Computer Fraud and Abuse Act

On March 30, 2018, a D.C. federal district court denied a motion to dismiss an ACLU case filed against the government to challenge the constitutionality of the Computer Fraud and Abuse Act (CFAA), which makes it a federal crime to access a computer in a manner that “exceeds authorized access.” Sandvig v. Sessions, No. 1:16-cv-01368, Dkt. 24 (D.D.C. Mar. 30, 2018). The court held that the plaintiffs could proceed with their claim that the Free Speech and Free Press Clauses of the First Amendment, as applied, bar prosecution under the CFAA because it would restrict the plaintiffs’ ability to report on publicly available information, and even information available only following user registration on a site is generally available to the public.

The particular facts of the Sandvig case are unsurprisingly aimed at highlighting a potentially extreme application of the CFAA. The named plaintiffs are four professors and a media organization investigating whether automated decision-making and ad targeting technologies employed by various websites would result in potentially discriminatory practices against protected classes. For example, they want to analyze whether a real estate or employment website would discriminate against a user based on race. To perform the necessary analysis, they intend to use web scraping, bots, fake accounts (“sock puppets”) and other data collection techniques to conduct outcomes-based audit testing of websites and uncover such practices. These activities are typically prohibited by websites’ terms of service (TOS) and therefore unauthorized activity.Continue Reading D.C. federal court rules that web scraping does not violate the CFAA and may be protected by the First Amendment

It can be a violation of the federal Computer Fraud and Abuse Act (“CFAA”) to “access[] a protected computer without authorization.” The CFAA clearly applies when criminals with no connection to a company try to force their way into information systems.  But in a recent decision a divided panel of the Ninth Circuit found the CFAA can apply even when someone uses a password willingly shared by an authorized user.

In this criminal case, the defendant, David Nosal, had left his employment at Korn/Ferry. Nosal was seeking confidential information on the Korn/Ferry computer system to use at a venture he had started to compete with his previous employer.  Nosal asked his former executive assistant to stay at Korn/Ferry so she could provide access to the systems, and other former employees he was working with borrowed her password to the system and used it to download trade secrets.
Continue Reading Ninth Circuit Rules that CFAA Imposes Criminal Penalties when Terminated Users Try To Access Systems With Borrowed Passwords

In a decision that underscores the importance of carefully considering company computer-use policies and permissions, the United States District Court for the Middle District of Florida held last month that a company could not maintain a Computer Fraud and Abuse Act (“CFAA”) claim against a former employee because the company had given the employee “unfettered