Nosal Returns to the Ninth Circuit Posing the Question: Is a Password a Sufficient “Technological Access Barrier” Under the CFAA?

Observers following the legal issues surrounding the prosecution of David Nosal will be watching closely in 2015 as the former Korn Ferry executive returns to the Ninth Circuit to appeal his 2013 conviction on three counts of violating the Computer Fraud and Abuse Act.

Nosal was originally charged with eight counts of violating the CFAA in 2008 for conspiring with then-current Korn Ferry employees to obtain confidential data from the firm’s “Searcher” database, which he used to start a competing venture.

In April 2012, an en banc panel of the Ninth Circuit (Nosal I) ruled that the government could not bring five of the eight CFAA counts against Nosal because he could not have “exceed[ed] authorized access” under the CFAA when his co-conspirators used valid log-in credentials to access and download confidential data, which they then transferred to Nosal.

The panel applied the rule of lenity to hold that “the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” In other words, Nosal could not be criminally liable under the CFAA for merely violating the database’s use terms, because he did not circumvent any “technological access barrier.” The Panel justified its narrow interpretation on grounds that the CFAA’s “general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets.”

The decision, however, expressly left unresolved the three remaining CFAA counts against Nosal, for which the government then successfully tried and convicted him in April 2013.

The three remaining CFAA counts related to incidents in 2005 when two of Nosal’s alleged co-conspirators, who had by that time also left Korn Ferry, accessed the database using the username and password of a third alleged co-conspirator who remained at the firm. In denying Nosal’s motion for acquittal and a new trial, the district court endorsed the government’s argument that using another’s password – even with that person’s consent – could be considered “circumvention of a technological barrier because ‘password protection is one of the most obvious technological access barriers that a business could adopt.’ ”

In January 2014, Nosal was sentenced to one year and one day in prison. The district court stayed his sentence pending the current appeal.

On December 2, 2014, Nosal filed his opening brief with the Ninth Circuit. In it, he argued that the government’s theory that a user name and password is a sufficient “technological access barrier” to trigger CFAA liability is “indistinguishable from the theory” rejected by the Ninth Circuit’s en banc decision and would essentially make it a federal crime when, among other circumstances, “a mother logs in to her daughter’s Facebook account to check her posting.”

The brief does not mention that the government would also have to show that the mother intended to defraud her daughter and obtained something of value over $5,000 – at least under 18 U.S.C. 1030(a)(4), the CFAA section under which Nosal was convicted and he is now appealing.

The government’s answer to Nosal’s opening brief is due in early January 2015.

Meanwhile, two amicus curiae briefs were also filed in early December. One, by the Electronic Frontier Foundation, expressly supports Nosal’s position; and another by The Software Alliance, is ostensibly neutral, but in effect also supports Nosal’s position. The Alliance’s primary concern is that the district court’s decision could be interpreted as meaning that any time a third party accesses a “protected computer” with an authorized user’s credentials, the third party could be deemed to have violated the CFAA. Such a broad interpretation, according to the Alliance, could have negative consequences for cloud computing, which may involve situations where a customer authorizes a “cloud provider to access computers owned by another cloud provider on the customer’s behalf—often by providing the first provider with the customer’s own access credentials for the second provider’s service.”

However the Ninth Circuit rules, the split among federal circuits regarding the scope of CFAA liability, will continue. As it stands, the First, Fifth, Seventh and Eleventh Circuits have applied interpretations of the CFAA leading to more expansive liability; the Ninth Circuit (in Nosal I and LVRC Holdings v. Brekka) and Fourth Circuit have applied narrower interpretations; and the remaining circuits have yet to establish clear positions.

The U.S. Department of Justice decided not to appeal the Ninth Circuit’s initial ruling in Nosal I to the Supreme Court in 2012, and in 2013, the Supreme Court declined to weigh in by denying certiorari on the appeal from the Fourth Circuit’s decision in WEC Carolina Energy Solutions LLC v. Miller.

Several efforts in Congress over the past few years to clarify the law have also failed. The most recent one was Aaron’s Law, named after the 26-year-old computer scientist and activist who took his own life after the Department of Justice indicted him on 11 counts of violating the CFAA for systematically downloading articles from the academic database JSTOR. Aaron’s Law stalled in the House Judiciary Committee this summer, making it unlikely that Congress will bring clarity to controversial aspects of the CFAA anytime soon.

Thus, different interpretations across the country will likely endure, and the law in the the Ninth Circuit likely will remain unchanged for the foreseeable future.

Stay tuned to Trade Secrets Watch for more news and analysis of this case.