Ninth Circuit overturns CFAA verdicts for misusing databases
The Volokh Conspiracy 2015-08-26
The Ninth Circuit has handed down United States v. Christensen, a case that touches on a bunch of computer crime issues that include the scope of the Computer Fraud and Abuse Act (CFAA). The court overturned CFAA convictions for employee misuse of a sensitive database. I think that result is correct, although I’m a bit puzzled by the way the court reached it.
The new case involves several defendants who were involved in the Pellicano Investigative Agency. There’s a ton going on in the case, with a lot of issues being argued on appeal, but let me focus just on the CFAA-related facts to keep things manageable. Pellicano did two things that were charged under the CFAA. First, he bribed a Los Angeles police officer, Arneson, to get Arneson to access police databases to obtain confidential police information to help Pellicano. That led to charges against Arneson for exceeding authorized access and against Pellicano for aiding and abetting that violation. Second, Pellicano paid a telephone company technician, Turner, to pay another telephone company employee, Wright, to go into the telephone company database and obtain confidential data that Pellicano could use to install illegal wiretaps. That led to charges against Pellicano and Turner for aiding and abetting Wright’s CFAA violation.
At trial, the defense did not challenge the jury instructions relating to the CFAA. The jury was instructed on the key question of authorization as follows:
[A] defendant exceeds authorized access . . . when the defendant accesses a computer with authorization but uses such access to obtain information in the computer that the defendant is not entitled to obtain.
Exercising plain error review because the issue was not challenged, the Ninth Circuit holds that all the CFAA convictions must be overturned because the jury was obviously wrongly instructed. The court explains that in United States v. Nosal, which postdated the convictions in this case, the en banc Ninth Circuit had held that CFAA violations are “limited to violations of restrictions on access to information, and not restrictions on its use.” The jury instruction plainly violated the requirements of Nosal, the court holds:
Although it was not obvious to the district court at the time, this definition of exceeding authorized access was flawed in that it allowed the jury to convict for unauthorized use of information rather than only for unauthorized access. Such an instruction is contrary to Nosal, and therefore the instruction constituted plain error.
[As an aside, this holding appears in the opinion as part of a block quote of the jury instructions, but I’m pretty sure that’s just an error. I think this is the holding rather than part of the block quote. See the bottom of page 33 and top of page 34.]
The court continues:
The error was also prejudicial. Not anticipating Nosal, the government made no attempt to prove that Wright accessed any databases that she was not authorized to access in the course of doing her job. Although the government now contends that Wright’s use of the code “ERR” upon logging out in an attempt to cover her tracks constituted evidence of unauthorized access, we are not persuaded. “ERR” was a code that phone company employees were instructed to use if they accessed an account by accident. The use of that code did not necessarily prove that the employee was not authorized to access the database. Wright might have used the “ERR” code simply to divert suspicion as to what she was doing. That use of the “ERR” code may have violated company policy, but Wright may nonetheless have been authorized to access the database. Under Nosal, unauthorized use was not enough to support the convictions of Turner and Pellicano for aiding and abetting computer fraud by Wright.
We reach a similar conclusion on the convictions associated with Arneson’s misuse of information from the LAPD database. The government contends that Nosal does not preclude criminal liability under the CFAA for violations of state or federal law that restrict access to certain types of information. See, e.g., 28 C.F.R. § 20.33(d) (restricting the dissemination of certain criminal history information). This argument lacks merit. Those laws arguably prohibited Arneson’s conduct based on the way the information was used, as distinguished from the way it was accessed, but that does not expand the reach of the CFAA. Congress has created other statutes under which a government employee who abuses his database access privileges may be punished, but it did not intend to expand the scope of the federal antihacking statute. See Nosal, 676 F.3d at 857 & n.3 (refusing to “transform the CFAA from an anti-hacking statute into an expansive misappropriation statute,” and citing another statute restricting the use of information under which a defendant might properly be charged).
The jury instructions defining both computer fraud and unauthorized computer access of United States agency information were plainly erroneous under Nosal. The error was prejudicial. We therefore vacate Turner’s conviction for aiding and abetting computer fraud, Arneson’s convictions for computer fraud and unauthorized computer access, and Pellicano’s convictions for aiding and abetting both computer fraud and unauthorized computer access. We remand for further proceedings as may be appropriate. If the government so decides, it may seek to retry the defendants on these charges.
Later in the opinion, the court elaborates on the meaning of unauthorized access in the CFAA when it contrasts the CFAA with California Penal Code 502(h), which punishes one who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network[.]” For procedural reasons I won’t bother you with, the court concludes that the conduct in the case violated 502(h) even though it would not violate the CFAA:
“Access” is defined as “to gain entry to, instruct, . . . or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.” Cal. Penal Code § 502(b)(1).
Defendants argue that we should interpret the state statute consistent with the federal statute as interpreted by Nosal, but we disagree. The statutes are different. In contrast to the CFAA, the California statute does not require unauthorized access. It merely requires knowing access. Compare 18 U.S.C. § 1030(a)(2) with Cal. Penal Code § 502(c)(2).
What makes that access unlawful is that the person “without permission takes, copies, or makes use of” data on the computer. Cal. Penal Code § 502(c)(2). A plain reading of the statute demonstrates that its focus is on unauthorized taking or use of information. In contrast, the CFAA criminalizes unauthorized access, not subsequent unauthorized use. Nosal, 676 F.3d at 864.
I have two thoughts, one procedural and one substantive.
First, on the procedure, I’m not sure how use of this jury instruction could be plain error. To see why, a little detour into federal appellate practice might be helpful.
When a criminal defense lawyer seeks to challenge a federal jury conviction on appeal based on a claim that the conduct below was actually legal, there are two basic strategies. First, the lawyer can argue that the jury instructions were wrong. The jury was misinformed about the law, the argument runs, so the conviction cannot stand. The conviction is overturned if the error is prejudicial, but the government can later retry the defendant under the correct jury instructions if it so chooses.
Second, the defense attorney can argue that the evidence proved at trial cannot support the verdict. Based on the correct legal standard, the argument runs, the evidence proved at trial was simply insufficient to prove the defendant’s guilt even construing all the evidence in the government’s favor. Here the claim is that the defendant’s conduct was legal, regardless of what the jury was told. If the defense wins and the evidence is found insufficient, double jeopardy applies and the case is over.
The reason I’m puzzled by the court finding the jury instructions so wrong is that the jury instructions in the case simply copied the text of the statute. Recall the jury instructions used for authorization:
[A] defendant exceeds authorized access . . . when the defendant accesses a computer with authorization but uses such access to obtain information in the computer that the defendant is not entitled to obtain.
Although I suspect the Ninth Circuit didn’t realize it, that was taken almost word-for-word from the definition in 18 U.S.C. 1030(e)(6):
[T]he term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
Given that the jury instruction mirrored the text of the statute, it seems odd to say that the jury instruction was obviously wrong because it was plainly inconsistent with precedent. Can the text of a criminal law be an obviously mistaken statement of what the statute prohibits, so much that giving it to the jury is plain error? I suppose it’s possible, but it seems pretty strange.
It seems to me that the court’s reasoning would be better understood as being about the sufficiency of the evidence. Under Nosal, the convictions could not stand because the evidence to the jury was insufficient. But the Ninth Circuit instead hung its hat on jury instruction error.
On the substantive point, I agree with the Ninth Circuit that this was not an unauthorized access offense based on the facts provided. As I wrote in this long post, I think a written restriction is always a use restriction for Nosal purposes, whereas a restriction on access requires some sort of circumventing a technical barrier. It seems in this case that there was only the violation of a use restriction rather than the circumvention of a technical barrier, at least based on the facts shown. So I take Christensen to be consistent with my understanding of Nosal, although the panel doesn’t elaborate on the test for when an employee is authorized or not authorized to access a particular database.