We’ve written previously about the Computer Fraud and Abuse Act (CFAA) being limited by judicial interpretation, especially for employers as civil plaintiffs, and offered tips on alternatives to controlling unauthorized access to or use of enterprise IT systems by employees. Reports Of The Computer Fraud and Abuse Act’s Demise Have Been Greatly Exaggerated | Information Intersection. The terrain is getting even murkier.
The Court of Appeals for the Ninth Circuit last April in Nosal gave the statute a limited construction, holding that the “exceeds authorized access” offense is “limited to violations of restrictions on access to information, and not restrictions on its use.” That may make sense from the perspective of a law dating to 1984 and initially designed to criminalize physical damage to computing systems, but not from the perspective of how courts transition precedent from one technical era into another. The CFAA is not that old. Yet already we are confronted with an increasing conflict as to its basic scope when applied to civil remedies for insiders who exceed their authority and injure corporate good will or IP. Indeed, cybersecurity experts often warn that the greatest threats to business IT systems and the information they store arise not from hackers, but dishonest or disaffected employees, even “well-meaning insiders.”
Last week the Fourth Circuit added more fuel to the CFAA fire in WEC Carolina Energy Solutions LLC v. Miller, extending Nosal to civil claims and concluding that the law does not codify violations of corporate information technology policies. The employer’s IT policy (as this blog recommended) prohibited employees from using company information without authorization and from downloading information to their personal computers. So was use of information in violation of that policy, but obtained from a computer an employee is otherwise authorized to access, “without authorization” or “exceed[ing] authorized access”?
The WEC Carolina court said no. Unauthorized access applies to an employee who has “approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access…. Notably, neither of these definitions extends to the improper use of information validly accessed.” They do not cover information misuse alone, the court reasoned, because as a criminal statute the CFAA must be construed in accordance with the plain meaning of its language so defendants have fair warning about punishable conduct. The Fourth Circuit also rejected the “cessation-of-agency” theory espoused by the Seventh Circuit. Under this theory, if as an employee you use a corporate computer network in breach of your company’s policy, you have violated your fiduciary duty and therefore any right of access is terminated by operation of law, making ongoing use of the network a violation of the CFAA. The Fourth Circuit held that this approach would improperly suck in “millions of ordinary citizens” who innocently check Facebook or sporting event scores while at work.
Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy. Providing such recourse not only is unnecessary, given that other legal remedies exist for these grievances, but also is violative of the Supreme Court’s counsel to construe criminal statutes strictly.
The ambiguities inherent in the often-amended CFAA are growing as aggressive litigants vie for competing interpretations. They expose the often-secret reality that the statute was not structured for an era when most employees have company-issued computing devices and are permitted remote BYOD access to corporate IT systems. The argument that the CFAA regulates the workplace today because everyone uses what the statute classifies as “protected computers” (used in interstate commerce, i.e., with an Internet connection) is on its last legs. We do suspect that the wide gulf among the federal appellate courts may inspire the Supreme Court to take up a CFAA case next term, which begins in October 2012, but even if review is accepted a decision would likely not be handed down until 2013 or even 2014. Employers obviously cannot wait that long and, given political paralysis on cybersecurity in the Senate, a legislative clarification seems extremely unlikely.
The lesson: employers should keep tabs on the CFAA, but put more of their IT and IP protection “eggs” into confidentiality agreements, NDAs and other “baskets” that do not raise the linguistic disputes and uncertainty plaguing civil CFAA litigation today.
Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.
For decades Penn State football fans claimed their program was different, better and purer than others-a model for all college sports. But former FBI director Louis Freeh’s 267-page report blew a hole through that claim last Thursday. It is withering, thorough, believable: When Nittany Lions coach Joe Paterno, school president Graham Spanier and others were told that Sandusky was molesting children, they all felt bad. For Sandusky.
Shattered | SI-Everywhere.
The whole Sandusky scandal is revolting. This quote from Michael Rosenberg of Sports Illustrated captures the disgust which most Americans feel towards the once-proud institution. Joe’s family protests, but taking down his statue and revoking the record-setting coaching victories was the least that could be done to restore some modicum of respect to college football.
I’m not a reactionary liberal and think the personal loyalty shown towards Sandusky was admirable. But when one is talking about serious child abuse for more than a decade, a crime is a crime, just as much now as in 1998. Not reporting this serial child molester to the authorities for prosecution — and at the very least severing his ties to the Penn State football program, which facilitated his evil — is and remains completely inexcusable. We can only hope Paterno is red-faced in his grave.
NCAA sanctions Penn State for Sandusky scandal | Reuters.
Whatever one thinks of Roger Clemens’ veracity (let alone possible steroid use), the idea that his criminal trial ends without a verdict because the prosecutors blatantly disregarded the court’s instructions by showing the jury inadmissible evidence is just astounding. Brings to mind former Supreme Court Justice Benjamin Cardozo’s famous question from the 1920s — should the suspect go free because the constable has blundered?
From the reports I’ve read, this was either incompetence or intentional overreaching, as the U.S. Attorneys’ office played in open court a videotape of congressional testimony in which a member read aloud portions of an affidavit (from Andy Pettitte’s wife) the court had declared — correctly, in my view — could not be used (at least not until rebuttal, if the defense attacked Pettitte’s credibility). Astonishing. The meaning of this fiasco is that the government, no less and perhaps more than any other litigant, cannot under our American system of constitutional justice avoid its responsibilities to ensure fairness in criminal prosecutions.
Last week, a federal district court ruled that mandatory DNA collection for all people facing federal felony charges is constitutional, dealing a setback to civil liberties. U.S. District Judge Gregory G. Hollows upheld the DNA Fingerprint Act, a 2006 statute which allows federal law enforcement agencies to collect DNA from individuals “arrested, facing charges, or convicted” of federal offenses, as well as those “detained” but not charged. Previously, states throughout the country had a variety of different laws on the books regarding DNA collection — with most mandating testing only after a suspect had been convicted of a crime. The Not-So Private Parts [True/Slant].
So to dub this a “criminal” DNA database is misleading, because the DNA collection — stored in a database known as CODIS, short for Combined DNA Index System — is not limited to convicted people and never goes away. Historically, until 2001 DNA was collected only from inmates who had been convicted of a small number of specified offenses defined in rules promulgated by the Justice Department. Then the USA PATRIOT Act, in Section 503, added three additional categories of qualifying federal offenses for purposes of DNA-sample collection: (1) an offense listed in 18 U.S.C. 2332b(g)(5)(B), for “acts of terrorism transcending national boundaries”; (2) a crime of violence; and (3) an attempt or conspiracy to commit any of the above offenses.
So this little-noticed piece of legislation not only expands infinitely, to any criminal offense, those eligible for DNA collection. It also expands the DNA database to people who are arrested but never indicted or “charged” but never tried, as well as those who are acquitted! That’s bad enough, in my view, to characterize this law as yet another step toward an Orwellian future for the United States, driven by the knee-jerk reaction to 9/11, led by conservatives such as Sen. Jon Kyl, well-known for spearheading the so VERY important battle to criminalize Internet gambling by U.S. citizens. Will the government require location-based service providers, cell phone networks and smart-tag toll technologies to hand over and archive location data on subscribers, so the government can track us? Will Amazon, eBay and other online retailers be forced to allow the government to troll their databases for purchasing patterns?
Maybe folks made the same complaints when fingerprints began to be collected on arrest more than 70 years ago. But the difference is that DNA has taken on almost mythical status as being indisputable. As Eric Goldman observed when the Act was passed:
Criminal jurors, charged with deciding facts in a trial, tend to be irreversibly swayed by DNA evidence, rightly or wrongly. Call it the “CSI effect,” but DNA evidence creates an irrefutable connection in the minds of most jurors. While this can be a two-edged sword when juries expect forensic evidence prosecutors just don’t have, jury allegiance to DNA evidence tends to harm defendants it is introduced against much more than it exonerates them.
This is a double-whammy. First the government gets DNA from anyone with even the most cursory involvement with the criminal justice system. Then it can utilize those samples to add a patina of irrefutability to its criminal prosecutions. Whether or not the CODIS database is extended again (maybe to all infants born in the United States, justified as a way to protect against kidnapping and Amber Alert lost kids?), I believe its application beyond individuals convicted or indicted for terrorism and violent felonies is unnecessary and irresponsible.
As Benjamin Franklin wrote in 1759, “Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.” That’s a good lesson to apply to the DNA Fingerprint Act.
Had I noticed Bernie Ebbers, former WorldCom/MCI thief, seeking an 11th-hour pardon from the Bush Administration last week, I surely would have ranted. Ebbers Trying to Join the Bush Pardon Party [WSJ.com]. His sleaze never ends. Bernie was fairly convicted for some really serious financial crimes and deserves all the punishment he was handed. He absolutely ruined the life savings of scores of my friends, clients and colleagues from MCI by driving the company, and its stock price, into the ground. I for one hope he rots in prison.
Alaska Sen. Ted Stevens has been a fixture for decades on Capitol Hill, which means by definition folks are afraid of him. In this case it also means he’s dirty. Now the federal government — prosecuting Stevens for omitting $250,000 in home improvements from his financial disclosure forms — has totally botched the case by itself failing to disclose evidence to Stevens’ defense team. Judge Threatens to Throw Out Corruption Case Against Ted Stevens [L.A. Times].
That’s a Brady violation, so named for the Supreme Court case requiring disclosure of exculpatory materials to a criminal defendant. Basic, basic. Here the Assistant U.S. Attorney disclosed only a “redacted” — incomplete — copy of the government’s interview of its star witness. Turns out the missing stuff was also the good stuff. Good for Stevens and now bad for the people. I think this sullied old crook should be hounded out of office by the Alaska electorate or banned by the Senate Ethics Committee. A long time ago, Supreme Court Justice Benjamin Cardozo asked whether “the criminal should go free because the constable has blundered.” The answer to that is yes, but it’s no solace that a crooked politician gets away with corruption for such a stupid blunder.
The offense happened two years ago, but the consequences are only now becoming reality. Ex-Judge Disbarred for Using Penis Pump During Trials [ABA Journal]. The judge, who entertained himself while presiding over capital murder prosecutions, saw his pneumatic proceedings come to an end after a police officer heard the pump’s distinctive signature during a case, and photographed the device during a recess. This is not just what lawyers call a “crime involving moral turpitude,” it’s revolting. (Does it run in the profession? See Cross-Dressing Bankruptcy Judge Lands at Boston Law Firm [ABA Journal]). Humans are sexual beings, but there is indeed a time and a place for everything, including penis pumps. Just ask Austin Powers.
I almost forgot about this little FBI fiasco from last week. Seems as if, seven years later, our wondrous federal forensic cops finally fingered the culprit in those Anthrax mail attacks against the Senate. Problem is, the perp committed suicide weeks ago. So the FBI’s “case” basically amounts to assertions that Bruce Ivins, a scientist with access to anthrax samples, could not “credibly” explain an alibi. F.B.I. Details Anthrax Case, but Doubts Remain [NYTimes.com].
No shit, “doubts” remain. Remember Richard Jewell from Atlanta, hounded mercilessly after being accused of the ‘96 Olympic bombings? He nearly bought the farm and was clearly innocent. The FBI’s disclaimer that “the many mysteries of the case meant an air of uncertainty would always surround it” is too little, too late. If American law enforcement can only solve cases years later by blaming dead guys, we as a society have mucho problemas.
So the Department of Justice has concluded that its Office of Legal Counsel and related hiring practices under President Bush broke civil service laws in favoring applicants with political connections and conservative political credentials. But they refuse to do anything about it. Justice Dept. Issues a Callback [washingtonpost.com].
“Where there is enough evidence to charge someone with a crime, we vigorously prosecute,” the attorney general said. “But not every wrong, or even every violation of the law, is a crime.”
Wow, what a concept. If a government official breaks the law governing his or her core official functions, how can that NOT be a crime?