Posted by Orin Kerr: Lori Drew, Take 2?: The Government's Computer Fraud and Abuse Act Prosecution in *United States v. Nosal*: http://volokh.com/archives/archive_2009_02_22-2009_02_28.shtml#1235510297
Readers will recall that in the Lori Drew case, the government is arguing that mere breach of Terms of service violates the Computer Fraud and Abuse Act, [1]18 U.S.C. 1030, which prohibits accessing a computer "without authorization." It turns out that there's another case in which the government is trying a similarly broad theory of the CFAA, if not an even broader one. The case is United States v. Nosal, No. CR 08-0237 MHP, a case in the Northern District of California presently before Judge Marilyn Hall Patel. Nosal involves the most common fact pattern found in the civil caselaw of Section 1030, raised for the first time in a criminal case. The basic fact pattern is this: Employee at Company A decides that he is going to leave company A and join competitor company B, and he accesses the computers of Company A before he leaves. During that access, he looks around the files stored on Company A's servers looking for information he might be able to use at Company B. After the employee leaves, Company A then sues the employee and Company B on the theory that by using Company A's computers with a subjective intent to help Company B, the employee was accessing Company A's computer "without authorization." That is, by acting contrary to the interests of Company A, the employee was implicitly no longer authorized to access the Computers of A. Courts are sharply divided on this theory in the civil context. Almost all the caselaw is district court caselaw, so there isn't a circuit split yet. But there have been about 20 district court decisions on this, about 10 of which were handed down in the last year alone, and the cases are divided almost 50/50 (or should I say 10/10?) between decisions accepting the theory and decisions rejecting it. Also, there is a clear trend in the caselaw: The earlier decisions generally accepted this theory, and the more recent cases tend to reject it. The one federal appeals court opinion to address the issue agreed with this theory, [2]International Airport Centers v. Citrin, in a rather breezy opinion by Judge Posner in 2006 (I blogged about it at my solo blog [3]here). As far as I know, however, this theory has not been tried in such a case in the criminal context. At least until the Nosal case, that is. I have posted some of the filings in the Nosal case here: 1) [4]Initial indictment (later superceded, but it gives you the basic idea of the government's theory of the case), 2) [5]Motion to dismiss indictment for failure to state an offense 3) [6]Government opposition to motion to dismiss, and 4) [7]Reply. There's a lot going on in the Nosal case beyond the broad theory of the CFAA, I should emphasize. The matter has also been charged as a theft of trade secrets, for example, and the government claims that there may be facts to prove unauthorized access beyond the Citrin theory that an employee who uses an employer's computer with a bad motive is a criminal. Still, my understanding is that the government is indeed relying on that theory in several counts of the Nosal case, I believe for the first time in any criminal setting outside the Lori Drew case. In my view, the government's broad theory of the CFAA in the Nosal case should be rejected for the same reasons that the government's similar theory of the CFAA should be rejected in the Lori Drew case. The early civil cases adopting a very broad construction of the statute were simply incorrect. The early courts didn't understand that they were interpreting a criminal statute; they didn't understand that the interpretation of the CFAA should follow the fraud in the factum/fraud in the inducement dictinction; and they didn't apply the rule of lenity or consider how such interpretations would raise obvious overbreadth problems in the criminal setting. To the extent the government is relying on the Citrin agency theory of the CFAA, I hope the court will reject that effort and force the government to stick to the narrower reading of the CFAA that Congress intended. I raised a lot of the arguments against the government's theory in [8]an article on the CFAA back in 2003, and I hope the court will address the theory and reject it squarely in the Nosal case. In the meantime, the Nosal case is very much worth watching: I wouldn't be surprised if Judge Patel hands down a ruling on this issue before Judge Wu decides the very similar issues in the Lori Drew case, meaning that Judge Patel may be the first judge to address these important issues. References 1. http://www4.law.cornell.edu/uscode/18/1030.html 2. http://www.ca7.uscourts.gov/tmp/LB1FFAOC.pdf 3. http://www.orinkerr.com/2006/03/24/wifi-crime-in-illinois/ 4. http://volokh.com/files/Indictment.pdf 5. http://volokh.com/files/Motion.pdf 6. http://volokh.com/files/NosalOpp.pdf 7. http://volokh.com/files/Reply.pdf 8. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=399740 _______________________________________________ Volokh mailing list Volokh@lists.powerblogs.com http://lists.powerblogs.com/cgi-bin/mailman/listinfo/volokh