Efrain Alvarado III
United States v. Nosal (Nosal II) and the CFAA
This case involved the Computer Fraud and Abuse Act (CFAA), a law that criminalized intrusion into computer systems (including all “used in affecting interstate or foreign commerce or communication”) and imposed criminal penalties on anyone who “accesses a protected computer without authorization, or exceeds authorized access to perpetrate a fraud.” In United States v. Nosal (Nosal II), the Ninth Circuit affirmed the conviction of the defendant and co-conspirators who used another person’s login credentials to access the computers of their former employer. David Nosal, a former employee of executive search firm Korn/Ferry International (KFI), announced his intention to leave the company in 2004 with an agreement that he would continue working as a contractor under a noncompetition agreement. Nosal and other KFI employees in fact had a secret plan to launch a competing business while using KFI’s proprietary database from its internal network “Searcher,” which had information about over 1 million executive search candidates. Nosal and the other conspirators used their credentials to procure information about those candidates until they officially departed from the company; at that point, Nosal asked his former assistant (still employed by KFI) for her credentials, which they continued to use in an effort to gain access to more data for their new company.
A somewhat divided majority in the Ninth Circuit affirmed Nosal’s convictions on three CFAA violations, economic espionage, and a count of conspiracy. Judge McKeown cited LVRC Holdings LLC v. Brekka as having interpreted the phrase “intentionally accesses a computer without authorization” directly, by ruling that accessing a computer after having one’s credentials revoked clearly means one did not have authorization. Accordingly, the Ninth Circuit ruled that Nosal and his co-conspirators were “outsiders” who no longer had authorization to access Searcher. Additionally, since only the owner of the system can allow or disallow access to it (in this case, Searcher), Nosal’s former assistant was completely unauthorized to give her credentials to known former employees who no longer had authorization. In dissent, Judge Reinhardt said that he would permit “password sharing,” where legitimate users can delegate access to the system, and he also noted that no direct language indicated that only the system owner has authority.
In this ruling the Ninth Circuit may have failed to make a more nuanced decision that would make more sense as a precedent; the court ruled that “without authorization,” a term with a plain meaning, meant that in this case the system owner (not someone with authorization to use the system) was the only one who could grant authorization. Under that precedent, there is no distinction between those whose access was revoked and those who lack direct authorization from the system owner but might claim authorization from some other legitimate user (i.e., a manager or superior, but not the actual system owner). What about the instances hinted at by Judge Reinhardt’s dissent, where legitimate users (such as managers) are granted permission to delegate access to other users within the company? Reinhardt also made the valid point that perhaps the term “without authorization” applied solely to those outside the company with no access (such as Nosal and the co-conspirators after their credentials were revoked) and not necessarily to people within the company. Either way, at least the defendant’s flimsy arguments were not taken seriously by the court; rather, the case was about how to interpret the CFAA.
United States v. Nosal (Nosal II). (2017, February 10). Retrieved March 25, 2017, from http://harvardlawreview.org/2017/02/united-states-v-nosal-nosal-ii/