Can You Go to Jail for Lying on Facebook?

During last week’s oral argument before the 9th Circuit Court of Appeals on the case of U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011), members of the Court, including most notably Chief Judge Alex Kozinski, spent a substantial amount of time questioning the government lawyer about whether a Facebook user could be criminally prosecuted (meaning the person would face serious jail time) under the Computer Fraud and Abuse Act (“CFAA”) for lying about their personal information in signing up for a Facebook account. The full oral argument can be viewed at the following: click

The CFAA makes it a crime to gain unauthorized access to a computer. The questioning was premised on Facebook’s terms of service that prohibit a member of the public from providing false information in signing up for a Facebook account. The concern expressed by another Judge in the argument is that a violation of Facebook’s rules such as lying about one’s age would mean that access to Facebook is unauthorized and thus the person is subject to criminal prosecution under the CFAA. For a number of reasons this is a non-issue and, to the extent there is any issue, it is up to Congress, not the 9th Circuit, to remedy it.

First, it should be pointed out that the Nosal case does not involve a criminal defendant accessing Facebook. David Nosal, a Korn/Ferry International executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. The issue before the 9th Circuit is limited to whether Nosal exceeded his authorized access to his employer’s computers when he violated Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers to “legitimate Korn/Ferry business.” Id.

Second, the fear that a minor offense such as lying on Facebook could be prosecuted is not unique to the CFAA. The wire fraud statute, for example, makes it a crime to engage in a scheme to defraud using interstate wires in furtherance of the scheme. On its face the wire fraud statute could theoretically not only be used against someone who lies on Facebook but could be applied against a college student who calls home asking his parents to wire him money for books, when in fact he intentionally lied, planning to use the money to buy beer.

No one has ever seriously argued that this potential misuse of prosecutorial discretion makes the wire fraud statute unconstitutional. Not only has no one ever been prosecuted for simply lying about their age on Facebook, the concern raised over the misuse of federal criminal statutes is totally overblown as evidenced by the fact that Department of Justice does not bring frivolous wire fraud prosecutions based on common lies that have no meaningful harmful impact. Nor is the CFAA unconstitutionally vague. The only Circuit case that has addressed this issue, U.S. v. Mitra, 405 F.3d 492, 496 (8th Cir. 2005), held that “[t]here is no constitutional obstacle to enforcing broad but clear statutes” and that “[t]he statute gives all the notice that the Constitution requires.”

The only government prosecution under the CFAA predicated, in part, on lying about one’s age in signing up for a social networking site, was brought against Lori Drew in the federal court in Los Angeles. Judge Kozinski referenced this prosecution in the oral argument. The Drew case, however, was not a prosecution predicated solely on Drew lying about her age. Drew was a 49-year-old woman who, according to the government’s indictment, used a MySpace account to harass and torment a 13-year-old girl, who, as a result, committed suicide. Drew perpetrated what has been referred to as cyberbullying by posing as a fictitious 16-year-old boy in violation of MySpace’s terms of service that required her, among other things, to provide truthful information on MySpace and not use MySpace to harass, abuse or harm other people or solicit personal information from anyone younger than 18.

No one can seriously argue that the allegations in the indictment were not serious conduct worthy of a criminal prosecution. In that case the jury convicted Drew of a misdemeanor for unauthorized access to MySpace’s website and did not convict her of the felony for doing so with the purpose of intentionally inflicting emotional distress on the young girl. The Department of Justice chose not to appeal that decision to the 9th Circuit.

Third and finally, it is not up to the courts to decide whether the CFAA is good or bad policy. Judge Kozinski responded to the government attorney at the argument stating that it “would be exceedingly bad policy to give the hands of the government the ability to prosecute everybody who has access to a computer” who might violate Facebook’s terms of service. Whether it is or is not bad policy, is not within the purview of the courts. Under the Constitution it is Congress that writes the laws, and it is the court’s obligation to enforce them.

The bottom line – someone who does nothing more than lie about their age on Facebook and violates Facebook’s terms of service could theoretically be prosecuted under the CFAA, but that does not make it unconstitutional or even a realistic concern.

U.S. v. Nosal Re-Argued Before the 9th Circuit

On December 15, 2011, the 9th Circuit Court of Appeals heard argument en banc in U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011). As expected, the oral argument focused on the meaning of unauthorized access under the Computer Fraud and Abuse Act. The issue is whether an employee can be prosecuted under the CFAA for accessing his employer’s computer in violation of rules established by the employer restricting access to the company computers. In Nosal, the 9th Circuit had clarified its earlier decision in LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1131 (9th Cir. 2009). A key element to prove either a civil or criminal violation of the CFAA is that the employee accessed the company computer “without authorization” or “exceed[ed] authorized access.”

Brekka had been predicated on the simplistic proposition that employees have permission to access the company computers and, thus, by definition cannot access the company computers without authorization. David Nosal, a Korn/Ferry Internation­al executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. Nosal had allegedly recruited “three Korn/Ferry employees to help him start a competing business.” Id. at 782. The indictment charged these employees with “using their user accounts to access the Korn/Ferry computer system.” They then “transferred to Nosal source lists, names, and contact information from the ‘Searcher’ database—a ‘highly confidential and proprietary database of executives and companies’—which was considered by Korn/Ferry ‘to be one of the most comprehensive databases of executive candidates in the world.’” Id. 

The district court had initially rejected Nosal’s motion to dismiss the CFAA counts but reversed its decision after the Brekka decision. The government appealed, citing Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers including one that “restricted the use and disclosure of all such information, except for legitimate Korn/Ferry business.” Id. The government argued that, based on these policies, Nosal had exceeded authorized access.

The court agreed, citing the statutory definition of “exceeds authorized access,” which is “to access a computer with ­authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The court held that the word “so” “refers to an accesser who is not entitled to access information in a certain manner.” Id. at 785. Thus, the court held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions—including use restrictions.” Id. The government stressed this interpretation in its argument to the 9th Circuit.

Nosal distinguished Brekka on the lack of computer policies governing Brekka’s right to access the company computers: “Because LVRC [the employer] had not notified Brekka of any restrictions on his access to the computer, Brekka had no way to know whether—or when—his access would have become unauthorized.” Id at 787. The court concluded that “as long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations.” Id at 788. The full 9th Circuit, however, on October 27, 2011, granted en banc re-consideration to its opinion on October 28, 2011.

The primary argument advanced by Nosal’s counsel was that the CFAA only applies to hacking and that access cannot be unauthorized unless the employee circumvents the technology of the computer. In response to questioning by the court, Nosal’s counsel stated that using another’s password would qualify as a circumvention of the computer’s technology. This argument dismisses as irrelevant any written policies or agreements that limit the scope of an employee’s access to the employer’s computers and the First Circuit’s recognition without reference to the computer’s technology that the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003).

In rebuttal the government rightly pointed out that there is nothing in the language of the statute that limits the definition of authorized access to the circumvention of technology. Given the Supreme Court’s recent admonition to the lower courts in Morrison v. National Australia Bank, Ltd. 130 S.Ct. 2869, 2881(2010) not to add requirements to a statute that are not on its face, this should be a losing argument. The Court in Morrison expressly warned against such “judicial-speculation-made-law-divining what Congress would have wanted if it had thought of the situation before the court.” Id.

Based on the questioning by various members of the court, it appears that its decision in Nosal will not be reversed. You can decide for yourself. The full argument from last week can be heard at the following link: