Yesterday, the U.S. Court of Appeals for the Ninth Circuit issued its highly-anticipated ruling in United States v. Nosal, 10-10038. In a 9-2 en banc decision written by Chief Judge Alex Kozinski, the Ninth Circuit reversed its previous ruling by a three-member panel and rejected its expansive reading of the Computer Fraud and Abuse Act (CFAA) finding that violations of an employer’s computer use policy could qualify as the requisite “exceeded authorized access” under the CFAA, and therefore subject a defendant to the CFAA’s criminal provisions. (A copy of the opinion can be found below).
When the three-judge panel of the Ninth Circuit issued the initial ruling last April, there was a firestorm of controversy that the CFAA could now potentially criminalize the conduct of employees who reviewed personal websites like Facebook at work if their employer’s computer usage policy forbid looking at personal websites. And there was also concern that the ruling’s reasoning could be used to criminalize conduct that was inconsistent with the many online Terms and Conditions to which we mindlessly click “AGREE” so we can access that website.
Indeed, as I wrote last fall, at least one California district court, in Facebook v. MaxBounty, had applied Nosal’s reasoning to that very situation when it found that the CFAA’s civil remedies could apply if a business failed to follow the online instructions of Facebook. There was a remarkable amount of commentary about Nosal, with Professor Orin Kerr and The Wall Street Journal both expressing concern over its potential scope. As a result, many lawyers and businesses have been anxiously waiting for a definitive ruling.
Chief Judge Alex Kozinski’s introduction in many ways evokes U.S. Supreme Court Justice Sonaa Sotomayer’s recent statements in U.S. v. Jones, where she expressed concern about our evolving expectations of privacy and computer usage in the context of the Fourth Amendment. Judge Kozinski wrote:
“Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Some times we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website?”
Later in the opinion, Judge Kozinski emphasized that very concern, noting that “[t]he government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”
For a thorough analysis of the opinion, see Robert Milligan’s post at the Trading Secrets Blog. I am certain there will be plenty of commentary in the coming days.