- Share this article on Facebook
- Share this article on Twitter
- Share this article on Email
- Show additional share options
- Share this article on Print
- Share this article on Comment
- Share this article on Whatsapp
- Share this article on Linkedin
- Share this article on Reddit
- Share this article on Pinit
- Share this article on Tumblr
Twice in the past week, the 9th Circuit Court of Appeals has exploded some minds in the legal community with interpretation of the Computer Fraud and Abuse Act, the 1986 statute that has been likened to an anti-hacking law, but more precisely deals with one’s authority to access another’s computers.
On July 5, the appellate circuit issued an opinion in United States v. Nosal interpreted by some as criminalizing the sharing of Netflix passwords. On Tuesday, the same appellate circuit came out with an opinion in Facebook v. Vachani that under a broad reading, means that websites can bar access to certain users. Check out the reaction…
Ninth Circuit: If you tell someone not to visit your website, and they do it anyway, it’s a federal crime. https://t.co/SXJzGVa940
— Orin Kerr (@OrinKerr) July 12, 2016
If so, that’s devastating for critical speech. Imagine Trump sending a C&D to Clinton’s campaign, barring access to https://t.co/BFK7Ukdtpw.
— Andy Sellars (@andy_sellars) July 12, 2016
In the Facebook case, the 9th Circuit examined a company called Power Ventures, Inc., which offered a service aggregating a user’s information across multiple social networking sites. Back in 2008, Power began a promotional campaign that in part, transmitted messages to a user’s friends on Facebook. When Facebook became aware of what Power was doing, it sent a cease and desist letter instructing Power that it needed to terminate its activities. Facebook attempted to get Power to enroll in its Developer program and instituted an IP block to prevent Power from accessing the Facebook website. Nevertheless, Power continued its program, made use of data from Facebook.com, and circumvented IP barriers.
Facebook sued, and the CFAA question examined by the appeals court was whether Power’s activity constituted accessing Facebook’s computers without authorization.
In reaching the answer that yes, Power violated the CFAA, the 9th Circuit brought up Nosal — the very case that it had decided a few days earlier that led to a collective freak-out that it was suddenly illegal to share a Netflix password.
That controversy dealt with David Nosal, who left an executive search firm, Korn/Ferry, and recruited others to join him. A couple of those employees used their credentials to log in to a computer in order to download information from the firm’s confidential database. Back in 2012, the 9th Circuit ruled there was no CFAA violation because there was no unauthorized access. These employees had authority until they left the company. But last week, the 9th Circuit had to decide how to interpret the events that occurred once the employment was terminated. Korn/Ferry revoked their permission to access computers, and to get around this, another employee at the firm was enlisted by the Nosal gang. She shared her login credentials.
The appeals court said this went too far — and so it naturally led observers to wonder whether the 9th Circuit had just made it illegal to share passwords. In Nosal, the two judges in the majority shrugged off warnings about implications of what was being decided. “This appeal is not about password sharing,” they wrote. The outvoted 9th Circuit judge in the minority was disbelieving. He opened his own opinion by stating, “This case is about password sharing.”
Now back to Power Ventures and how the 9th Circuit is spinning its earlier decisions.
The key factor here that dooms Power is that cease and desist letter that Facebook had sent. That put Power on notice that it no longer had authorization to access Facebook’s computers. State of mind counts. One can be a little snarky about the outcome:
— Terry Hart (@terrencehart) July 12, 2016
But in maybe shooting down one overreading of its CFAA analysis, the 9th Circuit may have invited more visits into the rabbit hole of what-if’s. Like what would happen if Donald Trump told Hillary Clinton to stop accessing his website.
At the Washington Post, George Washington University law professor Orin Kerr discusses Facebook v. Vachani.
He writes, “Here’s the uncertainty: Is the decision saying broadly that you can’t visit the public face of a website after the computer owner said ‘no,’ or is the decision saying more narrowly that you can’t access an individual account with the user’s permission after the computer owner said ‘no’?”
Kerr nods to the first footnote in the opinion. There, the 9th Circuit expressly reserves its opinion on “whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.”
By talking about websites instead of private accounts on company servers, and focusing so heavily (for the moment) on permission, the doors certainly seem ajar to the kind of broad interpretation of what is potentially illegal under the CFAA. Although the 9th Circuit tried to “distill general rules in analyzing authorization under the CFAA,” uncertainly reigns, and future disputes will no doubt necessitate the appeals court to intervene and cool heads. Then again, maybe Trump really can build a wall. A digital one, that is. Stopping his presidential rival.
Sign up for THR news straight to your inbox every day