请输入您要查询的百科知识:

 

词条 United States v. Nosal
释义

  1. Background

  2. Court case

     Dissent 

  3. Impact and criticism

  4. Follow up

  5. See also

  6. References

  7. External references

{{multiple issues|{{cleanup rewrite|date=December 2013}}{{lead too short|date=December 2013}}
}}{{Infobox COA case
|Litigants=United States of America v. David Nosal
|Court=United States Court of Appeals for the Ninth Circuit
|CourtSeal=
|ArgueDate=February 14th
|ArgueYear=2011
|DecideDate=April 28th
|DecideYear=2011
|FullName=United States of America v. David Nosal
|Citations=
|Prior=
|Subsequent=
|Holding=The court held that employees who violate the computer use policies of their employers have not "exceeded their authorization" for the purposes of prosecution under the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030.
|Judges=Diarmuid F. O'Scannlain, Stephen S. Trott, and Tena Campbell
|Majority=Judge O'Scannlain, Judge Trott
|JoinMajority=
|Concurrence=
|JoinConcurrence=
|Dissent=Judge Campbell
|JoinDissent=
|LawsApplied=Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030
}}

United States v. Nosal, 676 F.3d 854 (9th Cir. 2012)[1] was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling (Nosal I) established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies—if they are authorized to access the computer and do not circumvent any protection mechanisms.

On April 24, 2013, U.S. Attorney Melinda Haag announced that Nosal was convicted by a federal jury of all charges contained in a six-count indictment.[2] Nosal appealed his conviction to the Ninth Circuit.[3] On July 5, 2016, a three-judge panel held 2-1 that Nosal had acted "without authorization" and affirmed his conviction. In this second decision (Nosal II), the Ninth Circuit attempted to clarify the meaning of "without authorization" in the context of the CFAA.[4]

Background

In October 2004, David Nosal resigned from his position at Korn/Ferry, an executive search and recruiting company. As part of his separation agreement, Nosal agreed to serve as an independent contractor for Korn/Ferry and not to compete with them for one year; in exchange, Korn/Ferry agreed to compensate Nosal with two lump-sum payments and twelve monthly payments of $25,000.[1] A few months after leaving Korn/Ferry, Nosal solicited three Korn/Ferry employees to help him start a competing executive search business. Before leaving the company, the employees downloaded a large volume of "highly confidential and proprietary" data from Korn/Ferry's computers, including source lists, names, and contact information for executives.[1]

On June 26, 2008, Nosal and the three employees were indicted by the federal government on twenty counts of violations of the Computer Fraud and Abuse Act. The government alleged that the defendants "knowingly and with intent to defraud" exceeded authorized access to Korn/Ferry's computers.

Nosal appealed the indictment, claiming that the CFAA was "aimed primarily at computer hackers" and that it "does not cover employees who misappropriate information or who violate contractual confidentiality agreements".[1] Nosal further argued that the employees were, in principal, permitted to access the information in their role as Korn/Ferry employees, and thus they did not "act without authorization" or "exceed authorized access" as written in Section (a)(4) of the CFAA.[1]

After initially rejecting these arguments, the district court eventually agreed with Nosal and dismissed the five counts of the indictment arising from Section (a)(4).[1] The government appealed this decision, arguing that Nosal and his accomplices did indeed exceed authorized access because they violated the company's computer access policies, which restricted the "use and disclosure of all [database] information, except for legitimate Korn/Ferry business".[5]

Court case

The case was based heavily on the Ninth Circuit's interpretation of language in the CFAA statute, especially Section (a)(4), under which the more serious charges against the defendants stemmed.

Section (a)(4) of the CFAA makes liable anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value."[6] Neither party disputed that Nosal's accomplices were authorized to access Korn/Ferry computers, so the case hinged on whether or not they exceeded their authorized access when they downloaded the information for fraudulent purposes.

The Ninth Circuit Court relied on their earlier decision in LVRC Holdings v. Brekka,[7] which centered on an employee who transferred business documents from his employer's computer to his personal email account and was later sued by the employer under a civil provision in the CFAA. In their ruling for that case, the court emphasized a distinction between the phrases "without authorization" and "exceeding authorized access" from CFAA Section (a)(4), and in so doing, provided an interpretation of the statutory language. They wrote, "an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has 'exceed[ed] authorized access.' On the other hand, a person who uses a computer 'without authorization' has no rights, limited or otherwise, to access the computer in question."[7]

The court adopted this interpretation and expanded its scope, ruling that an employee "exceeds authorized access" under the CFAA when they use a computer in way that violates an employer's access restrictions—including policies governing how information on the computer may be used.[7]

Regarding the question of how to determine when a violation occurs, the court rejected the approach used in International Airport Centers v. Citrin,[8] which asserted that an employee loses authorization when he or she "violates a state law duty of loyalty because...the employee's actions [terminate] the employer-employee relationship 'and with it his [or her] authority to access the [computer]'".[1]

Instead, the court cited their finding from Brekka that for purposes of the CFAA, it is the action of the employer that determines whether an employee is authorized to access the computer. They decided that, as a logical extension of this finding, the question of whether an employee "exceeds authorized access" is likewise determined by the employer's actions, including (but not limited to) the promulgation of computer use restrictions. Since Korn/Ferry indeed had such computer use restrictions, which the defendants violated when they accessed the executive database for fraudulent purposes, the Ninth Circuit court reversed the district court's decision and remanded the district court to reinstate the five counts under Section (a)(4).

Dissent

Judge Campbell dissented, arguing that the court's decision renders the CFAA's provisions unconstitutionally vague, since computer use policies are not written "with the definiteness or precision that would be required for a criminal statute" and they can be changed without notice. The ruling, she argued, places an undue burden on employees to stay current on such policies in order to protect themselves against possible criminal prosecution.[1]

Impact and criticism

Nosal argued that the ruling would make criminals out of millions of employees who use their work computer to do trivial tasks such as checking basketball scores on the internet or reading personal email—behaviors that (technically) violate typical computer use policies. Many online law pundits expressed similar concerns, fearing that one could be prosecuted under federal law for violating a website's terms of service—for example, lying about one's age on Facebook.[9][10]

The court defended its ruling, noting that such benign behaviors lack the requisite conditions of "intent to defraud" and "furthering fraud by obtaining something of value" as required for prosecution under CFAA Section (a)(4).[1] However, other provisions in the CFAA do not include such requirements, so the current ruling may still admit prosecution of trivial behaviors that had previously been considered out of the scope of the CFAA.

Follow up

On October 27, 2011, the Ninth Circuit agreed to rehear the case en banc. The new case was presented in front of the entire Ninth Circuit panel on December 15, 2011 in San Francisco.[11] The result of the hearing was published April 10, 2012 and states that the court chose a narrow interpretation of the CFAA, holding that the phrase

"exceeds authorized access" in the CFAA does not extend to violations of use restrictions.[12]

See also

  • [https://www.thetruthbehindthenosalcase.com/ The Truth Behind the Nosal Case]
  • LVRC Holdings LLC v. Brekka
  • International Airport Centers, L.L.C. v. Citrin
  • Lee v. PMSI, Inc.
  • EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003)
  • United States v. Fiander, 547 F.3d 1036, 1041 n.3 (9th Cir. 2008)
  • United States v. Boren, 278 F.3d 911, 913 (9th Cir. 2002)

References

1. ^{{Cite court | litigants=United States v. Nosal | vol=642 | reporter=F.3d | opinion=781 | pinpoint= | court=9th Cir. | date=2011 | url=http://www.ca9.uscourts.gov/datastore/opinions/2011/04/28/10-10038.pdf United States v. Nosal | accessdate=25022012 }}
2. ^"[https://www.fbi.gov/sanfrancisco/press-releases/2013/executive-recruiter-david-nosal-convicted-of-computer-intrusion-and-trade-secret-charges Executive Recruiter David Nosal Convicted of Computer Intrusion and Trade Secret Charges]." ([https://archive.is/20130619162807/http://www.fbi.gov/sanfrancisco/press-releases/2013/executive-recruiter-david-nosal-convicted-of-computer-intrusion-and-trade-secret-charges Archive]) Federal Bureau of Investigation. Retrieved on June 19, 2013.
3. ^Guilty Verdict In Critical Computer Fraud And Abuse Act Trial
4. ^[https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14-10037.pdf “United States v. Nosal” (“Nosal II”) Decision] ~ Ninth Circuit
5. ^{{cite news |url=http://computerfraud.us/recent-updates/u-s-v-nosal-re-argued-before-the-9th-circuit |title=U.S. v. Nosal Re-Argued Before the 9th Circuit |work=Computer Fraud/Data Protection |date=2011-12-19 |accessdate=2012-03-19 |first1=Nick |last1=Akerman}}
6. ^The Computer Fraud and Abuse Act {{USC|18|1030}}
7. ^{{Cite court | litigants=LVRC Holdings v. Brekka | vol=581 | reporter=F.3d | opinion=1127 | pinpoint= | court=9th Cir. | date=2009 | url=http://www.ca9.uscourts.gov/datastore/uploads/enbanc/10-10038pfr.pdf| accessdate=02032012 }}
8. ^{{Cite court | litigants=International Airport Centers v. Citrin | vol=440 | reporter=F.3d | opinion=418 | pinpoint= | court=7th Cir. | date=2006 | url=http://www.ca7.uscourts.gov/tmp/G70UA4L3.pdf | accessdate=02032012 }}{{dead link|date=June 2016}}
9. ^{{cite news |url=http://computerfraud.us/articles/can-you-go-to-jail-for-lying-on-facebook |title=Can You Go to Jail for Lying on Facebook? |work=Computer Fraud/Data Protection |date=2011-12-21 |accessdate=2012-03-19 |first1=Nick |last1=Akerman}}
10. ^{{cite news |url=http://www.hahnloeser.com/tradesecretlitigator/post/2011/11/23/Better-Read-the-Fine-Print-Are-We-All-at-Risk-under-the-Computer-Fraud-and-Abuse-Act.aspx |title=Better Read the Fine Print: Are We All at Risk Under the Computer Fraud and Abuse Act? |work=Hahn Loeser |date=2011-11-23 |accessdate=2012-03-19 |first1=John |last1=Marsh}}
11. ^{{Cite court | litigants=United States v. Nosal (en banc)| vol=661 | reporter=F.3d | opinion=1180 | pinpoint= | court=9th Cir. | date=2011 | url=http://www.ca9.uscourts.gov/datastore/opinions/2011/10/27/1010038ebo.pdf| accessdate=02032012 }}
12. ^{{Cite court | litigants=United States v. Nosal (en banc) opinion | court=9th Cir. | date=2012 | url=http://www.ca9.uscourts.gov/datastore/opinions/2012/04/10/10-10038.pdf | accessdate=04102012 }}

External references

Parties
  • [https://web.archive.org/web/20111219062859/http://www.nosalpartners.com/team/dnosal.htm David Nosal at Nosal Partners]
  • Korn/Ferry International
Articles
  • List of documents related to CFAA
  • [https://www.eff.org/cases/u-s-v-nosal Electronic Frontier Foundation web page about the case]
  • Shawn E. Tuma: "What does the CFAA mean and why should I care?" - A Primer on the Computer Fraud and Abuse Act for Civil Litigator
  • Dale C. Campbell: Seventh and Ninth circuits split on what constitutes without authorization within the meaning of the CFAA
En banc hearing
  • Nick Akerman's article of the en banc hearing on December 15th
  • Video recording of United States v Nosal en banc hearing.
  • Orin Kerr discussing the "en banc" hearing follow-up article by Kerr
  • Ninth Circuit Ruling Trimming CFAA Claims for Misappropriation Reminds Employers that Technical Network Security is the First Defense
2013
  • Nosal Convicted of Computer Fraud and Abuse Act Crime Despite His Ninth Circuit Win
  • [https://www.wired.com/threatlevel/2013/04/man-convicted-of-hacking-despite-no-hacking/ Man Convicted of Hacking Despite Not Hacking]

4 : United States Court of Appeals for the Ninth Circuit cases|United States computer case law|United States Internet case law|2011 in United States case law

随便看

 

开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。

 

Copyright © 2023 OENC.NET All Rights Reserved
京ICP备2021023879号 更新时间:2024/11/10 11:37:30