"Without Authorization" Means Unauthorized
The United States Court of Appeals for the Ninth Circuit recently ruled that a provision in the federal Computer Fraud and Abuse Act, which prohibits anyone from accessing “a protected computer without authorization,” pretty much means what it says. So an employee who accesses a computer using a password that’s been revoked may be in violation of the statute. And if that ruling sounds intuitive, it was not unanimous.
The CFAA imposes criminal penalties on whoever "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." David Nosal worked at the executive search firm Korn/Ferry International when he decided to launch a competitor along with a group of co-workers. When Nosal left Korn/Ferry, the company revoked his computer access credentials, even though he remained for a time as a contractor. Nonetheless, Nosal continued to access the database using the credentials of his former executive assistant, who remained at Korn/Ferry.
At trial, a jury convicted Nosal of violating the CFAA’s prohibition against “unauthorized access.” On appeal, the question was whether the jury properly convicted Nosal of conspiracy to violate the "without authorization" provision of the CFAA for unauthorized access to his former employer's database. As the appellate court noted, “[p]ut simply, we are asked to decide whether the ‘without authorization’ prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means.”
In the majority’s view, it was an easy question, with a clear answer: "[A] person uses a computer 'without authorization' under [the CFAA] . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway. This straightforward principle embodies the common sense, ordinary meaning of the 'without authorization' prohibition.” The court displayed little patience with Nosal’s arguments, noting: “Nosal spin[s] hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company's internal computer-use policies. . . . Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. . . . This access falls squarely within the CFAA's prohibition on access ‘without authorization,’ and thus we affirm Nosal's conviction for violations of § 1030(a)(4) of the CFAA.”
The dissent saw it a little differently. Here’s its view: “[t]he majority is wrong to conclude that a person necessarily accesses a computer account ‘without authorization’ if he does so without the permission of the system owner. Take the case of an office worker asking a friend to log onto his email in order to print a boarding pass, in violation of the system owner's access policy; or the case of one spouse asking the other to log into a bank website to pay a bill, in violation of the bank's password sharing prohibition. . . . Was access in these examples authorized? Most people would say ‘yes.’ Although the system owners' policies prohibit password sharing, a legitimate account holder ‘authorized’ the access.”
The dissent echoes the concern of many commenters who have considered this question. If an employer (or a service provider) can set the terms of access, and unauthorized access is anything that doesn’t conform with those terms, doesn’t that mean that the private employer or service provider is kind of writing the criminal code? And while it might be nice to have that kind of authority, it certainly could lead to some rather arbitrary results. Not to mention the fact that, based on the dissent’s examples, it’s likely that 99% of us have committed a crime at some point in the last decade.
The dueling opinions here seem to suggest that the statutory definition of “authorized” is not crystal clear. The solution may be for Congress to clear this up. Otherwise, people’s liability under the CFAA may depend on the judicial circuit where they reside. And that in itself seems a little arbitrary.
Kim Davis In Trouble Again?
Kim Davis, the Rowan County, Kentucky clerk who made headlines last year by refusing to issue marriage licenses to same-sex couples, remains engaged in legal battles. Maybe she likes the attention. In any event, her most recent adventure has resulted in a ruling by the Kentucky Attorney General finding she violated Kentucky’s Open Records Law.
Ms. Davis’s adversary in this most recent battle is not a same-sex couple, but rather an organization called “The Campaign for Accountability.” The CFA is a non-profit organization that works to “expose misconduct and malfeasance in public life.” The CFA made a public records request for “copies of all retainer agreements and attorney-client engagement agreements from January 1, 2013, to the present between [Ms. Davis and her staff] and Liberty Counsel.” The request also sought copies of “all documents that authorize [Ms. Davis] to enter into an attorney-client relationship with an outside entity or individual in [her] governmental capacity on behalf of Rowan County.”
Liberty Counsel is a religious advocacy group that represented Ms. Davis in her battle over the marriage license issue last year. Answering on behalf of Ms. Davis, the Liberty Counsel asserted a number of defenses to the Open Records Act that in its view would put the requested documents beyond the CFA’s reach. Included in the defenses were claims that the records were protected by the attorney client privilege and that they were “preliminary” and therefore not subject to production.
Not satisfied with this response, the CFA appealed to the Attorney General for a ruling on the propriety of the Liberty Counsel’s response. As a threshold matter, the CFA argued it was entitled to a response from Kim Davis herself, not the Liberty Counsel. The Attorney General disagreed with this position. It found that a public official “does not violate the Open Records Act in responding to a request through private counsel.” So far so good for Ms. Davis. But the Attorney General found that Ms. Davis and the Liberty Counsel did violate the Open Records Act in another respect. The Attorney General had asked that Ms. Davis produce the records for an “in camera” review. In a case like this, the Attorney General is entitled to review the records privately to determine if the party is entitled to invoke the exemption. The attorney client exemption is a good example. Without the ability to privately inspect the records, the Attorney General would have to take the Liberty Counsel’s word for it. I’m not saying they’d lie, but “scout’s honor” seems like a pretty thin legal standard.
But Liberty Counsel and Ms. Davis apparently think their word is good enough. They refused to produce the records for an in camera review. The Attorney General, unsurprisingly, found this refusal to constitute a violation in itself. As the AG noted, “[a]n agency cannot benefit from intentionally frustrating the Attorney General's review of an open records request; such result would subvert the General Assembly's intent behind providing review by the Attorney General.”
It’s possible that the Liberty Counsel’s positions – that the records are protected by the attorney client privilege and are preliminary – are correct. But the decision maker – the Attorney General – is entitled to make an informed judgment. Otherwise, this becomes a matter of faith. That may suit the Liberty Counsel’s religious beliefs, but it’s not great public policy.