Computer Fraud and Abuse – United States v. Nosal; Facebook v. Vachani

    T.J. Wolf

    Two cases recently coming out of the 9th Circuit Court of Appeals decided issues related to the Computer Fraud and Abuse Act (CFAA) and “access without authorization.”

    United States v. Nosal, a criminal case, involved a former employee accessing a computer system with borrowed login credentials from a current employee. Facebook v. Vachani, a civil case, involved a different social media outlet accessing Facebook’s computer system on the basis of user-granted access. In both cases, the Court decided that the parties accessed the system “without authorization,” despite being given “authorization” by a user or other authorized party. Specifically, the Court decided:

    1. In Nosal, a former employee whose access credentials have been revoked acts without authorization when the employee knowingly accesses a computer system using a borrowed login credential; and
    2. In Facebook, a third party who has been granted access by a user does not receive authority to access the entire system, but only to the user’s account; and receiving a cease and desist letter renders a party liable for CFAA violation for continued use.

    Significance:

    These decisions make a case for the notion of dual authorization regarding access to computer systems and accounts. Access is not authorized when either: (1) permission has been explicitly revoked and a party continues to access the system with borrowed credentials; or (2) a party knowingly continues to access a computer system based solely on permission from a user.

    Permission to access must originate from the party with the authority to grant access to the thing for which access is sought.

    This represents the multi-dimensional nature of access; it is granted by either a user to a user’s account, or by the system’s owner to the entire system. Permission to access must originate from the party with the authority to grant access to the thing for which access is sought. Many articles discuss these cases in the context of password sharing practices with respect to Netflix and HBOGo accounts, and how password sharing may now be considered a federal crime under CFAA.

    Read more about the United States v. Nosal decision
    Read more about the Facebook v. Vachani decision

    Other Insights from T.J. Wolf

    Post
    On March 4, 2019, the Supreme Court of the United States in Fourth Estate Public Benefit Corp. v. Wall-Street.com, LLC unanimously held that the U.S. Copyright Office must issue a copyright registration prior to a copyright claimant filing a lawsuit alleging infringement.
    Case
    DisputeSoft was engaged by a computer chip manufacturer in this pre-litigation patent infringement dispute involving chip power management technologies.
    Post
    In March 2018, the U.S. Court of Appeals for the Federal Circuit found that Google’s use of 37 Java API packages in the Android smartphone software platform was not fair use.

    T.J. Wolf

    IT Litigation Consultant & General Counsel

    Since joining DisputeSoft in 2016, T.J. Wolf has consulted for clients on a variety of software related matters, including breach of contract disputes, software implementation failure matters, and intellectual property matters involving allegations of copyright infringement and trade secret misappropriation. By researching and analyzing documentation to produce content and support for expert reports, T.J. has become deeply involved in analyzing the root causes of many IT failure cases and assessing misappropriation in intellectual property matters.