As the Second Circuit wades into the long-simmering fray over the Computer Fraud and Abuse Act, I am starting to wonder if this is all worth the trouble. In other words, do we have reason to be concerned about the CFAA reaching seemingly innocuous conduct, or is the statute working as intended?
For those unfamiliar with the dispute over this once-obscure law, the statutory language "exceeds authorized access" has divided federal courts for more than ten years. The CFAA imposes both civil and criminal liability for those who exceed authorized access from a protected computer and obtain certain types of information. The term "exceeds authorized access" means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.
The dispute in employment contexts almost always arises when an employee, before leaving to compete, accesses a company database and digitally copies proprietary files (they do not have to be trade secrets under the CFAA). The employee's access is technically authorized, but if the employee acquires information contrary to his duty of loyalty and then misuses company data, some courts have held that this improper purpose qualifies as "exceeding" authorized access. Other courts take the opposite view.
An interesting (and very disturbing) case from the Second Circuit has fueled this split in authority. The case is not an employment case and involves a disgusting set of facts that I won't repeat. The case of United States v. Valle arose when a New York City police officer accessed a computer program called Omnixx Force Mobile, which allowed him to search restricted databases like the federal National Crime Information Center database, to gain sensitive personal information about an individual. The purpose of his access was to learn details about a woman the officer knew from high school, and whom he and a co-conspirator intended to kidnap. As such, the officer had no valid law enforcement purpose for accessing the database.
Reversing a conviction under the CFAA, the Second Circuit waded into the fray over the meaning of "exceeds authorized access" and the application of that statutory term to the officer's conduct. The court acknowledged a deep circuit split over the term's meaning and then took a deep, even nauseating dive, into the CFAA's legislative history. After going through that exercise, the court ultimately found that both the narrow and broad view found some support. And because of that, the court determined that a criminal statute had to be construed narrowly (the so-called rule of lenity).
The Second Circuit then adopted the "parade of horribles" approach, articulated by Judge Kozinski in United States v. Nosal. In that case, Judge Kozinski described the potential reach of the CFAA if the court had authorized a broad definition of "exceeds authorized access," a reach that would in his view criminalize a wide range of innocuous, everyday behavior. The examples include an employee using a computer to check Facebook, in violation of a corporate computer policy and similar conduct qualitatively different than that before the court.
Given the Second Circuit's adoption of a narrow view (and its agreement with the Fourth and Ninth Circuit), the circuit split over the CFAA's reach has become deeper. It is possible that U.S. Attorney Preet Bharara will seek to file a petition for writ of certiorari over this question. Though Congress in the past has entertained amendments to the CFAA, no legislative activity is imminent. In my view, Congress easily could find a middle ground between the two lines of authority to ensure that the CFAA does cover the type of conduct at issue in Valle and even civil cases that resemble some form of insider hacking or sabotage.
But even though I have in the past endorsed the narrow view of the CFAA, I question whether prosecutors are abusing the law. While the result in Valle seems wrong strictly in terms of justice, the Second Circuit's reversal in no way suggests that prosecutors overreached by charging Valle under the CFAA. Nor am I seeing an overuse of the CFAA in the civil context. Cases like Nosal, to be sure, seem more appropriate for a civil remedy. But are they outliers? Is the CFAA actually being used selectively, rather than punitively? If so, then perhaps we need not worry so much about individuals being hailed into court based on a "confused, accidental, or otherwise inappropriate use" of a database (the coin the phrase used by the dissenting judge in Valle). Maybe we have struck the right balance and done our best with an imperfect law that can, at times, be used effectively.