New Media and Technology Law Blog : Technology Lawyers & Attorneys : Proskauer Rose Law Firm : Trademarks, Patents & Copyright

David Nosal was a former employee of an executive search firm. He is accused in a multi-count indictment of having conspired with other employees of the firm to misappropriate the firm's trade secrets in order to use the information to start a rival search firm. According to the indictment, the other employees used their accounts and passwords on Nosal's behalf, without authorization and in excess of their authorization, to access and copy proprietary information to be used in connection with the establishment of the new firm. Last spring, Nosal sought dismissal of the CFAA charges on the ground that the statute does not cover misuse or misappropriation of information obtained with permission, but Judge Patel of the Northern District of California, in a ruling prior to LVRC v. Brekka, lined up with the Seventh Circuit position on the issue. She declined to dismiss the charges, ruling that the indictment sufficiently alleged that Nosal's co-conspirators engaged in "knowing access of electronic records for uses outside their intended purpose," and that access was "not only purposeful, but also with the intent to defraud, and that confidential and proprietary information was both taken and used to further the intended fraud, i.e., to advance Nosal’'s own executive search activities, to the detriment of" the former employer.

After LVRC v. Brekka was decided, Nosal moved for reconsideration of Judge Patel's prior ruling, and this time Judge Patel ruled that the government could not establish either that Nosal's access to the employer's computer (via the acts of his alleged co-conspirators) was "without authorization" or that it "exceeded authorized access." The government apparently conceded that the allegation that the access was "without authorization" could not survive LVRC v. Brekka, but dug in its heels and argued that it could still be argued that the employees' conduct "exceeded authorized access," based upon their disloyal purpose.

Judge Patel pointed out that while the opinion in LVRC v. Brekka focused on the term "without authorization," the logic of the opinion equally applied to the term "exceeds authorized access." She reasoned that under LVRC v. Brekka, "intent and authorization are independent elements of the CFAA," and that the employee's intent in accessing an employer's computer "is irrelevant in determining whether an individual has permission or is authorized to access the computer." She also rejected the argument that the employees exceeded their authorized access based on language in the employer's confidentiality and computer use policies. While there was some language in the Ninth Circuit ruling suggesting that an employer might be able to rely upon such language in defining authorized access, that language could not survive an examination of the statutory definition:

An individual only "exceeds authorized access" if he has permission to access a portion of the computer system but uses that access to "obtain or alter information in the computer that [he or she] is not entitled so to obtain or alter." 18 U.S.C. § 1030(e)(6) (emphasis added). There is simply no way to read that definition to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate. Such an interpretation would defy the plain meaning of the word alter, as well as common sense. A person does not necessarily alter information on a computer when they access it with a nefarious intent. Furthermore, the government’s proposed interpretation of "exceeds authorized access" would create an uncomfortable dissonance within section 1030(a)(4). Pursuant to the government’s reading of the statute, an individual’s intent would be irrelevant in determining whether that person accessed a computer "without authorization," but as long as the company had policies governing the use of the information stored in its computer system, that same individual’s intent could be dispositive in determining whether they "exceed[ed] authorized access."

Nosal still isn't off the hook on this indictment by any means. Judge Patel refused to dismiss several CFAA charges based on alleged access by Nosal's co-conspirators after they left the employer. And, although mail fraud charges were dismissed, there are also remaining federal trade secret theft and misappropriation charges, as well as conspiracy charges.

The implications of the Nosal case for exceedingly broad interpretation of the CFAA were noticed early in the game by Prof. Orin Kerr, a well-recognized authority on this subject, who was prominently on the team that successfully represented Lori Drew in the so-called MySpace suicide case, which also involved an expansive government interpretation of the CFAA in a criminal prosecution. Prof. Kerr blogged about the government's legal theory in Nosal that "an employer who uses an employer's computer with a bad motive is a criminal"prior to Judge Patel's first ruling on the issue. Prof. Kerr has also authored a recent article on the topic of CFAA application in criminal cases, a must-read for anyone interested in or concerned about this topic.

The question of what effect an employee's disloyalty has on authorization to access an employer's computer has arisen in numerous cases in which employers have added civil claims under the CFAA in actions brought against employees alleged to have misappropriated of trade secrets. A typical scenario in which such a claim would be made is where, before departing for a new job, the employee is alleged to have copied or transmitted an employer's computer files for the benefit of a new employer.
 
Often, what is at stake in such cases is the employer's ability to maintain an action in federal court. A dispute over misappropriation of trade secrets is likely to involve only state law issues, and unless there is diversity of the parties, there is no basis for jurisdiction in a federal court. But, of course, federal courts have jurisdiction over a CFAA claim, and the trade secret misappropriation claims are then swept into federal court along with the CFAA claim as pendent state law claims.
 
The Seventh Circuit opinion in International Airport Centers v. Citrin is the ruling that is cited by employers seeking to press CFAA claims in such cases. In that case the circuit, in an opinion written by Judge Posner, ruled that under common law agency principles, an employee who breaches the duty of loyalty to an employer thereby becomes “unauthorized” to access the employer's computer, at least for the purpose of furthering an act of disloyalty to the employer. In LVRC Holdings, LLC v Brekka, the Ninth Circuit ruled to the contrary, finding that under the plain meaning of the language of the CFAA, acts of disloyalty on the part of an employee do not render the employee's access to the employer's computer unauthorized within the meaning of the statute.
 
In LVRC, the Ninth Circuit panel concluded that under the “ordinary, contemporary, common meaning” of the statutory terms, “an employer gives an employee 'authorization' to access a computer when the employer gives the employee permission to use it.” The court found that there is no statutory language to support the contention that authorization terminates when an employee determines to act contrary to the interest of an employer. The court looked to the term "“exceeds authorized access,"” and concluded that the definition of that term made it clear that Congress had no intent to include in the statute any implicit, rather than explicit, limitation on the term “authorization.” It is an employer's act of allowing or terminating an employer's authorization to access a computer that determines whether the employee's access is “authorized” within the meaning of the statute, not the employee's disloyal act. The court reasoned:

 Section 1030(e)(6) provides: “the term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). As this definition makes clear, an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has “exceed[ed] authorized access.” On the other hand, a person who uses a computer “without authorization” has no rights, limited or otherwise, to access the computer in question. In other words, for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or “without authorization.”

The Ninth Circuit rejected the Seventh Circuit's reasoning in International Airport Centers, LLC v. Citrin, concluding that relying on whether an employee's “mental state changed from loyal employee to disloyal competitor” to determine whether the statute had been violated would be problematic in the criminal law context. The statute should be interpreted consistently in civil and criminal contexts, the court reasoned. Relying on the employee's mental state with respect to disloyalty to determine whether the statute had been violated would run afoul of the proscription against “interpreting criminal statutes in surprising and novel ways that impose unexpected burdens on defendants.”
 
In this respect, the ruling echoes (but does not cite) the recent district court opinion in United States v. Drew, No. CR 08-0582-GW (C.D. Cal. Aug. 28, 2009) (the MySpace "cyberbullying" criminal prosecution). There, the court dismissed a misdemeanor charge of violating the CFAA that was predicated on a user's alleged violation of the MySpace Terms of Service, finding that it would run afoul of the void for vagueness doctrine because “individuals of 'common intelligence'” arguably would not be on notice that a breach of the terms of a service contract could become a crime under the CFAA.  
 
And conversely, the Ninth Circuit ruling appears to contradict the recent opinion in United States v. Nosal, 2009 U.S. Dist. LEXIS 31423 (N.D. Cal. Apr. 13, 2009), in which the district court declined to dismiss an indictment charging a violation of 18 U.S.C. § 1030(a)(4). The indictment alleged that the statute was violated when a former employee accessed an employer’'s computer network to copy proprietary information for use in a competitive enterprise. The court found that the statutory element of “intent to defraud” in subsection 1030(a)(4) could be found in the employee’'s “knowing access of electronic records for uses outside their intended purpose.” The court in Nosal also rejected the defendant’'s argument that because subsection 1030(a)(4) had never been addressed in the criminal context the indictment should be dismissed under the rule of lenity. Citing International Airport Centers, LLC v. Citrin and a number of opinions following it, the court found that there was “ample authority” in civil cases construing this section to conclude that the CFAA was violated by the 'access to the employer’s confidential and proprietary information to advance his own competitive enterprise.
 
No doubt more will be heard on this issue in the Ninth Circuit, and other courts as well. And eventually, perhaps, the U.S. Supreme Court.
 

The essence of the dispute is that Power Ventures, instead of developing its interface through the Facebook Connect developer program, created a Facebook user account and accessed Facebook content through that account. Facebook alleged that the creation and use of that account was in violation of the Facebook Terms of Use. Facebook Complaint ¶ 24, 41. The complaint also alleges that Power Ventures used the interface that it created to induce Facebook users to share their usernames and passwords, and then utilized that information to access Facebook servers via its interface in a manner that violated the Facebook ToU.

The complaint alleges that the ToU prohibits a variety of activities, including, among other things, solicitation of passwords or personally identifying information for commercial or unlawful purposes; using or attempting to use the account of another user or creating a false identity; using automated scripts; impersonating another person or entity; sending “junk mail” or “spam”; harvesting e-mail addresses; registering for more than one account; and “using Facebook’s website for commercial use without the express permission of Facebook.” The ToU also provides that the limited license granted to access and use the site terminates when the site is used “other than as specifically authorized herein.”

The copyright claim alleges that in violation of the ToU, Power Ventures used its account to access and copy the Facebook Web site, including the Facebook home page for which Facebook has obtained a copyright registration. Complaint ¶ 31, 70. Judge Fogel concluded that the allegations of the complaint made out a sufficient claim of copyright infringement because Power Ventures “need only access and copy one page to commit copyright infringement.” The court also found that the ToU prohibited downloading, scraping or distributing content from the Facebook Web site content except that belonging to the user, and that in any event, using automated methods, i.e., “data mining, robots, scraping, or similar data gathering or extraction methods” to access any content were also prohibited by the ToU. Thus, the court found that the allegation that Power Ventures accessed Facebook via automated means constituted made out a claim of direct copyright infringement, while the allegation that Facebook users utilized the Power.com interface to access their own profile pages made out claim of secondary copyright infringement.

Judge Fogel also declined to dismiss Facebook’s claim that the use of automated scripts to access Facebook copyrighted content bypassed specific technical measures designed to block such access and thus violated the DMCA. The trademark infringement claims were sustained based upon the inclusion in the complaint of a screenshot illustrating the use of the Facebook mark on an e-mail sent by Power Ventures to Facebook users. The court did order Facebook to file a short statement clarifying the basis for its California unfair competition claim.

The complaint also alleges a federal CAN-SPAM claim stemming from the transmission of e-mails to other Facebook users encouraging them to use the Power.com interface. According to the opinion, Power Ventures abandoned its challenge to the sufficiency of the CAN-SPAM claim, as well as its challenge to the sufficiency of the complaint under the CFAA. The CFAA claim also is grounded on the allegation that Power Ventures’s access to Facebook’s computers was unauthorized because it was in violation of the Facebook ToU.

The court’s refusal to dismiss Facebook’s claims demonstrates that careful drafting of a Web site terms of use is essential to obtaining legal redress for unauthorized access, particularly unauthorized access by competitors and others for commercial purposes. Access that violates the clear proscriptions of a ToU can form the basis for a multiplicity of legal claims, thereby maximizing the chances of a successful challenge to unwanted access.