Computer Crime Returns to the Ninth Circuit Court of Appeals

Author: Michael Dorsi[1]

Tomorrow the United States Court of Appeals for the Ninth Circuit will hear argument in United States v. Nosal, a case testing the meaning of the federal computer crime laws.

Petitioner David Nosal was convicted of a felony for his participation in a conspiracy by former employees of the executive search firm Korn/Ferry. The trial court found Nosal guilty of violating the federal Computer Fraud and Abuse Act[2] (“CFAA”) because his co-conspirators[3] used a password belonging to a then-employee of Korn/Ferry. After a jury trial, the district court concluded that the co-conspirators’ access was not authorized, and that using a current employee’s password falls within the CFAA.

This is the third time that the Ninth Circuit will hear argument in this case. In 2011, a three-judge panel considered an appeal of the dismissal of several charges. That panel reversed the district court, but on review en banc in 2012, the Ninth Circuit reversed the panel decision and affirmed the district court’s dismissal of causes of action. That decision held that the CFAA only prohibited wrongful access to — not wrongful use of — protected computers and material found on those computers. Judge Kozinski’s opinion for the en banc panel[4] suggested that the court was concerned about the broad reach of the statute, but stopped short of striking down the statute for unconstitutional vagueness and overbreadth. That opinion considered, but did not conclude, that circumvention of a technological access barrier would be required to find a CFAA violation.

Interestingly, one of the eleven judges from the en banc decision in 2012, Judge M. Margaret McKeown, is on tomorrow’s panel. And during the en banc oral argument, Judge McKeown engaged in a brief colloquy with defense attorney Ted Sampsell-Jones, attempting to distinguish the charges now on appeal from those on appeal during the 2011 oral argument. Judge McKeown and Mr. Sampsell-Jones considered an analogy between passwords and keys to doors. Judge McKeown appeared to be under the impression that the defendants had kept their working passwords — like keeping a key after leaving — when in fact they used the password of a current employee. The text of the exchange suggests that Judge McKeown may not be as supportive of the defense argument now as she was in 2011–12:

“Mr. Sampsell-Jones: I don’t think that’s quite the same as picking a lock or stealing.

Judge McKeown: Well the one who’s left, has a key that he or she didn’t, quote, turn in, so to speak.

Mr. Sampsell-Jones: No the one who’s left doesn’t have a key anymore. The one who has left gets the key consensually from the one who is still there.

Judge McKeown: That’s called hacking.”[5]

While a single question is not entirely useful in forecasting the outcome, it will be interesting to see if Judge McKeown revisits the same question tomorrow.

[1] Mr. Dorsi is an associate at Ad Astra Law Group, counsel for amicus curiae NovelPoster. NovelPoster’s brief can be found here. All briefs are available online on a page hosted by the Electronic Frontier Foundation.

[2] The Computer Fraud and Abuse Act is codified at 18 U.S.C. § 1030. Mr. Nosal was convicted for his violation of 18 U.S.C. § 1030(a)(4).

[3] There are also arguments about whether Mr. Nosal can be guilty by way of conspiracy for these actions. Those arguments will not fit into a brief blog post, but are addressed in the briefs.

[4] 676 F.3d 854 (9th Cir. 2012).

[5] Oral Argument, Nosal, supra, 676 F.3d 854, at 46:45–47:10, available at http://www.ca9.uscourts.gov/media/view_video.php?pk_vid=0000006176.