Case o' The Week: Share? Beware. - Nosal and Shared Passwords as CFFA violations
You really shouldn’t. Your IT staff will yell at you.
(That, and you’ll go to federal prison).
United States v. Nosal, 2016 WL 3608752 (9th Cir. July 5, 2016), decision available here.
Players: Decision by Judge McKeown, joined by Chief Judge Thomas (above). Dissent by Judge Reinhardt. Hard fought-appeal by SF counsel Dennis Riordan, Donald Horgan and Ted Sampsell-Jones.
Facts: Nosal left Korn/Ferry, a headhunting company, to start his own firm. Id. at *2. Korn / Ferry had a confidentiality agreement that prohibited password sharing. Id. at *4. Nosal’s accomplices circumvented their revoked accessed credentials, and consensually used an assistant’s password to access Korn / Ferry’s database for information to take to Nosal’s new enterprise. Id. at *2. Nosal was convicted after trial. Id. at *10.
Issue(s): “This is the second time we consider the scope of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, with respect to David Nosal. The CFAA imposes criminal penalties on whoever ‘knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .’ Id. § 1030(a)(4) (emphasis added). Only the first prong of the section is before us in this appeal: knowingly and with intent to defraud accessing a computer ‘without authorization.’” Id. at *1.
“The question we consider is whether the jury properly convicted Nosal of conspiracy to violate the ‘without authorization’ provision of the CFAA for unauthorized access to, and downloads from, his former employer's database called Searcher. Put simply, we are asked to decide whether the ‘without authorization’ prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means.” Id. at *2 (footnote omitted). "
Held: “[W] e conclude that ‘without authorization’ is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.” Id. at *1.
“We . . . . hold that Nosal, a former employee whose computer access credentials were revoked by Korn/Ferry acted ‘without authorization’ in violation of the CFAA when he or his former employee co-conspirators used the login credentials of a current employee to gain access to computer data owned by the former employer and to circumvent the revocation of access.” Id. at *9.
Of Note: Dissenting Judge Reinhardt explains that this holding extends the CFAA to most of us who share passwords. Id. at *19 (Reinhardt, J., dissenting). It is a compelling opinion, that wonders how this extension of the CFAA statute to consensual password sharing can be reconciled with the very real policy concerns of Nosal I.
En banc, encore?
How to Use: A (thin) silver lining in this case is reversal and remand on the restitution award, for attorney fees. Id. at *18. Korn / Ferry hired “premier” attorneys, and the opinion insinuates that this private firm did a fair chunk of the USAO’s work. Id.
Judge McKeown warns that private attorneys “are not a substitute for the work of the prosecutor, nor do they serve the role of a shadow prosecutor.” Id. An interesting admonishment, for those of us who have endured Silicon’s Valley’s pricest private counsel sitting chummily at the USAO’s table.
For Further Reading: Professor Kerr has an interesting, albeit somewhat self-promoting, analysis of Nosal II in a Washington Post piece here.
A very thought-provoking op-ed comes from Harvard Law Professor Noah Feldman, available here.
Image of Judge McKeown and Chief Judge Thomas from http://www.usdmootcourt.com/wp-content/uploads/2013/03/mclennon_judges_2010.jpg
Steven Kalar, Federal Public Defender N.D. Cal. Website at www.ndcalfpd.org