Three Felonies By Coffee Break (Royal Wedding Crime Spree Update)

Harvey Silverglate’s  Three Felonies A Day is so passé.  Under the 9th Circuit’s decision in United States v. Nosal, chances are that you’ll have a few dozen before the day is out. 

David Nosal was accused of getting employees of an executive search firm to use their computer access to obtain “trade secrets” and pass them along to start a new firm.  The employees used their employer provided access, accounts and passwords, to get the information and pass along to Nosal. 

The district court refused to dismiss, until the 9th Circuit decided LVRC Holdings LLC v. Brekka, holding that there was no violation of the Computer Fraud and Abuse Act, 18 U.S.C. §1030 for unauthorized use when he was permitted by his employer to access a computer, even though it turned out that he used it in a way that the employer subsequently found contrary to his interests.  Since Brekka has the authority to access the account, including the specific data involved, he did not violate §1030’s prohibition against either unauthorized access or exceeding authorized access.

After the  Brekka decision, the court dismissed most of the counts of the indictment against Nosal.  The 9th Circuit, in a 2-1 split, reversed.

The crux of the court’s decision hinged on two letters:  so.

Although the statute does not define the phrase “without authorization,” it does state that “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6) (emphasis added). 

The government contends that Nosal’s interpretation of “exceeds authorized access” would render superfluous the word “so” in the statutory definition. We agree. “So” in this context means “in a manner or way that is indicated or suggested.” Webster’s Third New Int’l Dictionary 2159 (Philip Babcock Gove, ed. 2002). Thus, an employee exceeds authorized access under § 1030(e)(6) when the employee uses that authorized access “to obtain or alter information in the computer that the accesser is not entitled [in that manner] to obtain or alter.” We decline to render meaningless a word duly enacted by Congress.

On this thread, the court held that the limitations on access created by the employer, that it’s content was confidential, was sufficient to establish a crime by its access by employees otherwise authorized to access it.

Oh boy.

The court interpreted Brekka to hold that it was the employer’s action that determined whether access exceeded authorization.

How is an employee supposed to know when authorization has been revoked if the employer does not inform the employee of the revocation? It was this concern that motivated us to apply the rule of lenity, “ ‘which is rooted in considerations of notice [and] requires courts to limit the reach of criminal statutes to the clear import of their text and construe any ambiguity against the government.’ ” Id. at 1135 (quoting United States v. Romm, 455 F.3d 990, 1001 (9th Cir. 2006)). Because LVRC had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether — or when — his access would have become unauthorized. Therefore, as long as an employee has some permission to use the computer for some purpose, that employee accesses the computer with authorization even if the employee acts with a fraudulent intent.

In contrast, the court found that the employees in Nosal knew of the restrictions, that the data was confidential, which the court called “clear and conspicuous,”

For this reason, we conclude that the rule of lenity, which applied with particular force in interpreting the phrase “without authorization,” does not support ignoring the statutory language and the core rationale of Brekka. Nosal’s argument that the government’s “Orwellian” interpretation would improperly criminalize certain actions depending only on the vagaries and whims of the employer is foreclosed by Brekka, which held unequivocally that under § 1030 the employer determines whether an employee is authorized. Id. at 1133, 1135. Therefore, as long as the employee has knowledge of the employer’s limitations on that authorization, the employee “exceeds authorized access” when the employee violates those limitations. It is as simple as that.

Simple?  Maybe a little too simple.  The potential for restrictions, whether real or imagined, clear or overarchingly vague, puts into employers’ hands the ability to criminalize conduct by their employees and former employees at will.  This creates the potential for a cottage industry for lawyers in crafting computer access restriction that could be used to terrorize their employees with potential criminal liability.

And further, considering the breadth of electronic equipment in hand and upon which we’re becoming increasingly dependent, the same reasoning that holds Nosal criminally liable would put all of us similarly at risk in the terms of use of every website on the internet.  Imagine some click-through terms to contain a few thousand restrictions on use (you are prohibited from accessing this website while wearing a bathrobe and/or flip flops), which now constitutes a crime.

Didn’t read it?  Bummer, as ignorance of the law is no excuse.  But it’s not like some governmental entity passed a law making it a crime?  Bummer, because every employer, website owner, cellphone provider, car manufacturer, anyone providing anything that works on or with a computer chip, is now empowered to create crimes at will. 

They need not be reasonable.  They need not be fair.  It’s their authorization you need, and by which you’re limited, and if they say jump and you don’t, you’ve exceeded your authorization. 

Of course, chances aren’t good that roving bands of prosecutors will be surveilling your every move on the internet or in your employer’s database.  instead, prosecutions will come only when you’ve pissed someone off enough that they either bring your nefarious computer use to the government’s attention or the person you pissed off happens to have sufficient influence for an indictment to be brought.

Get it?  Aside from the few people living as hermits, there is no one who does not violate some restriction on use of a computer regularly, meaning that the government, should it so choose, has the ability to prosecute every person (hermits aside) online.  Heck, you’d be lucky to make it to your coffee break with only three felonies.

Royal Wedding Crime Spree Update: This is a test. How many crimes can one commit via this page from today’s lovely Royal Wedding between Prince William and She Who Must Be Obeyed?

H/T Eric Johnson at PrawfBlawg (Copyright 2011 Eric Johnson at Prawfsblawg)

4 thoughts on “Three Felonies By Coffee Break (Royal Wedding Crime Spree Update)

  1. BadLawyer

    Within a week of being at FCI, Morgantown someone pressed a copy of Silverglate’s book into my hands commanding me to read it and be educated. While not eye-opening, I got the point–what was eye-opening was the story of the conviction of Dr. Roger Pellmann who according to the federal indictment was convicted of treating one patient, gratis, for trigeminal neuralgia in a manner that the DEA (and subsequently a jury) deemed exceeded “legitimate medical purposes.” Somehow all of these folks arrived at this “exceeding medical purposes” determination without medical degrees, without medical or toxicological expert testimony. I know that as a personal injury attorney of almost 28 years, I would not survive a motion for directed verdict in a whiplash case without a medical expert. Up close it’s possible to see prosecutions and felonies you might not have thought possible. In some instances it’s a matter, it seems, of what the government feels like indicting.

  2. SHG

    I just got an email from Harvey telling me he liked this post.  I guess he’s not mad at me anymore for not loving his book.  He’s great, though.

    Consider the “expertise” possessed by prosecutors.  They’ve never run a business, yet know all the things corporate executive do wrong. They’ve never been the surviving spouse of a murder, yet know exactly how surviving spouses should behave. They’ve never been poor, hungry and uneducated, yet know exactly what motivates mothers of starving children.  And they don’t have medical degrees, yet know when physicians exceed their authority.  The list goes on.

    And because jurors know even less than prosecutors, they believe them.  After all, they wouldn’t prosecute people if they didn’t commit crimes.

Comments are closed.