Harvey Silverglate’s Three Felonies A Day is so passé. Under the 9th Circuit’s decision in United States v. Nosal, chances are that you’ll have a few dozen before the day is out.
David Nosal was accused of getting employees of an executive search firm to use their computer access to obtain “trade secrets” and pass them along to start a new firm. The employees used their employer provided access, accounts and passwords, to get the information and pass along to Nosal.
The district court refused to dismiss, until the 9th Circuit decided LVRC Holdings LLC v. Brekka, holding that there was no violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 for unauthorized use when he was permitted by his employer to access a computer, even though it turned out that he used it in a way that the employer subsequently found contrary to his interests. Since Brekka has the authority to access the account, including the specific data involved, he did not violate §1030’s prohibition against either unauthorized access or exceeding authorized access.
After the Brekka decision, the court dismissed most of the counts of the indictment against Nosal. The 9th Circuit, in a 2-1 split, reversed.
The crux of the court’s decision hinged on two letters: so.
Although the statute does not define the phrase “without authorization,” it does state that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6) (emphasis added).
The government contends that Nosal’s interpretation of “exceeds authorized access” would render superfluous the word “so” in the statutory definition. We agree. “So” in this context means “in a manner or way that is indicated or suggested.” Webster’s Third New Int’l Dictionary 2159 (Philip Babcock Gove, ed. 2002). Thus, an employee exceeds authorized access under § 1030(e)(6) when the employee uses that authorized access “to obtain or alter information in the computer that the accesser is not entitled [in that manner] to obtain or alter.” We decline to render meaningless a word duly enacted by Congress.
On this thread, the court held that the limitations on access created by the employer, that it’s content was confidential, was sufficient to establish a crime by its access by employees otherwise authorized to access it.
The court interpreted Brekka to hold that it was the employer’s action that determined whether access exceeded authorization.
How is an employee supposed to know when authorization has been revoked if the employer does not inform the employee of the revocation? It was this concern that motivated us to apply the rule of lenity, “ ‘which is rooted in considerations of notice [and] requires courts to limit the reach of criminal statutes to the clear import of their text and construe any ambiguity against the government.’ ” Id. at 1135 (quoting United States v. Romm, 455 F.3d 990, 1001 (9th Cir. 2006)). Because LVRC had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether — or when — his access would have become unauthorized. Therefore, as long as an employee has some permission to use the computer for some purpose, that employee accesses the computer with authorization even if the employee acts with a fraudulent intent.
In contrast, the court found that the employees in Nosal knew of the restrictions, that the data was confidential, which the court called “clear and conspicuous,”
For this reason, we conclude that the rule of lenity, which applied with particular force in interpreting the phrase “without authorization,” does not support ignoring the statutory language and the core rationale of Brekka. Nosal’s argument that the government’s “Orwellian” interpretation would improperly criminalize certain actions depending only on the vagaries and whims of the employer is foreclosed by Brekka, which held unequivocally that under § 1030 the employer determines whether an employee is authorized. Id. at 1133, 1135. Therefore, as long as the employee has knowledge of the employer’s limitations on that authorization, the employee “exceeds authorized access” when the employee violates those limitations. It is as simple as that.
Simple? Maybe a little too simple. The potential for restrictions, whether real or imagined, clear or overarchingly vague, puts into employers’ hands the ability to criminalize conduct by their employees and former employees at will. This creates the potential for a cottage industry for lawyers in crafting computer access restriction that could be used to terrorize their employees with potential criminal liability.
Didn’t read it? Bummer, as ignorance of the law is no excuse. But it’s not like some governmental entity passed a law making it a crime? Bummer, because every employer, website owner, cellphone provider, car manufacturer, anyone providing anything that works on or with a computer chip, is now empowered to create crimes at will.
They need not be reasonable. They need not be fair. It’s their authorization you need, and by which you’re limited, and if they say jump and you don’t, you’ve exceeded your authorization.
Of course, chances aren’t good that roving bands of prosecutors will be surveilling your every move on the internet or in your employer’s database. instead, prosecutions will come only when you’ve pissed someone off enough that they either bring your nefarious computer use to the government’s attention or the person you pissed off happens to have sufficient influence for an indictment to be brought.
Get it? Aside from the few people living as hermits, there is no one who does not violate some restriction on use of a computer regularly, meaning that the government, should it so choose, has the ability to prosecute every person (hermits aside) online. Heck, you’d be lucky to make it to your coffee break with only three felonies.
Royal Wedding Crime Spree Update: This is a test. How many crimes can one commit via this page from today’s lovely Royal Wedding between Prince William and She Who Must Be Obeyed?
H/T Eric Johnson at PrawfBlawg (Copyright 2011 Eric Johnson at Prawfsblawg)