United States v. David Nosal
EFF has filed three separate amicus briefs in this criminal case, explaining why the government’s repeatedly expansive interpretation of the Computer Fraud and Abuse Act (CFAA) threatens people engaging in innocent behavior with criminal liability.
David Nosal, an ex-employee of the Korn/Ferry executive recruiting firm, was charged with violating the CFAA on the theory that he induced current company employees to use their legitimate credentials to access the company's proprietary database and provide him with information in violation of the company’s computer-use policy. The government claimed the violation of this policy was a federal crime, but a lower court disagreed, throwing out some of the CFAA charges. When the government appealed to the Ninth Circuit Court of Appeals, we filed an amicus brief explaining how imposing criminal liability for merely violating a company policy would dramatically expand the CFAA and turn millions of law abiding citizens into criminals. In an important 2012 decision, the Ninth Circuit agreed with us, ruling that accessing a workplace computer in violation of a corporate policy is not a CFAA violation.
The Ninth Circuit returned the case to the lower court to handle the remaining CFAA charges. These were based on the government’s theory that Nosal violated the CFAA when other ex-employees acting on Nosal’s behalf allegedly used the legitimate access credentials of a current company employee, with that employee’s knowledge and permission, to access Korn/Ferry’s propriety database. The district court refused to dismiss these charges, and Nosal was convicted at jury trial and sentenced to one year and one day in prison.
With his case on appeal before the Ninth Circuit again, EFF filed another amicus brief in his support, arguing that interpreting the CFAA to criminalize using an authorized user’s login credentials with their knowledge and permission ignores Congress’ intent to make the CFAA an anti-hacking statute. More importantly, this interpretation of the CFAA makes criminals out of the millions of people who use login credentials of family members or friends with their knowledge and permission.
We expect the Ninth Circuit will hear oral argument sometime in the spring of 2015.