I’ve written previously that using an incapacitated or deceased person’s passwords to access that person’s online accounts may not be permitted under the Web service’s Terms of Service contract, and it might even be construed as “unauthorized access” under a state or federal criminal law. On April 10, 2012, the Ninth Circuit Court of Appeals issued an opinion in United States v. Nosal regarding the scope of the phrase “exceed authorized access” under § 1030 of the Computer Fraud and Abuse Act.
In this case, David Nosal, a former employee of Korn/Ferry, convinced current Korn/Ferry employees to obtain information from a confidential Korn/Ferry database—information that Mr. Nosal could use to help start a competing business. The current Korn/Ferry employees were authorized to access the database, but disclosing that confidential information violated Korn/Ferry’s company policies. The criminal charge was “exceeding authorized access” under the Computer Fraud and Abuse Act because the company’s policy was violated.
The Ninth Circuit held in this case that “We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.” Note that the key phrase in that quote is “use restrictions.” The Ninth Circuit concluded “Therefore, we hold that ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” In this case, the current company employees had permission to access the confidential company database, but the company’s policies restricted the use of the information. So, the criminal charge of “exceeding authorized access” under the Computer Fraud and Abuse Act was dismissed.
As I have discussed before, the U.S. Department of Justice has asserted that § 1030(a)(2) of the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime for violating the Computer Fraud and Abuse Act when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position may have a chilling effect on fiduciaries trying to carry out their duties of gathering a deceased person’s assets, paying debts and expenses, and distributing the remaining assets. The Terms of Service contracts at some major Web services, including Facebook and Microsoft’s Hotmail, specifically prohibit you from allowing anyone else to access your account.
This case is interesting for fiduciaries and family members because the Ninth Circuit narrowly construes the phrase “exceeds authorized access,” despite the government arguing for a very broad construction of “exceeds authorized access.” Although it is not part of the Ninth Circuit’s holding, the most interesting portion of the order to me is the Discussion section of the Ninth Circuit’s opinion, where the court gives several examples of the consequences of the government’s broad construction, including an example about Facebook’s Terms of Service contract provision regarding letting someone else access your account:
For example, it’s not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007–March 1, 2012, § 2.3, http://www.google.com/intl/en/policies/terms/archive/20070416 (“You may not use the Services and may not accept the Terms if…you are not of legal age to form a binding contract with Google….”) (last visited Mar. 4, 2012). Adopting the government’s interpretation would turn vast numbers of teens and pre–teens into juvenile delinquents—and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 http://www.facebook.com/legal/terms (“You will not share your password,…let anyone else access your account, or do anything else that might jeopardize the security of your account.”) (last visited Mar. 4, 2012). Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.
…Not only are the terms of service vague and generally unknown—unless you look real hard at the small print at the bottom of a webpage—but website owners retain the right to change the terms at any time and without notice. See, e.g., YouTube Terms of Service § 1.B, http://www.youtube.com/t/terms (“YouTube may, in its sole discretion, modify or revise these Terms of Service and policies at any time, and you agree to be bound by such modifications or revisions.”) (last visited Mar. 4, 2012). Accordingly, behavior that wasn’t criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.
The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor. Cf. United States v. Stevens, 130 S. Ct. 1577, 1591 (2010) (“We would not uphold an unconstitutional statute merely because the Government promised to use it responsibly.”). And it’s not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17–year–old boy and cyber–bullied her daughter’s classmate. The Justice Department prosecuted her under 18 U.S.C. § 1030(a)(2)(C) for violating MySpace’s terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.
So, although the Ninth Circuit’s actual holding in this case does not specifically resolve the question of whether using an incapacitated or deceased person’s passwords to access that person’s online accounts is a crime (if that “exceeds authorized access” when the Web service’s Terms of Service contract prohibits letting others access the online account), the opinion’s discussion about Facebook’s Terms of Service provision gives me some hope for the future. Keep in mind that the Ninth Circuit concluded “Therefore, we hold that ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use,” so the chilling effect on fiduciaries and family members accessing online accounts remains a problem.
For more discussion of United States v. Nosal, read the April 10, 2012, article by Orin Kerr at The Volokh Conspiracy, including a mention of disagreement among the circuit courts about whether to interpret the Computer Fraud and Abuse Act broadly or narrowly, which could lead to a Supreme Court opinion on this issue in the future.