A new case in Massachusetts gives an opportunity to define the scope of the Computer Fraud and Abuse Act
The federal court in Massachusetts has the rare opportunity to clarify the scope of the Computer Fraud and Abuse Act this afternoon.
While I doubt many onlookers followed in the courtroom, there was a hearing on a temporary restraining order this afternoon that gave the United States District Court for the District of Massachusetts the rare opportunity to shed light on the current scope of the Computer Fraud and Abuse Act, in the days-old case NewPro Operating LLC v. Pic Home Pros, LLC (1:19-cv-12068)
The CFAA is the federal anti-hacking statute and prohibits, among other things, those who access a computer without authorization or exceeding their authorized access, and then obtain information from a computer. As many scholars (including me) have documented, we have seen the scope of the CFAA change fairly dramatically over the past ten years, starting with courts in the Ninth Circuit in LVRC Holdings v. Brekka and United States v. Nosal adopting what most courts and scholars call the “narrow” view of the CFAA, and specifically the question of what “exceeding authorized access” under the CFAA means.
While the trend in the CFAA has been to narrow the reach of the statute, there have been interesting, subtle variations as to what that means. Most courts have used “narrow” to mean they won’t allow CFAA claims to proceed when the restriction on computer access is really just a restriction on computer use — the difference between “you cannot use this system” and “you can use this system, but only for these purposes.”
But other courts seem use “narrow” to mean that a defendant must bypass some sort of technological mechanism of authorization, as opposed a contractual or other control, to be the sort of “hacking” that the CFAA addresses. This latter version of “narrow” has long been the view of several leading CFAA scholars. Prof. Orin Kerr argued in 2003 for this formulation, though his more recent scholarship notes that this may not be the best method of analysis. Prof. Patricia Bellia argued for a similar, code-based view in 2016. It initially looked as though the Ninth Circuit in Nosal adopted this latter view of “narrowing,” but later cases from the same court like Facebook v. Power Ventures moved the interpretation more towards the former. At least one decision here in the District of Massachusetts, AMD v. Feldstein, explicitly reads “narrow” to mean “technologically-based.”
However defined, the adoption of a narrow view is quite significant, as it excludes from the reach of the CFAA things like breach of website terms of service, employee handbooks, and other similar documents. I previously wrote about the importance of this narrowing to the world of web scraping, but it equally helps researchers, journalists, and advocates avoid liability under the CFAA, especially those who use websites and public platforms in ways the platform may not like.
Other appellate courts have since followed the Ninth Circuit’s lead and narrowed the scope of the CFAA, including the Second and Fourth Circuits. We also see a growing dyspepsia with the “broad” view in a recent Eleventh Circuit decision.
Meanwhile here in Massachusetts and within the First Circuit, we find ourselves in a more ambiguous space. The last time our appellate court weighed in on this question was years before this narrowing began, with a pair of cases from a shared underlying dispute: EF Cultural Travel BV v. Explorica, Inc. (EF I) from 2001 and EF Cultural Travel BV v. Zefer Corp. (EF II) from 2003. These cases are usually listed in the “broad” camp when courts and scholars rattle off the different approaches within the circuits. It may be fair to read EF I in that way, as in that case it was the misappropriation of a trade secret (as memorialized in an employee contract) that informed the question of authorization. But the court in EF II didn’t go so far. As a formal matter, the court did not find that the defendant there actually violated the CFAA at all — the case ended up being decided on more technical grounds about the scope of the district court’s injunction on another party. And while the court in EF II signaled toward a broad reading, the court also noted “public policy concerns” that would limit their application of the CFAA when used by a business to keep competitors off of a website. This was a prophetic concern, addressed more directly by the Ninth Circuit last month in the hiQ Labs v. LinkedIn decision.
In the absence of modern First Circuit guidance, it’s fair to say the District of Massachusetts is split on the question of how broadly to read the CFAA. When I talk to students about it I usually encourage them to look at the contrary approaches taken by Judge Gorton in Guest-Tek Interactive Entertainment v. Pullen and Judge Hillman in the previously-mentioned AMD v. Feldstein. The overall trend seems to be towards the narrow view, but that hasn’t been entirely consistent. (Judge Gorton recently reaffirmed his broader approach in Viken Detection Corp. v. Videray Technologies, for example.)
Which brings us to the NewPro case, filed last Friday. The case is especially interesting because it would appear that liability could depend on not only whether the court adopts a “narrow” view, but which narrow view the court adopts.
The case is a dispute between two rival companies in the home remodeling industry. The defendants are former NewPro employees and their new employers, and in particular their use of an internal iCapture database of client leads. The complaint spends considerable time noting the contracts that required those defendants to keep NewPro information confidential. This emphasis makes some sense sense given that there’s a Defend Trade Secrets Act claim in the case as well, but while that is helpful in the DTSA context, to a court taking a narrow view of the CFAA the breach of an employment agreement would not state a claim. That’s more or less the situation that was before the Ninth Circuit in both Brekka and Nosal when those decisions adopted narrow views.
But there’s a further allegation in the the case. The plaintiff alleges that on at least one occasion the defendants used NewPro’s iCapture database after all the defendants had left NewPro. How they still had access is not clear from the complaint; basic cybersecurity practices would dictate that NewPro would revoke their past employee credentials to online databases after termination, but companies routinely overlook that important security step. It’s quite possible that the defendants here were using previously-issued credentials for the database that NewPro didn’t revoke.
It its memorandum in support of a temporary restraining order the plaintiff acknowledges the present split but uses the post-termination access to argue that the court should see a likelihood of success in its CFAA claim either way:
NewPro has presented evidence that the Defendants accessed protected computers “exceed[ing] [their] authorized access.” 18 U.S.C. §§ 1030(a)(2), 1030(a)(4). While Defendants Perlitch, Rogers and Letizia had access to NewPro’s iCapture system while employed by NewPro, their authorized access ended when they became former employees. Access of NewPro’s computer systems, including its CRM or iCapture, after they were no longer employed to benefit a competitor was clearly unauthorized and akin to the classic “hacking” that the CFAA is designed to prevent. While the First Circuit has in any event taken a broad view of the CFAA, this is not a close call even under the narrow view. This is not a case of a current employee using authorized access to steal information as they head out the door. Instead, the former employees here appear to have abused their knowledge of NewPro’s systems to steal information after they left and went to work for a direct competitor.
I read the First Circuit to be more ambiguous as to whether they follow the broad or narrow view — and I very much hope that we see some clarity on this point soon. And if it was in fact the case that NewPro just failed to revoke their former employee’s credentials, I’m not so sure this is “akin to the classic ‘hacking’ at the CFAA is designed to prevent.”
But even assuming a “narrow” view, the resolution of the dispute may end up being a question of which narrow view the NewPro court chooses to adopt. If it adopts more of an “access vs. use” version of “narrow,” one could definitely argue that the ex-employees should have known their access to be wholly unauthorized once they were terminated from the company. Kerr argues for this approach in recent scholarship, citing approvingly the Fourth Circuit’s United States v. Steele. That’s also more or less similar facts that led the Ninth Circuit to find liability in Nosal II,the 2016 followup to its famed 2012 “narrowing” case.
But if, on the other hand, the court uses “narrow” to mean solely a bypass of a technological control, they may find evidence of a CFAA violation wanting. It’s hard to know what exactly happened until the defendants appear and explain themselves, but as alleged it’s not at all clear that they ever bypassed any technical limit to their access. It looks a bit more likely that they had technical access that someone failed to revoke. If the District of Massachusetts in Feldstein was serious in limiting the CFAA to “a technological model of authorization, whereby the scope of authorized access is defined by the technologically implemented barriers that circumscribe that access,” and Judge Young adopts the same view as Judge Hillman, the plaintiffs would not state a claim under this law.
The court was calendared to hear argument this afternoon, and as of this evening there are no new entries on the docket to indicate how Judge Young acted on the request for a temporary restraining order. It may be a while before we see his approach, but the facts of this case present an interesting opportunity to not only answer whether the court follows a “narrow” view, but the nuance of what that means.
