Computer Fraud and Abuse – United States v. Nosal; Facebook v. Vachani

    T.J. Wolf

    Two cases recently coming out of the 9th Circuit Court of Appeals decided issues related to the Computer Fraud and Abuse Act (CFAA) and “access without authorization.”

    United States v. Nosal, a criminal case, involved a former employee accessing a computer system with borrowed login credentials from a current employee. Facebook v. Vachani, a civil case, involved a different social media outlet accessing Facebook’s computer system on the basis of user-granted access. In both cases, the Court decided that the parties accessed the system “without authorization,” despite being given “authorization” by a user or other authorized party. Specifically, the Court decided:

    1. In Nosal, a former employee whose access credentials have been revoked acts without authorization when the employee knowingly accesses a computer system using a borrowed login credential; and
    2. In Facebook, a third party who has been granted access by a user does not receive authority to access the entire system, but only to the user’s account; and receiving a cease and desist letter renders a party liable for CFAA violation for continued use.


    These decisions make a case for the notion of dual authorization regarding access to computer systems and accounts. Access is not authorized when either: (1) permission has been explicitly revoked and a party continues to access the system with borrowed credentials; or (2) a party knowingly continues to access a computer system based solely on permission from a user.

    Permission to access must originate from the party with the authority to grant access to the thing for which access is sought.

    This represents the multi-dimensional nature of access; it is granted by either a user to a user’s account, or by the system’s owner to the entire system. Permission to access must originate from the party with the authority to grant access to the thing for which access is sought. Many articles discuss these cases in the context of password sharing practices with respect to Netflix and HBOGo accounts, and how password sharing may now be considered a federal crime under CFAA.

    Read more about the United States v. Nosal decision
    Read more about the Facebook v. Vachani decision

    Other Insights from T.J. Wolf

    Post software copyright infringement and AI
    Auto-generated or artificial-intelligence-generated source code (collectively, “Non-human-authored code” (“NHA”) source code) can have a major impact on a software expert’s analysis and findings. With the software development industry continuing to move in the direction of including artificial intelligence in numerous products and services, it is worth exploring how the NHA source code typically needs to […]
    DisputeSoft was engaged by Carrier Corporation in this copyright infringement dispute involving heating, ventilation, air conditioning, and refrigeration (HVAC-R) software.
    Post software patent litigation
    Read T.J. Wolf’s article on why it is advisable to consult with your expert before agreeing to protective order terms that may limit your expert’s ability to review and analyze code completely and efficiently.

    T.J. Wolf

    General Counsel & Senior Consultant

    Since joining DisputeSoft in 2016, T.J. Wolf has consulted for clients on a variety of software related matters, including breach of contract disputes, software implementation failure matters, and intellectual property matters involving allegations of copyright infringement and trade secret misappropriation. By researching and analyzing documentation to produce content and support for expert reports, T.J. has become deeply involved in analyzing the root causes of many IT failure cases and assessing misappropriation in intellectual property matters.