October 23, 2018

New Computer Fraud and Abuse Act Appellate Case

The Ninth Circuit has decided an important Computer Fraud and Abuse Act case. In United States v. Christensen, the court overturned CFAA convictions for employee misuse of a sensitive database. The appeal also involved many issues other than the CFAA. The defendants were connected with a famous investigative agency in Los Angeles, Pellicano Investigative Agency, which was known for high-profile investigations of the rich and famous. Pellicano was convicted under the CFAA for bribing a Los Angeles police officer, Arneson, to access police databases and obtain confidential police information to help Pellicano. Pellicano also paid a telephone company technician, Turner, to pay another telephone company employee, Wright, to go into the telephone company database and obtain confidential data that Pellicano could use to install illegal wiretaps.

At trial, the defense did not challenge the jury instructions relating to the CFAA. The jury was instructed on the key question of authorization as follows:

[A] defendant exceeds authorized access . . . when the defendant accesses a computer with authorization but uses such access to obtain information in the computer that the defendant is not entitled to obtain.

Exercising plain error review because the issue was not challenged, the Ninth Circuit held that all the CFAA convictions must be overturned because the jury instruction was obviously wrong. Under United States v. Nosal, the en banc Ninth Circuit had held that CFAA violations are “limited to violations of restrictions on access to information, and not restrictions on its use.” The Pellicano court held that the jury instruction violated the requirements of Nosal:

Although it was not obvious to the district court at the time, this definition of exceeding authorized access was flawed in that it allowed the jury to convict for unauthorized use of information rather than only for unauthorized access. Such an instruction is contrary to Nosal, and therefore the instruction constituted plain error.

The court continued:

The error was also prejudicial. Not anticipating Nosal, the government made no attempt to prove that Wright accessed any databases that she was not authorized to access in the course of doing her job. Although the government now contends that Wright’s use of the code “ERR” upon logging out in an attempt to cover her tracks constituted evidence of unauthorized access, we are not persuaded. “ERR” was a code that phone company employees were instructed to use if they accessed an account by accident. The use of that code did not necessarily prove that the employee was not authorized to access the database. Wright might have used the “ERR” code simply to divert suspicion as to what she was doing. That use of the “ERR” code may have violated company policy, but Wright may nonetheless have been authorized to access the database. Under Nosal, unauthorized use was not enough to support the convictions of Turner and Pellicano for aiding and abetting Wright’s CFAA violation.

The Ninth Circuit also reached a similar conclusion on the convictions associated with Arneson’s misuse of information from the LAPD database. The government had contended that Nosal does not preclude criminal liability under the CFAA for violations of state or federal law that restrict access to certain types of information. See, e.g., 28 C.F.R. § 20.33(d) (restricting the dissemination of certain criminal history information). The court rejected this argument, finding that while the state laws arguably prohibited Arneson’s conduct based on the way the information was used, as distinguished from the way it was accessed, this does not expand the reach of the CFAA. The Ninth Circuit pointed out that Congress has created other statutes under which a government employee who abuses his database access privileges may be punished, but it did not intend to expand the scope of the federal antihacking statute.

The Ninth Circuit also noted that the definition of unauthorized access under the CFAA is different from “access” under California Penal Code 502(h), which punishes one who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network[.]” In turn, “Access” is defined as “to gain entry to, instruct, . . . or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.” Cal. Penal Code § 502(b)(1).

The court found that defendants’ conduct violated 502(h) even though it did not violate the CFAA, rejecting defendants’ argument that the state statute should be interpreted consistent with the federal statute as interpreted by Nosal. The court pointed out that, in contrast to the CFAA, the California statute does not require unauthorized access. It merely requires knowing access. What makes that access unlawful is that the person “without permission takes, copies, or makes use of” data on the computer. Cal. Penal Code § 502(c)(2). The focus is on unauthorized taking or use of information. In contrast, the CFAA criminalizes unauthorized access, not subsequent unauthorized use.

While the outcome of the case seems to be consistent with the Nosal decision, since the evidence only established a use violation, it is interesting to note that the Pellicano court found the jury instruction with regard to exceeding authorized access to have been wrongly given, even though the jury instruction mirrored the definition found in 18 U.S.C. 1030(e)(6): “[T]he term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” How can it be possible for a jury instruction to be an obviously mistaken statement of what the statute prohibits where it simply repeats the language of the text of the statute? In other words, is it possible for a jury instruction that mirrors the statute to be obviously wrong on the basis that it is inconsistent with the statute? I don’t know the answers to these questions, but it does highlight the need for Congress to amend the CFAA to clarify, among other things, what it means to access a computer without authorization or in excess of authorization.

One final point: because the court found that the jury instruction was erroneous instead of finding that there was insufficient evidence for the defendants to have been convicted under the requirements of Nosal, the government may retry the defendants for violating the CFAA.


