This week’s internal report by MIT on its handling of the Aaron Swartz case may be an appropriate time to note that the sound and fury over the Computer Fraud and Abuse Act (the “CFAA”) is not limited to its use in criminal cases like the Swartz prosecution. The controversy extends to the use of this law in civil cases as well.*
*The CFAA may be used as either a civil or a criminal law. However, the words of the statute must mean the same thing in each context. As the court noted in the case discussed in this post, “it is not possible to define authorization narrowly for some CFAA violations and broadly for others.”
In my July 2nd post on AMD v. Feldstein I noted that the case had given rise to two note-worthy decisions. The May 15, 2013 decision, discussed in that post, involved the legalities of the former-AMD employees’ alleged solicitation of current AMD employees in violation of non-solicitation agreements. However, Massachusetts Federal District Court Judge Timothy Hillman issued a second opinion in the case on June 10, 2013, ruling on the defendant-employees’ motion to dismiss claims of civil liability under the CFAA.
Judge Hillman’s June 10th opinion reflects the struggle within the federal courts nationally over how to apply the CFAA. The controversy focuses on the section of the law that imposes criminal and civil penalties on –
whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer. 18 U.S.C. § 1030(a)(2)(C).*
*As Judge Hillman observed, “The breadth of this provision is difficult to understate.”
I discussed the courts’ varied interpretations of this provision in some detail in an August 2012 post. As I stated there, “the issue, on which the federal courts cannot agree, is whether an employee who has authorized access to a computer, but uses that access for an illegal purpose — typically to take confidential information in anticipation of resigning to start a competing company or join one — violates the CFAA.” In that post I discussed several of the conflicting decisions over this issue, including the Ninth Circuit’s influential en banc holding in U.S. v. Nosal.
In considering how to apply the CFAA in this case Judge Hillman described the two possible interpretations of the CFAA. The first, a “technological model of authorization,” requires that an employee violate a technologically implemented barrier in order for his actions to give rise to a violation. Under this model, which the court described as the “narrow interpretation,” the employee would have to (for example) use someone else’s login credentials to access his employer’s computer, or break into (hack) the computer. Another way to view the “narrow interpretation” of the CFAA is that the phrase “without authorization” in the statute is limited to outsiders who do not have permission to access the employer’s computer in the first place.
Under the second model, described as the “broader interpretation,” the employee would be liable under the CFAA if he used a valid password to access information for an improper purpose, for example, obtaining confidential or trade secret information that will be provided to the employee’s new employer, or to a competitor of the current employer.
As Judge Hillman noted, the only First Circuit case to address the scope of the CFAA – EF Cultural Travel BV v. Explorica, Inc. – only created uncertainty over how to apply the statute. At least one Massachusetts district court judge has viewed EF Cultural as an endorsement of the broader interpretation. Guest-Tek Interactive Entm’t, Inc. v. Pullen (Gorton, J. 2009).
Judge Hillman, however, disagreed, distinguishing EF Cultural and concluding that the facts in that case shift it into the realm of “access that exceeds authorization” rather than permitted access for an unauthorized purpose. In what seems to be a clear nod to the Ninth Circuit in Nosal, he held that “as between a broad definition that pulls trivial contractual violations into the realm of federal criminal penalties, and a narrow one that forces the victims of misappropriation and/or breach of contract to seek justice under state, rather than federal, law, the prudent choice is clearly the narrower definition.”*
*A recent case from the district of New Hampshire appears to have reached the same conclusion. Wentworth-Douglas Hospital v. Young & Novis Prof. Assoc. (June 29, 2012).
This is the conclusion that the former AMD employee-defendants wanted the court to reach on their motion to dismiss the CFAA count. However, it turned out to be somewhat of a pyrrhic victory for them.
Although the judge found that “the narrower interpretation” of the CFAA “is preferable” and found that AMD’s “allegations are … insufficient to sustain a CFAA claim under a narrow interpretation of the CFAA,” he declined to dismiss the CFAA claims against the defendants, noting that “this is an unsettled area of federal law, and one where the courts have yet to establish a clear pleading standard.” Instead, he deferred action on this claim until the factual record is complete, meaning the conclusion of discovery.
And, if it was the defendants’ hope to dismiss the federal CFAA claim in order to force the case into state court (which is unclear, since AMD also pleaded diversity jurisdiction), not only did they fail to accomplish this by means of this motion, but the court went so far as to note that “even if the CFAA claims are dismissed at a later date, the pendant state law claims need not be remanded to state courts. … It would be extremely inefficient to remand this case to state court given the quantity of evidence already presented to this Court.”
Bottom line: the defendants won their central legal argument, but did not get their reward. And, this section of the CFAA remains in limbo in the First Circuit, pending final word from the First Circuit Court of Appeals on its proper interpretation.