Panel 3: The Debate Over United States v. Nosal

If any of the panels can be said to have been adversarial in what was a largely congenial symposium, it was surely the third. While this wasn’t entirely unexpected (“debate” was in the title of the panel, after all), the articles that the two panelists submitted didn’t represent diametrically opposing views. But, as is all too often the case when pulling meaning from the scattered records of lawmakers from a previous generation, the two men’s positions were based on very different ideas of what precisely Congress intended the Computer Fraud and Abuse Act (CFAA) to do.

The Ninth Circuit’s 2012 decision in United States v. Nosal formed the impetus for the panel. For the uninitiated, the case involved an employee (Nosal) who, after deciding to open a competing business, made off with a cache of confidential information from his former employer, including a master list of the firm’s clients. The employee was indicted under the CFAA, with the government arguing that he had exceeded his authorized access to his employer’s computers with an intent to defraud the business, in violation of the act. Nosal countered that, because his employer authorized him in principle to access the information in his role as an employee, he had not exceeded that authorization, but rather only violated his employer’s contractual use and disclosure policy. An en banc Ninth Circuit ultimately agreed, holding that the statute was intended to punish hackers, and if Congress wanted the law’s liability to cover disloyal employees, it would have to “speak more clearly.”

The first panelist to present on the topic was Jonathan Mayer of Stanford University, a wunderkind lawyer and computer scientist who was recently named one of Forbes’s “30 under 30” for his contributions to security and privacy research. In his submission to the symposium, Mayer set out not to argue what courts should do in the wake of Nosal, but rather to describe what they have done, which is to develop a new canon of law that has proven unexpectedly coherent. Over the years preceding Nosal, he claims, the CFAA had strayed from its anti-hacking roots and had become a broad tool with which prosecutors and enterprising companies could threaten consumers, employees, rival entrepreneurs, journalists, and security researchers like himself. In response, courts have acted through decisions like Nosal to narrow the CFAA. Mayer contends that this has led to key shifts in how courts conceptualize “authorization.”

First, courts have adjusted how they distinguish acts that are “without authorization” from those that “exceed authorization.” Before, the difference tended to be one of degree. Conduct that was mildly worse than what was allowed was regarded as being in excess of authorization, while conduct that was much worse was labeled as without authorization. In the new doctrine that Mayer has identified, courts instead draw the line around a computer system as a whole. Courts now consider acting without authorization to be accessing a computer when you have no permission to use the system at all, while poking your nose where you weren’t supposed to on a computer that you are allowed to use for a specified purpose is exceeding authorization. Thus, liability for the provisions of the CFAA that require acting “without authorization” has been strongly restricted.

Additionally, courts have largely adopted the dichotomy between unauthorized access and unauthorized use that lay at the heart of the Nosal decision. When an individual accesses information that the person had no permission to view or interact with, courts will regard it as a CFAA violation. When a person steals or misuses information that the individual was otherwise allowed to access, though, courts now hold that the CFAA does not apply, and the system owner must instead turn to other legal remedies.

In addition to being a desirable limitation on liability, Mayer argues, these changes are more consistent with both the text and the legislative history of the CFAA. And this is where he runs afoul of the panel’s second presenter, Senior Trial Attorney William Hall, Jr. of the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS). Hall’s submission to the symposium centers on the failure of the Nosal court to give the legislative history of the CFAA more than a “perfunctory” examination. When considered properly, Hall submits, the legislative record clearly demonstrates that Congress was concerned about just the sort of insider attack that occurred in Nosal.

In support of his claim, Hall looks to similar computer-crime-related statutes that served as the predecessors of the CFAA and specifically mentioned purpose-based restrictions. He then points to reports from the House and Senate Judiciary Committees that state that changes from the language in the previous statutes were intended only to clarify existing law. Further, reports indicate that Congress responded to concerns raised at the time about criminalizing employees’ innocuous conduct by removing references to “exceeding authorized access” from some areas of the bill, but pointedly did not do so in the sections at issue in Nosal. This jibes with traditional principles of statutory construction, which state that language included in one part of a law and excluded in another represents an intentional omission by the drafter.

The two presenters skillfully argued back and forth on this point, each scoring minor wins before concluding the panel amicably with a handshake. During the question and answer section following the presentations, though, Professor Orin Kerr of The George Washington Law School and co-host of the Symposium gave voice to a sentiment that seemed to undercut both sides of the debate and embody one of the fundamental problems with basing current application of laws on the intentions of legislators long past: given the technological advances that have occurred over the past three decades, could the lawmakers of the 1980s really conceive of “access” and “authorization” in the same way that we do today?

This summary was authored by Law Review member and On the Docket Fellow, Spencer McCandless.
