only violated when a defendant “hacks” into a computer by looking at data he is not authorized to see — not when he merely uses it for an unauthorized purpose. Accordingly, the court may have slowed down the growing trend among plaintiff’s class actions attorneys of using computer hacking statutes to try to pursue allegedly unauthorized use of information obtained from a computer. Indeed, in footnote 7, (which will likely be celebrated by our friends at Zynga), the Court expressed its concern that adopting the government’s more aggressive interpretation of the CFAA would lead to clearly improper results, such as making it a federal crime to access a computer to “tend a FarmVille stable” on a work computer, where such use is prohibited by the employer’s policies.
But the court didn’t stop at FarmVille. To defend its interpretation it pointed out the absurdities that could result from the contrary view, such as making criminals out of Internet users who lie about their age to use Google, share their Facebook Logins, or misrepresent their height and weight on a Internet dating site. Despite years of lawyers (including those at DOJ) promoting Terms of Service as an effective way to define what is and is not an authorized uses, and therefore, what is and is not a crime, the Court made clear that it does not think Internet Terms of Service can be so weighty, especially where companies reserve the right to change them at will.
The court acknowledged that this decision put the 9th Circuit squarely at odds with the contrary decisions of the 5th, 7th and 11th Circuits. But rather than following those courts, the Court urged the other circuits to reconsider their holdings by focusing on the dangerous consequences of giving private companies the right and power to define federal crimes by merely updating their ToS.
While some of the court’s reasoning (such as its discussion of the rule of lenity) is limited to the criminal context, it’s overall holding on the proper interpretation of “exceeds authorized access” would apply to the civil context as well. Given how broadly the CFAA is being used (and abused) in civil cases, this decision will not likely be the last word on this issue — but it certainly adds to the conversation.
Meanwhile, social gamers, Internet daters prone to self-exaggeration and even (as the dissent points out) trade secret thieves, can all breathe a little easier tomorrow.