Posted by Orin Kerr:
Lori Drew, Take 2?: The Government's Computer Fraud and Abuse Act Prosecution
in *United States v. Nosal*:
http://volokh.com/archives/archive_2009_02_22-2009_02_28.shtml#1235510297
Readers will recall that in the Lori Drew case, the government is
arguing that mere breach of Terms of service violates the Computer
Fraud and Abuse Act, [1]18 U.S.C. 1030, which prohibits accessing a
computer "without authorization." It turns out that there's another
case in which the government is trying a similarly broad theory of the
CFAA, if not an even broader one. The case is United States v. Nosal,
No. CR 08-0237 MHP, a case in the Northern District of California
presently before Judge Marilyn Hall Patel.
Nosal involves the most common fact pattern found in the civil
caselaw of Section 1030, raised for the first time in a criminal case.
The basic fact pattern is this: Employee at Company A decides that he
is going to leave company A and join competitor company B, and he
accesses the computers of Company A before he leaves. During that
access, he looks around the files stored on Company A's servers
looking for information he might be able to use at Company B. After
the employee leaves, Company A then sues the employee and Company B on
the theory that by using Company A's computers with a subjective
intent to help Company B, the employee was accessing Company A's
computer "without authorization." That is, by acting contrary to the
interests of Company A, the employee was implicitly no longer
authorized to access the Computers of A.
Courts are sharply divided on this theory in the civil context.
Almost all the caselaw is district court caselaw, so there isn't a
circuit split yet. But there have been about 20 district court
decisions on this, about 10 of which were handed down in the last year
alone, and the cases are divided almost 50/50 (or should I say 10/10?)
between decisions accepting the theory and decisions rejecting it.
Also, there is a clear trend in the caselaw: The earlier decisions
generally accepted this theory, and the more recent cases tend to
reject it. The one federal appeals court opinion to address the issue
agreed with this theory, [2]International Airport Centers v. Citrin,
in a rather breezy opinion by Judge Posner in 2006 (I blogged about it
at my solo blog [3]here). As far as I know, however, this theory has
not been tried in such a case in the criminal context.
At least until the Nosal case, that is. I have posted some of the
filings in the Nosal case here:
1) [4]Initial indictment (later superceded, but it gives you the
basic idea of the government's theory of the case),
2) [5]Motion to dismiss indictment for failure to state an offense
3) [6]Government opposition to motion to dismiss, and
4) [7]Reply.
There's a lot going on in the Nosal case beyond the broad theory of
the CFAA, I should emphasize. The matter has also been charged as a
theft of trade secrets, for example, and the government claims that
there may be facts to prove unauthorized access beyond the Citrin
theory that an employee who uses an employer's computer with a bad
motive is a criminal. Still, my understanding is that the government
is indeed relying on that theory in several counts of the Nosal case,
I believe for the first time in any criminal setting outside the Lori
Drew case.
In my view, the government's broad theory of the CFAA in the Nosal
case should be rejected for the same reasons that the government's
similar theory of the CFAA should be rejected in the Lori Drew case.
The early civil cases adopting a very broad construction of the
statute were simply incorrect. The early courts didn't understand that
they were interpreting a criminal statute; they didn't understand that
the interpretation of the CFAA should follow the fraud in the
factum/fraud in the inducement dictinction; and they didn't apply the
rule of lenity or consider how such interpretations would raise
obvious overbreadth problems in the criminal setting. To the extent
the government is relying on the Citrin agency theory of the CFAA, I
hope the court will reject that effort and force the government to
stick to the narrower reading of the CFAA that Congress intended.
I raised a lot of the arguments against the government's theory in
[8]an article on the CFAA back in 2003, and I hope the court will
address the theory and reject it squarely in the Nosal case. In the
meantime, the Nosal case is very much worth watching: I wouldn't be
surprised if Judge Patel hands down a ruling on this issue before
Judge Wu decides the very similar issues in the Lori Drew case,
meaning that Judge Patel may be the first judge to address these
important issues.
References
1. http://www4.law.cornell.edu/uscode/18/1030.html
2. http://www.ca7.uscourts.gov/tmp/LB1FFAOC.pdf
3. http://www.orinkerr.com/2006/03/24/wifi-crime-in-illinois/
4. http://volokh.com/files/Indictment.pdf
5. http://volokh.com/files/Motion.pdf
6. http://volokh.com/files/NosalOpp.pdf
7. http://volokh.com/files/Reply.pdf
8. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=399740
_______________________________________________
Volokh mailing list
Volokh@lists.powerblogs.com
http://lists.powerblogs.com/cgi-bin/mailman/listinfo/volokh
