Wednesday, March 13, 2013

Nosal on remand - another reading of CFAA's "exceeds authorized access"; court denies motion to dismiss

Update 3 - 12:19pm: I re-read Nosal (en banc), and I believe the court, here, failed to contemplate the following words from the en banc opinion:

Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 (“You will not share your password, . . . let anyone else access your account, or do anything else that might jeopardize the security of your account.”) (last visited Mar. 4, 2012). Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so. 
I am unable to understand how the above scenario differs from the CFAA count against Nosal the court wrangles with, below. Here, an employee logged into a computer they had access rights to and then handed that over to another person who proceeded to download sensitive information. Of course this is a violation of an Acceptable Use Policy/Terms of Use, and there is (likely) liability under theft of trade secrets (and other torts), but is this a federal crime deserving of prison? Judge Kozinski's words in Nosal (en banc) seem to contradict the district court's holding, below.

Also, I am not convinced the court gets the circumventing technological access barriers analysis correct. Nosal did not employ trickery, tools, exploits, or anything else malicious to gain access to the information. He used another human being. Yes, passwords are technological barriers to information. But, he didn't circumvent that in a commonly understood (and contemplated manner) - i.e. password guessing, cracking, logical flaws, etc. The court's holding, here, expands the CFAA less than a year after the 9th Circuit reduced its scope.

Update 2 - 11:34am: For those of you, like me, who like to dig a little deeper, here are: Nosal's Motion to Dismiss, the government's Memo in Opposition, and Nosal's reply.

1/17/13 - Nosal's Amended Motion to Dismiss Remaining CFAA Counts And Supporting Memorandum Of Points And Authorities
1/30/13 - USA Memorandum in Opposition to Motion to Dismiss (and Exhibits)
2/13/13 - Nosal's Reply to USA Memo in Opposition (and Exhibits)

Update 1 - 11:07am: In regards to the DMCA language, it may have originated from Jennifer Granick's EFF proposal for changing the language of the CFAA to define "access without authorization" consistent with the DMCA. Orin Kerr has similar language in his proposal (see this Kerr post for a link and thoughts about Granick's proposal), but it was not (to my knowledge) lifted from the DMCA. I think the defense attorney, here, missed the point that these were proposed reforms to the CFAA's statutory language; reading the DMCA language into the statute isn't possible under its current iteration.

In United States v. Nosal, No. CR-08-0237 EMC (N.D. Cal. March 12, 2013), on remand from the en banc opinion of the 9th Circuit, and addressing additional counts, Judge Edward M. Chen denied Nosal's motion to dismiss the remaining CFAA counts (5 were dismissed previously). Nosal argued that the en banc opinion clarified application of the CFAA, requiring dismissal; Chen did not buy it, and provided an interesting take on what Nosal meant, but more importantly, what it didn't mean. I excerpt the relevant analysis portion from Judge Chen's order at length, below, because it is worth it to read the entire thing.

Of note, also, is the fact that in his motion to dismiss the remaining counts, Nosal tried to have "hacking" defined by reading a portion of the DMCA into the CFAA. I thought this was an interesting, albeit totally unworkable and unsound argument. It had to have been conjured understanding that it was a "reach" argument; otherwise, the tactic was distracting and silly owing to the fact that courts rarely read in definitions from completely unrelated statutes, passed many years apart.

First, for some background, see our previous posts on Nosal:

Jeffrey Brown, Ninth Circuit en banc adopts narrow reading of CFAA
Justin P. Webb, Why Nosal's dissent is surprisingly persuasive

Also, see Orin Kerr's testimony to the House Judiciary Committee’s Subcommittee on Crime, Terrorism, Homeland Security and Investigations, which he is giving today, and which references the 9th Circuit's en banc decision in Nosal

Here is the relevant excerpt from the order denying Nosal's motion to dismiss from Judge Chen of the Northern District of California, mentioned above(the entire order is here (and above): Chen Order denying motion to dismiss) (I have marked in red parts I feel are important/interesting):
D. Application to Remaining CFAA Counts 
1. Defendant's Definition of Hacking 
Defendant now argues that the Ninth Circuit's opinion in Nosal limits the applicability of the CFAA to not just unauthorized access but to hacking crimes where the defendant circumvented technological barriers to access a computer. Thus, Defendant argues, the remaining CFAA claims must be dismissed because they do not include allegations that Defendant or his co-conspirators circumvented any technological access barriers. 
The Ninth Circuit acknowledged that the CFAA was passed "primarily to address the growing problem of computer hacking." Id. at 858. The court further rejected the government's argument that accessing a computer "without authorization" was intended to refer to hackers, while accessing a computer in a way that "exceeds authorized access" necessarily refers to authorized users who access a computer for an unauthorized purpose. 
it is possible to read both prohibitions as applying to hackers: "[W]ithout authorization" would apply to outside hackers (individuals who have no authorized access to the computer at all) and "exceeds authorized access" would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files). This is a perfectly plausible construction of the statutory language that maintains the CFAA's focus on hacking rather than turning it into a sweeping Internet-policing mandate. 
Id. at 858 (emphasis in original). The court noted that the Defendant's "narrower interpretation [of the CFAA] is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking – the circumvention of technological access barriers – not misappropriation of trade secrets – a subject Congress has dealt with elsewhere." Id. at 863. 
The court did not, however, explicitly hold that the CFAA is limited to hacking crimes, or discuss the implications of so limiting the statute. For example, the court did not revisit the elements of crimes under § 1030(a)(4) as articulated in Brekka, where it held the elements of a violation of that provision were: (1) accessing a protected computer; (2) without authorization or exceeding such authorization that was granted; (3) knowingly and with intent to defraud; and thereby (4) furthering the intended fraud and obtaining anything of value. Brekka, 581 F.3d at 1132. Nowhere does the court's opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under § 1030(a)(4). Instead, Nosal holds only that it is not a violation of the CFAA to access a computer with permission, but with the intent to use the information gained thereby in violation of a use agreement. 676 F.3d at 863-64. The court did not address limits on liability under the CFAA based on the manner in which access is limited, whether by technological barrier or otherwise. Id. Thus, Defendant's interpretation is not a fair reading of Nosal on this front is simply incorrect. Hacking was only a shorthand term used as common parlance by the court to describe the general purpose of the CFAA, and its use of the phase "circumvention of technological access barriers" was an aside that does not appear to have been intended as having some precise definitional force. 
Even if Nosal added a "circumventing technological access barriers" element to crimes under § 1030(a)(4), the indictment sufficiently alleges such circumvention. As the government points out "password protection is one of the most obvious technological access barriers that a business could adopt." Gov.'s Opp. at 1. Faced with this reality, Defendant acknowledges that the Ninth Circuit did not offer a definition of hacking, and urges this Court to look to the definition in the Digital Millenium Copyright Act, which provides that to "'circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner." 17 U.S.C. § 1201(a)(3)(A). However, there is no legal basis to incorporate into the CFAA the Digital Millenium Copyright Act which was passed 14 years after the CFAA and which concerned matters separate and distinct from the CFAA. Moreover, it is noteworthy that neither the CFAA nor the Digital Millenium Copyright Act employs the term "hacking." In any event, even if the Digital Millenium Copyright Act's definition of "circumvent a technological measure" were to inform the scope of the CFAA, as noted above, the actions alleged in the indictment fall within it. Use of another's password "avoids" and "bypasses" the technological measure of password protection. 
Defendant argues that the remaining CFAA claims fail because they do not allege "J.F.'s password was obtained illegally or without her consent." Def.'s Mot. at 5. Defendant's argument is premised in part on the notion that because J.F. allowed Defendant's co-conspirators to use her credentials to access the Korn/Ferry system, the co-conspirators cannot be said to be acting "without authorization" in accessing the Searcher database. In Brekka, however, the Ninth Circuit made clear that it is the actions of the employer who maintains the computer system that determine whether or not a person is acting with authorization. Brekka, 581 F.3d at 1135 ("The plain language of the statute therefore indicates that 'authorization' depends on actions taken by the employer."). Further, the CFAA appears to contemplate that one using the password of another may be accessing a computer without authorization, as it elsewhere provides penalties for anyone who "knowingly and with intent to defraud traffics in any password or similar information through which a computer may be accessed without authorization." 18 U.S.C. § 1030(a)(6). 
Additionally, Defendant argues that the CFAA does not cover situations where an employee voluntarily provides her password to another by analogizing to the law of trespass with regards to physical property: "Just as consensual use of an employee's key to gain physical access is not trespass, consensual use of an employee's computer password is not hacking." Def.'s Mot. at 6. Defendant argues that the court in Nosal held that "the CFAA was based on principles of trespass." Id. This is a mischaracterization of the opinion in Nosal, which merely noted that the CFAA was passed to address the growing problem of hacking, and quoted a Senate report that stated "[i]n intentionally trespassing into someone else's computer files, the offender obtains at the very least information as to how to break into that computer system." Nosal, 676 F.3d at 858 (quoting S.Rep. No. 99-432, at 9 (1986), 1986 U.S.C.C.A.N. 2479, 2487 (Conf. Rep.)). Aside from these passing comments positing an analogy, Defendant points to nothing in the wording of the CFAA or interpretive case law to support its construction. If the CFAA were not to apply where an authorized employee gave or even sold his or her password to another unauthorized individual, the CFAA could be rendered toothless. Surely, Congress could not have intended such a result.

2. "Access" 
The factual scenario presented in count nine, does, however, raises the question of how to interpret the term "access" in the CFAA. Defendant argues that J.F. was the individual "accessing" the Korn/Ferry system when she logged in using her password, and that M.J.'s use of the system after the login does not constitute unauthorized "access" within the meaning of the statute. The government, on the other hand, argues that "access" encompasses ongoing use, including M.J.'s unauthorized use of the system after J.F. logged in. 
In support of its argument, the government cites to two Senate Reports from the CFAA's legislative history. The first, from the 1996 amendments to the CFAA, notes that "the term 'obtaining information' includes merely reading it." Sen. Rep. No. 104-357, at 7 (1996). The government argues that just as "obtaining information" may include merely reading, so too may access be as simple as reading the materials in question.5 The second Senate Report, associated with the 1986 version of the CFAA, notes the intention to criminalize "knowingly trafficking in other people's computer passwords." Sen. Rep. No. 99-432, at 3 (1986). This comment, however, seems to be in reference to § 1030(a)(6) of the CFAA, which criminalizes trafficking in passwords, and is not at issue in the current case. See id. at 13. 
The Court need not opine on whether § 1030(a)(4) should be read so broadly as to encompass the situation where an unauthorized person looks over the shoulder of the authorized user to view password protected information or files. The allegation in Count Nine is that J.F. logged on to the computer using her credentials, then handed over the computer terminal to M.J., who ran his own searches through the Korn/Ferry database and then downloaded files therefrom. 
Functionally and logically, this is no different than if J.F. gave M.J. the password, and M.J. typed in the password himself. The only distinction differentiating the two scenarios is one based on a constrained and hypertechnical definition of "access" in which access focuses solely on the moment of entry and nothing else. Not only would such a definition produce a non-sensical result; it is not supported by the language of the statute. The crime under § 1030(a)(4) is "accessing" a protected computer, or not "entering" or "logging on to" a protected computer. 18 U.S.C. § 1030(a)(4). Nothing in the CFAA suggests anything other than a common definition of the term "access," applies. The Oxford English Dictionary defines "access" as, inter alia, "[t]he opportunity, means, or permission to gain entrance to or use a system, network, file, etc." See Oxford English Dictionary, (emphasis added); see also Black's Law Dictionary (defining access as, inter alia, "[a]n opportunity or ability to enter, approach, pass to and from, or communicate with"). The common definition of the word "access" encompasses not only the moment of entry, but also the ongoing use of a computer system. Under the facts alleged in the indictment, M.J. "proceeded to query Korn/Ferry's Searcher database and download information, after obtaining initial access." SI ¶ 19o. That J.F. entered the password for him rather than having M.J. type it himself does not alter the fact that in common parlance and in the words of the CFAA, M.J. accessed the protected computer system, and he did not have authorization to do so.
I would love comments on this.


Post a Comment