Two New Cases on Using Computers “Without Authorization” under the Computer Fraud and Abuse Act

Two new cases on using computers “without authorization” under the Computer Fraud and Abuse Act were decided in July 2016, and both were decided by the United States Court of Appeals for the Ninth Circuit.

The first case, decided on July 6, 2016, is United States v. Nosal (a/k/a Nosal II because the Ninth Circuit also issued an opinion on April 10, 2012, involving the same situation). The short summary of Nosal II is that sharing a password can be a crime of accessing a protected computer “without authorization” under the Computer Fraud and Abuse Act. For an excellent recap of the facts and analysis of the case, read this July 6, 2016, article by Orin Kerr that appeared in The Washington Post.

The second case, decided on July 12, 2016, is Facebook v. Vachani. The short summary of Vachani is that accessing a Web site after being notified that you are not authorized to access it can be a crime of accessing a protected computer “without authorization” under the Computer Fraud and Abuse Act. For an excellent recap of the facts and analysis of the case, read this July 12, 2016, article by Orin Kerr that appeared in The Washington Post.

With respect to the Vachani case, the court makes a difficult-to-follow distinction as it interprets the Computer Fraud and Abuse Act, and this issue is described in more detail in Orin Kerr’s article. In Nosal I, the Ninth Circuit court decided that the “exceeds authorized access” prong of 18 U.S.C. § 1030(a)(4) “does not extend to violations of [a company’s] use restrictions” (e.g., violating a Terms of Service Agreement is not a crime under the Computer Fraud and Abuse Act). But, in Vachani, the Ninth Circuit court decided that accessing a Web site after receiving a cease-and-desist letter can be a crime of accessing a protected computer “without authorization” under the Computer Fraud and Abuse Act. The court’s distinction appears to depend on the person’s intent: whether the person at issue “might be unaware that they were committing a crime” (i.e., that is not a crime) or instead “deliberately circumvented the rescission of authorization” (i.e., that is a crime).

For fiduciaries and family members dealing with online accounts and digital property of an incapacitated or deceased family member, the concern remains that accessing the incapacitated or deceased person’s online accounts and digital property could be a crime under federal or state law. The U.S. Department of Justice is on the record asserting that the Computer Fraud and Abuse Act is broad enough to permit the government to charge a person with a crime when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. This position was stated by Richard Downing, Deputy Chief of the DOJ’s Computer Crime and Intellectual Property Section, Criminal Division, in testimony presented on November 15, 2011, before the U.S. House Committee on Judiciary, Subcommittee on Crime, Terrorism, and National Security (note that this testimony was given before Nosal I was decided). However, Mr. Downing also testified, “Let me be very clear that the DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don’t have time or resources to do that.”

The bottom line is that this still is a developing area of law. Fiduciaries and family members should review and consider carefully the applicable Terms of Service Agreement before using a shared password or otherwise accessing a Web site in violation of the Web site’s access rules.
