United States v. Nosal, No. 10–10038.

CourtUnited States Courts of Appeals. United States Court of Appeals (9th Circuit)
Writing for the CourtKOZINSKI
Citation2012 Daily Journal D.A.R. 4500,12 Cal. Daily Op. Serv. 3874,676 F.3d 854
Decision Date10 April 2012
Docket NumberNo. 10–10038.
PartiesUNITED STATES of America, Plaintiff–Appellant, v. David NOSAL, Defendant–Appellee.

12 Cal. Daily Op. Serv. 3874
2012 Daily Journal D.A.R. 4500
676 F.3d 854

UNITED STATES of America, Plaintiff–Appellant,
v.
David NOSAL, Defendant–Appellee.

No. 10–10038.

United States Court of Appeals, Ninth Circuit.

Argued and Submitted Dec. 15, 2011.Filed April 10, 2012.


[676 F.3d 855]

Jenny C. Ellickson (argued), Lanny A. Breuer, Jaikumar Ramaswamy, Scott N. Schools, Kyle Francis Waldinger, United States Department of Justice, San Francisco, CA, for the plaintiff-appellant.

Ted Sampsell Jones (argued), Dennis P. Riordan, Donald M. Horgan, Riordan & Horgan, San Francisco, CA, for the defendant-appellee.

Kathryn M. Davis, Law Office of Kathryn M. Davis, Pasadena, CA, filed a brief on behalf of amicus curiae En Pointe Technologies, Inc., in support of the plaintiff-appellant.Geoffrey M. Howard, David B. Salmons, Bryan M. Killian, Bingham McCutchen, LLP, San Francisco, CA, filed a brief on behalf of amicus curiae Oracle America Inc., in support of the plaintiff-appellant.Kenneth M. Stern, Law Offices of Kenneth M. Stern, Woodland Hills, CA, filed a brief in support of the plaintiff-appellant.Marcia Hofmann, Electronic Frontier Foundation, San Francisco, CA, filed a brief on behalf of amicus curiae Electronic Frontier Foundation in support of the defendant-appellee.Appeal from the United States District Court for the Northern District of California, Marilyn H. Patel, Senior District Judge, Presiding. D.C. No. 3:08–cr–00237–MHP–1.

Before: ALEX KOZINSKI, Chief Judge, HARRY PREGERSON, BARRY G. SILVERMAN, M. MARGARET McKEOWN, KIM McLANE WARDLAW, RONALD M. GOULD, RICHARD A. PAEZ, RICHARD C. TALLMAN, RICHARD R. CLIFTON, JAY S. BYBEE and MARY H. MURGUIA, Circuit Judges.

Opinion by Chief Judge KOZINSKI; Dissent by Judge SILVERMAN.

[676 F.3d 856]

OPINION
KOZINSKI, Chief Judge:

Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.

FACTS

David Nosal used to work for Korn/Ferry, an executive search firm. Shortly after he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company's computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information.1 The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. The CFAA counts charged Nosal with violations of 18 U.S.C. § 1030(a)(4), for aiding and abetting the Korn/Ferry employees in “exceed[ing their] authorized access” with intent to defraud.

Nosal filed a motion to dismiss the CFAA counts, arguing that the statute targets only hackers, not individuals who access a computer with authorization but then misuse information they obtain by means of such access. The district court initially rejected Nosal's argument, holding that when a person accesses a computer “knowingly and with the intent to defraud ... [it] renders the access unauthorized or in excess of authorization.” Shortly afterwards, however, we decided LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009), which construed narrowly the phrases “without authorization” and “exceeds authorized access” in the CFAA. Nosal filed a motion for reconsideration and a second motion to dismiss.

The district court reversed field and followed Brekka's guidance that “[t]here is simply no way to read [the definition of ‘exceeds authorized access'] to incorporate corporate policies governing use of information unless the word alter is interpreted to mean misappropriate,” as “[s]uch an interpretation would defy the plain meaning of the word alter, as well as common sense.” Accordingly, the district court dismissed counts 2 and 4–7 for failure to state an offense. The government appeals. We have jurisdiction over this interlocutory appeal. 18 U.S.C. § 3731; United States v. Russell, 804 F.2d 571, 573 (9th Cir.1986). We review de novo. United States v. Boren, 278 F.3d 911, 913 (9th Cir.2002).

DISCUSSION

The CFAA defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who's authorized to access only certain

[676 F.3d 857]

data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company's computer but accesses customer data: He would “exceed [ ] authorized access” if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

The government argues that the statutory text can support only the latter interpretation of “exceeds authorized access.” In its opening brief, it focuses on the word “entitled” in the phrase an “accesser is not entitled so to obtain or alter.” Id. § 1030(e)(6) (emphasis added). Pointing to one dictionary definition of “entitle” as “to furnish with a right,” Webster's New Riverside University Dictionary 435, the government argues that Korn/Ferry's computer use policy gives employees certain rights, and when the employees violated that policy, they “exceed[ed] authorized access.” But “entitled” in the statutory text refers to how an accesser “obtain[s] or alter[s]” the information, whereas the computer use policy uses “entitled” to limit how the information is used after it is obtained. This is a poor fit with the statutory language. An equally or more sensible reading of “entitled” is as a synonym for “authorized.” 2 So read, “exceeds authorized access” would refer to data or files on a computer that one is not authorized to access.

In its reply brief and at oral argument, the government focuses on the word “so” in the same phrase. See 18 U.S.C. § 1030(e)(6) (“accesser is not entitled so to obtain or alter” (emphasis added)). The government reads “so” to mean “in that manner,” which it claims must refer to use restrictions. In the government's view, reading the definition narrowly would render “so” superfluous.

The government's interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. This places a great deal of weight on a two-letter word that is essentially a conjunction. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.3 Under the presumption that Congress acts interstitially, we construe a statute as displacing a substantial portion of the common law only where Congress has clearly indicated its intent to do so. See Jones v. United States, 529 U.S. 848, 858, 120 S.Ct. 1904, 146 L.Ed.2d 902 (2000) (“[U]nless Congress conveys its purpose clearly, it will not be deemed to have significantly changed the federal-state balance in the prosecution of crimes.” (internal quotation marks omitted)).

[676 F.3d 858]

In any event, the government's “so” argument doesn't work because the word has meaning even if it doesn't refer to use restrictions. Suppose an employer keeps certain information in a separate database that can be viewed on a computer screen, but not copied or downloaded. If an employee circumvents the security measures, copies the information to a thumb drive and walks out of the building with it in his pocket, he would then have obtained access to information in the computer that he is not “entitled so to obtain.” Or, let's say an employee is given full access to the information, provided he logs in with his username and password. In an effort to cover his tracks, he uses another employee's login to copy information from the database. Once again, this would be an employee who is authorized to access the information but does so in a manner he was not authorized “so to obtain.” Of course, this all assumes that “so” must have a substantive meaning to make sense of the statute. But Congress could just as well have included “so” as a connector or for emphasis.4

While the CFAA is susceptible to the government's broad interpretation, we find Nosal's narrower one more plausible. Congress enacted the CFAA in 1984 primarily to address the growing problem of computer hacking, recognizing that, “[i]n intentionally trespassing into someone else's computer files, the offender obtains at the very least information as to how to break into that computer system.” S.Rep. No. 99–432, at 9 (1986), 1986 U.S.C.C.A.N. 2479, 2487 (Conf. Rep.). The government agrees that the CFAA was concerned with hacking, which is why it also prohibits accessing a computer “without authorization.” According to the government, that prohibition applies to hackers, so the “exceeds authorized access” prohibition must apply to people who are authorized to use the computer, but do so for an unauthorized purpose. But it is possible to read both prohibitions as...

To continue reading

Request your trial
212 practice notes
  • BHL Boresight, Inc. v. Geo-Steering Solutions, Inc., CIVIL ACTION NO. 4:15-CV-00627
    • United States
    • U.S. District Court — Southern District of Texas
    • March 29, 2016
    ...accessed—determine access. (Id. at 9-10.) Statoil joins GSSI's offensive, citing the Ninth Circuit's decision in United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012), to argue that ownership of the protected computer is dispositive to access. (Doc. 28 at 10-11.) Because "Statoil a......
  • In re Apple Inc. Device Performance Litig., Case No. 18-md-02827-EJD
    • United States
    • United States District Courts. 9th Circuit. United States District Courts. 9th Circuit. Northern District of California
    • October 1, 2018
    ...of computer hacking," and the Ninth Circuit has resisted efforts to expand the statute beyond that core. United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) (en banc). Permitting Plaintiffs' § 1030(a)(5)(C) claim to proceed on such thin allegations of vitiated consent would expan......
  • Welenco, Inc. v. Corbell, No. 2:13–cv–0287 KJM CKD.
    • United States
    • United States District Courts. 9th Circuit. United States District Courts. 9th Circuit. Eastern District of California
    • August 25, 2015
    ...source lists, names and contact information from a confidential database ... then transfer[ ] the information to [plaintiff]." 676 F.3d 854, 856 (9th Cir.2012). The employees accused of unlawfully accessing the information were authorized by the employer to access the database in quest......
  • Whatsapp Inc. v. NSO Grp. Techs. Ltd., Case No. 19-cv-07123-PJH
    • United States
    • United States District Courts. 9th Circuit. United States District Courts. 9th Circuit. Northern District of California
    • July 16, 2020
    ..." hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 1000 (9th Cir. 2019) (quoting United States v. Nosal ("Nosal I"), 676 F.3d 854, 857–58 (9th Cir. 2012) (en banc)). The operative question is whether "the conduct at issue is analogous to ‘breaking and entering.’ " Id......
  • Request a trial to view additional results
203 cases
  • BHL Boresight, Inc. v. Geo-Steering Solutions, Inc., CIVIL ACTION NO. 4:15-CV-00627
    • United States
    • U.S. District Court — Southern District of Texas
    • March 29, 2016
    ...accessed—determine access. (Id. at 9-10.) Statoil joins GSSI's offensive, citing the Ninth Circuit's decision in United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012), to argue that ownership of the protected computer is dispositive to access. (Doc. 28 at 10-11.) Because "Statoil access......
  • In re Apple Inc. Device Performance Litig., Case No. 18-md-02827-EJD
    • United States
    • United States District Courts. 9th Circuit. United States District Courts. 9th Circuit. Northern District of California
    • October 1, 2018
    ...problem of computer hacking," and the Ninth Circuit has resisted efforts to expand the statute beyond that core. United States v. Nosal, 676 F.3d 854, 858 (9th Cir. 2012) (en banc). Permitting Plaintiffs' § 1030(a)(5)(C) claim to proceed on such thin allegations of vitiated consent would ex......
  • Welenco, Inc. v. Corbell, No. 2:13–cv–0287 KJM CKD.
    • United States
    • United States District Courts. 9th Circuit. United States District Courts. 9th Circuit. Eastern District of California
    • August 25, 2015
    ..."download source lists, names and contact information from a confidential database ... then transfer[ ] the information to [plaintiff]." 676 F.3d 854, 856 (9th Cir.2012). The employees accused of unlawfully accessing the information were authorized by the employer to access the database in ......
  • Whatsapp Inc. v. NSO Grp. Techs. Ltd., Case No. 19-cv-07123-PJH
    • United States
    • United States District Courts. 9th Circuit. United States District Courts. 9th Circuit. Northern District of California
    • July 16, 2020
    ...statute.’ " hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 1000 (9th Cir. 2019) (quoting United States v. Nosal ("Nosal I"), 676 F.3d 854, 857–58 (9th Cir. 2012) (en banc)). The operative question is whether "the conduct at issue is analogous to ‘breaking and entering.’ " Id. at 1001 (cita......
  • Request a trial to view additional results
2 firm's commentaries
  • Ninth Circuit Provides Guidance on Web Scraping
    • United States
    • LexBlog United States
    • May 5, 2022
    ...2016), cert. denied 138 S. Ct. 314 (2017). [4] HiQ Labs, 2022 WL 1132814, at *11. [5] Id. at *13 (citing United States v. Nosal (Nosal I), 676 F.3d 854, 857 – 58 (9th Cir. 2012)). [6] See, e.g., EF Cultural Travel BV v. Explorica, Inc., 274 F. 3d 577, 583 – 84 (1st Cir. 2001); United States......
  • Federal Court Rules in Favor of LinkedIn’s Breach of Contract Claim after Six Years of CFAA Data Scraping Litigation
    • United States
    • LexBlog United States
    • November 8, 2022
    ...v. LinkedIn Corp., No. 17-16783, 2022 WL 1132814 (9th Cir. Apr. 18, 2022). [9] Id. at 14. [10] Id. at 16. [11] United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (“Nosal”). [12] Nosal at 863. [13] Facebook, Inc. v. Power Ventures, Inc., 844 F. 3d 1058 (9th Cir. 2016) [14] Current version ......
7 books & journal articles
  • INTELLECTUAL PROPERTY CRIMES
    • United States
    • American Criminal Law Review Nbr. 58-3, July 2021
    • July 1, 2021
    ...Cir. 2012) (holding employee that had access to trade secrets but improperly used them was not liable under CFAA); United States v. Nosal, 676 F.3d 854, 863–64 (9th Cir. 2012) (holding that an employee does not “exceed authorized access” under the CFAA when he violates use restrictions); Cl......
  • Lengthening Shadows: Biotechnology and Patent Eligibility
    • United States
    • ABA General Library Landslide Nbr. 9-5, May 2017
    • May 1, 2017
    ...2009). 35. 581 F.3d at 1135. 36. Id. 37. Id. 38. Id. at 1133. 39. 642 F.3d 781 (9th Cir. 2011). 40. United States v. Nosal ( Nosal II ), 676 F.3d 854, 859 (9th Cir. 2012). 41. Id. 42. Id. at 863. 43. Id. 44. United States v. Nosal ( Nosal III ), 828 F.3d 865 (9th Cir. 2016). 45. Id. at 868–......
  • CRIMINAL TRESPASS AND COMPUTER CRIME.
    • United States
    • November 1, 2020
    ...n.32 (collecting scholars' critiques of the CFAA as "overbroad or overly punitive"). (6.) See, e.g., United States v. Nosal (Nosal I), 676 F.3d 854, 860 (9th Cir. 2012); United States v. Drew, 259 F.R.D. 449, 466 (C.D. Cal. (7.) See infra Part II.A. (8.) Terms of Service, FACEBOOK, https://......
  • AN AUDITING IMPERATIVE FOR AUTOMATED HIRING SYSTEMS.
    • United States
    • Harvard Journal of Law & Technology Vol. 34 Nbr. 2, March 2021
    • March 22, 2021
    ...of "exceed[ing] authorized access"), with United States v. Valle, 807 F.3d 508, 528 (2d Cir. 2015), and United States v. Nosal, 676 F.3d 854, 862-63 (9th Cir. 2012), and WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 207 (4th Cir. 2012) (rejecting a broader interpretation). And desp......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT