The 9th Circuit Crafts A Bright Line Test For The CFAA

After the 9th Circuit’s en banc ruling in United States v. Nosal (Nosal I), it appeared for a brief and shining moment that some clarity was being brought to the Computer Fraud and Abuse Act, that the court held that violating the terms of service did not elevate whatever private crap a website owner used into the foundation for a federal offense. But as so often happens, the clouds rolled in and obscured the sunlight.

“[W]ithout authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. (Emphasis added.)

For an unambiguous, non-technical term, “without authorization” has caused the murder of a great many words in explanation. But there is some foreshadowing in there, perhaps not clearly noticed in Nosal II, but apparent now that the 9th Circuit has issued its decision in Facebook v. Power Ventures, which held that while no CFAA violation occurs based upon a violation of the terms of service per se, failure to abide by a cease and desist demand by the website owner based upon the violation gives rise to a violation of the CFAA.

In other words, violating TOS doesn’t make it a crime, but accessing a website after the owner has demanded you cease and desist does. Remember, “affirmatively revoked”? 

At Volokh Conspiracy, Orin Kerr dissects the latest decision (and, in case you’re unclear, is no fan of the concept that people commit a crime under the CFAA based on TOS):

Judge Graber also offers this distinction between terms of use and cease-and-desist letters:

Finally, Nosal I [on terms of use] was most concerned with transforming “otherwise innocuous behavior into federal crimes simply because a computer is involved.” Id. at 860. It aimed to prevent criminal liability for computer users who might be unaware that they were committing a crime. But, in this case, Facebook clearly notified Power of the revocation of access, and Power intentionally refused to comply. Nosal I’s concerns about overreaching or an absence of culpable intent simply do not apply here. This case is closer to Nosal II, wherein liability attached after permission to access computers was expressly revoked, but then the defendant deliberately circumvented the rescission of authorization.

This makes no sense to me. Again, Graber appears to have a misplaced emphasis on state of mind. She is focused on whether people had “culpable intent,” and letting those “unaware” escape liability while those who acted “deliberately” are punished. But that can’t explain why you can intentionally violate terms of use but you can’t intentionally ignore cease-and-desist letters. The state-of-mind question is about a different element of the CFAA — whether the unauthorized access was “intentional,” not whether the act was an unauthorized access in the first place. The difference in the legal treatment of the two acts has to rest on the difference between the acts themselves, not the differences between possible states of mind about those acts.

While Orin’s breakdown of the underlying meaning of Judge Graber’s rationale raises very real questions, this may be a situation where an analysis of a decision is too deep, too smart, when the decision is pragmatic, even if it’s doctrinally or theoretically shaky.

Judge Graber has announced a bright line test. There can be no CFAA crime (or civil cause of action, as was the case in Power Ventures) based on the terms of service. So far, so good. But if the website owner bans someone from accessing his website, then it crosses the line of “unauthorized access” and is sufficient to establish a CFAA violation. Whether it requires the magic words, “cease and desist,” isn’t clear, but since words are cheap, why not use them?

Is this because of the user’s intent? Is this because ignoring a cease and desist letter is more criminal-ly than intentionally violating TOS? It seems to be more easily understood as a very practical bit of line drawing, that the user may or may not have understood the exact parameters of the TOS, or may or may not have even been aware of them. But once they get a C&D letter, the user has no excuse for not grasping that the website owner doesn’t want them in their house. You want an engraved invitation? You got one.

Orin argues for a narrow interpretation of Power Ventures, though he still thinks it’s a bad decision.

One question is whether you can read the decision more narrowly to apply only to accessing an account rather than visiting a website. Here’s the uncertainty: Is the decision saying broadly that you can’t visit the public face of a website after the computer owner said “no,” or is the decision saying more narrowly that you can’t access an individual account with the user’s permission after the computer owner said “no”? I would still disagree with the narrower reading, but it would be a lot less objectionable than the broader one.

My speculation is that the 9th Circuit didn’t even consider this question, and that Orin is still over-thinking the implications of the decision.

Reading over the opinion, though, I don’t see a lot of reason to think the court had the narrower interpretation in mind. Consider these clues. First, Footnote 1 states:

Because, initially, Power users gave Power permission to use Facebook’s computers to disseminate messages, we need not decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.

The court then cites a law review article “asserting that websites are the cyber-equivalent of an open public square in the physical world.”

Unless Judge Graber has mad hacker skillz, my bet is that she approached the problem as would any ordinary internet user, that anybody can look at the picture on their screen, but that they can’t go any further, such as leaving a comment, writing on someone’s wall, or scraping user information. Then again, I can’t point to anything that says so, while Orin can point to a line that gives rise to his issue:

Third, the court says that by sending the cease-and-desist letter, “Facebook explicitly revoked authorization for any access[.]” (emphasis in original). It doesn’t say that the authorization was revoked for the account access but not for visiting material accessible to the public on its computers (content such as this, for example, which anyone can access). Again, that suggests the broader reading rather than the narrower reading.

Or, it suggests that the judges view the internet like regular folk, unsophisticated in their use and with the common understanding that looking at the “public face” without more isn’t access as covered by the CFAA. Whether this is a matter of the Power Ventures opinion being read by someone too knowledgeable to miss the nuance, or written by judges too unsophisticated to realize the nuances, isn’t clear.

What is clear is that the 9th Circuit has tried to craft a bright line test, and part of it is that violating a website’s TOS does not, standing alone, give rise to a CFAA violation. That’s not a bad thing, and it means that if you aren’t hopping on your left leg as you read this post (as required by my TOS as of this moment), you have yet to commit a felony. Here, at least.

9 thoughts on “The 9th Circuit Crafts A Bright Line Test For The CFAA

  1. Hayden Curry

    Even if the prohibition is so extreme as to not even allow looking at the website, bypassing detection is just too too easy. Something as simple proxying through another server, Fake identies (, and anonymizing servers ( allow for no “digital fingerprints”. This makes detection a problem and enforcement even more so.
    But regular-folk-judges are mere flatlanders in a 3d world.
    And BTW, my latest fake identity is:

    Name: Hayden Curry
    Gender: Male
    Date of Birth: 1983-02-17
    Social Security Number: 122-42-7359
    Street Address: 5213 Oketo Avenue
    City, State, ZIP: South Butler, NY 13154
    Phone Number: (315) 560-8138
    Username: haydencurryzBm
    Password: WEejyhzyZ2wyTxK
    Temporary Email Address: [email protected]

    1. Patrick Maupin

      Of course, “bypassing detection” is really just “accessing a website while pretending to be someone else,” which, of course, means that the CFAA equivalent of SWATting will be happening soon.

  2. losingtrader

    What none of you seem to grasp is this ruling amounts to the full-employment act for law school grads.
    Scott, your days of criticizing law schools may soonbe a wistful memory.

    Oh well, there’s still SJW’s , Riker’s Island, etc.
    (Knowing me as you do, just as a joke I may put enough money in my will to fund a name change to Scott Greenfield island, particularly since you don’t like the idea.

    1. SHG Post author

      Maybe a nice Scott Greenfield memorial zen garden for the guards to enjoy, with a nice cage for the fights.

Comments are closed.