Ninth Circuit Refines the Meaning of “Without Authorization” under the Computer Fraud and Abuse Act

The United States Court of Appeals for the Ninth Circuit has recently tweaked two of its decisions from this past summer which held that access to another person’s online account, even with their permission, may in certain cases give rise to liability under the U.S. federal Computer Fraud and Abuse Act (CFAA).

The first case, United States v. Nosal, revolved around an employee who, after resigning from a head-hunting firm, asked another employee to share his credentials in order to access the firm’s database. When the firm discovered that the former employee accessed its databases it pressed charges. In the summer 2016 decision, the Ninth Circuit held that the phrase accessing a computer “without authorization” under the CFAA should be interpreted according to its plain meaning: a person’s access to a computer after their own access credentials were revoked constitutes unauthorized access. 
Following that decision, the defendant, supported by digital and civil rights advocacy groups, petitioned the court to rehear the case, which petition the court denied in its recent decision. But the court also took the opportunity to reaffirm some issues arising from its earlier decision. The recent decision held that “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.” The court also reassured that the CFAA does not proscribe innocent conduct such as family password sharing.

The second case, Facebook, Inc. v. Power Ventures Inc., addressed an online platform that provided its users a messaging service that consensually collected all users’ contacts and friends across various social networks. When Facebook learned of this it issued a cease and desist letter alleging that the platform violates Facebook’s terms of service as well as various state and federal computer laws. Facebook also IP-blocked the platform’s access to its servers, but the platform bypassed the block and continued accessing Facebook’s servers using different IP addresses. Facebook sued the platform, alleging violation of the CFAA. The Ninth Circuit’s summer 2016 decision held that Facebook’s cease and desist letter revoked the platform’s authorization to access Facebook’s servers and when it continued to do so despite it violated the CFAA.
Here again, the defendant, supported by a digital rights advocacy group, petitioned the court to rehear the case, which petition the court denied in its recent decision but nevertheless issued an amended opinion refining some of the issues previously raised. In the amended decision the court held that “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly”, and that when permission is revoked technological deception such as circumvention of IP blocking “will not excuse liability”. Importantly, the court’s amended decision held that “a violation of the terms of use of a website, without more, cannot be the basis for liability under the CFAA”.
Click here to read the Ninth Circuit’s amended decision in United States v. Nosal. 
Click here to read the Ninth Circuit’s amended decision in Facebook, Inc. v. Power Ventures Inc.