Can Hillary Clinton Be Barred From Visiting

Donald Trump Homepage Screenshot H 2016

Twice in the past week, the 9th Circuit Court of Appeals has exploded some minds in the legal community with interpretation of the Computer Fraud and Abuse Act, the 1986 statute that has been likened to an anti-hacking law, but more precisely deals with one's authority to access another's computers.

On July 5, the appellate circuit issued an opinion in United States v. Nosal interpreted by some as criminalizing the sharing of Netflix passwords. On Tuesday, the same appellate circuit came out with an opinion in Facebook v. Vachani that under a broad reading, means that websites can bar access to certain users. Check out the reaction...

In the Facebook case, the 9th Circuit examined a company called Power Ventures, Inc., which offered a service aggregating a user's information across multiple social networking sites. Back in 2008, Power began a promotional campaign that in part, transmitted messages to a user's friends on Facebook. When Facebook became aware of what Power was doing, it sent a cease and desist letter instructing Power that it needed to terminate its activities. Facebook attempted to get Power to enroll in its Developer program and instituted an IP block to prevent Power from accessing the Facebook website. Nevertheless, Power continued its program, made use of data from, and circumvented IP barriers.

Facebook sued, and the CFAA question examined by the appeals court was whether Power's activity constituted accessing Facebook's computers without authorization.

In reaching the answer that yes, Power violated the CFAA, the 9th Circuit brought up Nosal  — the very case that it had decided a few days earlier that led to a collective freak-out that it was suddenly illegal to share a Netflix password.

That controversy dealt with David Nosal, who left an executive search firm, Korn/Ferry, and recruited others to join him. A couple of those employees used their credentials to log in to a computer in order to download information from the firm's confidential database. Back in 2012, the 9th Circuit ruled there was no CFAA violation because there was no unauthorized access. These employees had authority until they left the company. But last week, the 9th Circuit had to decide how to interpret the events that occurred once the employment was terminated. Korn/Ferry revoked their permission to access computers, and to get around this, another employee at the firm was enlisted by the Nosal gang. She shared her login credentials.

The appeals court said this went too far — and so it naturally led observers to wonder whether the 9th Circuit had just made it illegal to share passwords. In Nosal, the two judges in the majority shrugged off warnings about implications of what was being decided. "This appeal is not about password sharing," they wrote. The outvoted 9th Circuit judge in the minority was disbelieving. He opened his own opinion by stating, "This case is about password sharing."

Now back to Power Ventures and how the 9th Circuit is spinning its earlier decisions.

"From those cases, we distill two general rules in analyzing authorization under the CFAA," wrote 9th Circuit judge Susan Graber. "First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability. Second, a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA."

The key factor here that dooms Power is that cease and desist letter that Facebook had sent. That put Power on notice that it no longer had authorization to access Facebook's computers. State of mind counts. One can be a little snarky about the outcome:

But in maybe shooting down one overreading of its CFAA analysis, the 9th Circuit may have invited more visits into the rabbit hole of what-if's. Like what would happen if Donald Trump told Hillary Clinton to stop accessing his website.

At the Washington Post, George Washington University law professor Orin Kerr discusses Facebook v. Vachani.

He writes, "Here’s the uncertainty: Is the decision saying broadly that you can’t visit the public face of a website after the computer owner said 'no,' or is the decision saying more narrowly that you can’t access an individual account with the user’s permission after the computer owner said 'no'?"

Kerr nods to the first footnote in the opinion. There, the 9th Circuit expressly reserves its opinion on "whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly."

By talking about websites instead of private accounts on company servers, and focusing so heavily (for the moment) on permission, the doors certainly seem ajar to the kind of broad interpretation of what is potentially illegal under the CFAA. Although the 9th Circuit tried to "distill general rules in analyzing authorization under the CFAA," uncertainly reigns, and future disputes will no doubt necessitate the appeals court to intervene and cool heads. Then again, maybe Trump really can build a wall. A digital one, that is. Stopping his presidential rival.