In two recent decisions issued within a day of each other, two influential federal courts limited the scope of three important federal laws used to prosecute criminal conduct involving computers. On April 10, 2012, the Ninth Circuit limited the scope of criminal liability for prosecutions under the Computer Fraud and Abuse Act, and on the following day the Second Circuit sharply limited the scope of the National Stolen Property Act and the Economic Espionage Act of 1996. Together, these decisions indicate a reluctance to accept prosecutors’ expansive views of the reach of federal criminal laws with respect to computer usage, and the Ninth Circuit’s decision in particular may have far-reaching implications for the enforceability of website terms of service and employee policies in the civil context.
The Ninth Circuit’s decision was issued en banc in United States v. Nosal, upholding the district court’s dismissal of David Nosal’s indictment for violations of the Computer Fraud and Abuse Act (“CFAA”). Nosal had worked for an executive search firm and left to start a competing business. He convinced several of his former colleagues to help him by accessing and then transferring to him source lists, names, and contact information from the firm’s confidential database. The former colleagues were authorized to access the database, but the firm had a policy forbidding the disclosure of confidential information. The government charged Nosal with violating 18 U.S.C. § 1030(a)(4) by aiding and abetting the former colleagues in “exceed[ing] authorized access” to the firm’s computers with intent to defraud the firm.
Nosal moved to dismiss the CFAA counts, arguing that the statute was meant to target hackers and not those who accessed a computer lawfully but then misused information obtained from such access. The district court agreed, and the government appealed. In a panel decision issued in 2011, the Ninth Circuit reversed the district court, holding that an employee “‘exceeds access’ under § 1030 when he or she violates the employer’s computer access restrictions — including use restrictions.” The en banc court found otherwise, holding that “‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” (Emphasis in original.) To hold otherwise, the court reasoned, would make federal crimes out of “minor dalliances” like playing games or shopping online, if such activities were prohibited by an employer’s computer-use policy. The court observed: “Employer-employee and company-consumer relationships are traditionally governed by tort and contract law,” and to interpret the CFAA to apply to use restrictions “allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law.” This would implicate “[s]ignificant notice problems.” Although the government argued that it would not prosecute minor violations of the law, the court found that “we shouldn’t have to live at the mercy of our local prosecutor.”
The Second Circuit’s decision in United States v. Aleynikov, issued on April 11, 2012, limits the reach of computer crime prosecutions under the National Stolen Property Act (“NSPA”) and the Economic Espionage Act of 1996 (“EEA”). Sergei Aleynikov was convicted of violating both acts based on his theft and transfer of his company’s proprietary source code. Aleynikov was a computer programmer at Goldman Sachs, where he developed source code for the company’s proprietary high-frequency trading (“HFT”) system. Goldman’s policies bound Aleynikov to keep the firm’s proprietary information confidential and barred him from taking or using it when his employment ended. Aleynikov accepted an offer from a new company that was looking to develop its own HFT system. On his last day at Goldman, Aleynikov uploaded source code for Goldman’s HFT system to a server in Germany, which he then downloaded to his home computer for use at his new job.
Aleynikov was sentenced to 97 months in prison. He appealed, arguing that the district court should have dismissed his indictment for failure to state an offense. The Second Circuit reversed his conviction on both counts, finding that his conduct did not constitute an offense under either statute. (Aleynikov had also been charged with a criminal violation of the CFAA, but the district court had dismissed that charge on the ground that “authorized use of a computer in a manner that misappropriates information is not an offense” under the act. This ruling predates the similar en banc Nosal decision discussed above, and the government did not appeal the ruling.)
The NSPA criminalizes transmittal of a stolen “good” in interstate or foreign commerce. The Second Circuit held that source code is not a “good,” and therefore, “the theft and subsequent interstate transmission of purely intangible property is beyond the scope of the NSPA.” The court “decline[d] to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age.” Significantly, the court noted that a different conclusion might apply if the stolen source code had been removed from Goldman’s premises on a tangible item, like a CD or flash drive, instead of having been stolen through uploading to an off-premises server.
The EEA prohibits the unauthorized downloading, uploading, transmitting, or conveying of trade secrets related to or included in a product that is produced for or placed in interstate or foreign commerce, with the intent to convert the trade secret, while intending or knowing that the offense will injure the owner of the trade secret. On this count, the Second Circuit held that Goldman’s HFT system was neither “produced for” nor “placed in” interstate commerce because Goldman had no intention of selling or licensing the system and, in fact, “went to great lengths to maintain the secrecy of its system.”
Although neither the NSPA nor the EEA provides for a private right of action, we think it is possible the rationales of these decisions could influence civil litigation involving misuse of an employer’s computer system, including, in particular, civil litigation under the CFAA based on violations of website terms of service or employee policies. For previous such cases, see, e.g., Am. Online, Inc. v. LCGM, Inc. and EF Cultural Travel BV v. Explorica, Inc. In most of these cases, it appears that the defendant was authorized to access the website or system in question, but misappropriated the data on those websites or systems. In addition to limiting criminal exposure, the Ninth Circuit’s interpretation of “exceeds authorized access” in Nosal may be construed to undermine this basis for a civil suit. Watch these pages for further reports on these issues.