US v. Nosal, CR-08-0237 EMC (N.D. Cal. Mar. 12, 2013)

Download as pdf or txt
Download as pdf or txt
You are on page 1of 16

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page1 of 16

1 2 3 4 5 6 7 8 9 10 v. DAVID NOSAL, Defendant. _________________________________/ UNITED STATES OF AMERICA, Plaintiff, No. CR-08-0237 EMC ORDER DENYING DEFENDANTS MOTION TO DISMISS (Docket Nos. 274, 276) UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

I.

INTRODUCTION

Pending before the Court is Defendants motion to dismiss three counts of violating the Computer Fraud and Abuse Act (CFAA). Docket No. 274, 276.1 The superseding indictment in this case included eight counts for violations of the CFAA related to unauthorized access of a computerized database of his former employer, Korn/Ferry. The indictment also included several counts for misappropriation, theft of trade secrets, and conspiracy that are not the subject of this motion. Judge Patel previously dismissed five of the counts for violations of the CFAA. Docket No. 135. The government appealed the dismissal to the Ninth Circuit. A panel of three judges reversed the dismissal, but upon en banc review, the Ninth Circuit affirmed Judge Patels opinion. Defendant now argues that the Ninth Circuits en banc opinion clarified the application of the CFAA in a way that now requires dismissal of the remaining CFAA counts, which were not addressed on

motion.

Docket No. 274 is the original version of the motion; Docket No. 276 is an amended

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page2 of 16

1 2 3 4 5 6 7 8 9 10

the appeal. Since the hearing on this motion, the government has secured a second superseding indictment adding additional factual detail to two of the CFAA counts.2 II. FACTUAL & PROCEDURAL BACKGROUND

The original indictment in this case was filed on April 10, 2008. Docket No. 1. The first superseding indictment was filed on June 28, 2008. Docket No. 42. The superseding indictment brings various charges against Defendant, including eight charges of violating the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030(a), for aiding and abetting his co-conspirators in securing unauthorized access to a protected computer with intent to defraud and obtain something of value. Id. 21 (counts 2-9). The following facts are taken from the first superseding indictment. Defendant is a former employee of Korn/Ferry, an executive search firm headquartered in Los Angeles with offices in San Francisco and Redwood City, California. Superseding Indictment (SI) 1-2. The company is a leading provider of executive recruitment services, assisting companies to fill executive and other high level positions. SI 1. Defendant worked for Korn/Ferry from approximately April 1996 until October 2004. SI 2. When he ceased his employment with the firm, he entered into Separation and General Release Agreement, and an Independent Contractor Agreement with Korn/Ferry. SI 2. In these agreements, he agreed to serve as an independent contractor to Korn/Ferry from November 1, 2004 through October 15, 2005. SI 2. He also agreed not to perform executive search or related services for any other entity during the term of his contract. SI 2. In return, he received compensation in the amount of $25,000 per month. SI 2. Despite these agreements, Defendant began to set up his own rival executive search firm with the assistance of three other current or former Korn/Ferry employees, Becky Christian, J.F., and M.J. SI 3-5. J.F. was Defendants assistant while he was a Korn/Ferry employee, and continued to be employed by Korn/Ferry after Defendants departure. SI 4. M.J. was a Korn/Ferry employee until approximately March of 2005. SI 5.

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

The second superseding indictment also renumbers the counts. The counts at issue in this motion, which had been numbers three, eight, and nine, are now counts two, three, and four, respectively. Since this motion pertains to the first superseding indictment, it will refer to the counts as numbered therein.

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page3 of 16

1 2 3 4 5 6 7 8 9 10

Christian, who is also named as a defendant in the superseding indictment, was employed by Korn/Ferry from approximately September 1999 to approximately January 2005. SI 3. After leaving Korn/Ferry, she set up an executive search firm known as Christian & Associates, though she was in fact working with Defendant to set up his executive search firm. SI 3. Christian generally retained 20% of the revenues from the searches the two conducted, while Defendant retained 80%. SI 3. Korn/Ferry maintained the Searcher database, a proprietary database of executives and companies. SI 6. Using the Custom Report feature of the database, Korn/Ferry employees were able to created targeted reports on executives, companies, and prior search engagements Korn/Ferry had conducted for clients. SI 6. The database was also capable of producing source lists, or candidate lists, which were provided to client companies with regards to a particular position they were trying to fill. SI 8. Korn/Ferry had built up the information contained in the Searcher database over many years, and considered it to be one of the most comprehensive databases of its kind in the world. SI 7. Korn/Ferry took a number of steps to preserve the confidential nature of the Searcher database, including controlling electronic access to the database, and controlling physical access to the servers on which it was stored. SI 9. Korn/Ferry employees received unique user names and passwords that allowed them to access the companys computer systems, including the Searcher Database. SI 9. These passwords were intended for use by employees only. SI 9. All Korn/Ferry employees, including Defendant, entered into agreements explaining the proprietary nature of the Searcher database, and restricting the use of the database and related information to legitimate company business. SI 10. Defendant executed such an agreement on or about April 26, 1996. SI 10. Korn/Ferry also explicitly noted the confidential and proprietary nature of the information from the Searcher database on reports and in the computer logon process. SI 11. All custom reports generated from the database had the phrase Korn/Ferry Proprietary and Confidential written across the top. SI 11. When an individual logged on to the Korn/Ferry computer system, the following notification was displayed

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page4 of 16

1 2 3 4 5 6 7 8 9 10 SI 11.

This computer system and information it stores and processes are the property of Korn/Ferry. You need specific authority to access any Korn/Ferry system or information and to do so without the relevant authority can lead to disciplinary action or criminal prosecution. . . .

The superseding indictment alleges that Defendant, along with co-conspirator Christian and others, did steal, and without authorization knowingly take by fraud, artifice, and deception, trade secrets from Korn/Ferrys computer system, including source lists. SI 15. The indictment alleges that individual co-conspirators and others obtained these source lists and other trade secrets prior by using their own Korn/Ferry usernames and passwords prior to and upon termination, and that they did so without authorization and in excess of authorization. SI 16. Defendant and co-conspirators also obtained trade secrets from Korn/Ferrys computer system by using, either directly or through J.F., J.F.s Korn/Ferry username and password, and that this was done without authorization and in excess of authorization. SE 17. The specific factual allegations related to the various CFAA counts in the first superseding indictment are as follows: A. Count 2 During the fourth quarter of 2004, just prior to the end of her employment with Korn/Ferry, Christian downloaded custom reports from the Searcher database containing over 3000 records. SI 19j. She took copies of these reports with her when she left the firm. SI 19j. B. Count 3 On or about April 11, 2005, Christian sent an email to J.F. that stated in part, It is to [sic] difficult to explain the searcher run I would need to log in as you. SI 19a. The next day, Christian emailed Defendant three Korn/Ferry source lists of Chief Financial Officers (CFOs) that had been downloaded from the Searcher database earlier that day using J.F.s username and password. SI 19b. These source lists were marked as proprietary and confidential. SI 19b. Defendant and Christian later used individuals on this source list in performing a Chief Financial Officer (CFO) search for Company B. SI 19e. The second superseding indictment specifies that it was Christian who downloaded the source lists after J.F. provided Christian with her password. Second Superseding Indictment (SSI)

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page5 of 16

1 2 3 4 5 6 7 8 9 10

19a. Christian did not have authorization from Korn/Ferry to access its computer system at that time. Id. C. Count 4 Also in April 2005, Company C retained Defendant to conduct a search for a senior vice president of human resources. SI 19h. The CEO of Company C emailed Defendant on April 25, 2005, asking Defendant to draft a job description for the position, and requesting that Defendant make sure that the payment terms are the aggressive ones you quoted. SI 19h. On April 29, Christian emailed the CEO of Company C a position description, copying Defendant, and signing the email David & Becky. SI 19i. This position description was largely identical to a position specification recently obtained from Korn/Ferrys computer system by J.F. SI 19i. D. Count 5 On or about May 26, 2005, M.J. contacted J.F., requesting that J.F. obtain information from the Searcher database on 17 individuals, and on a specific prior Korn/Ferry search engagement. SI 19l. M.J. had obtained the names of at least some of the individuals from Defendant. SI 19l. J.F. obtained the requested information from the Searcher database, and copied the files containing the information onto a C.D., which J.F. then provided to M.J. SI 19l. Defendant later used at least some of this information in a meeting with a prospective client. SI 19l. E. Count 6 On or about June 3, 2005, J.F. performed a query within the Searcher database for human resources managers at M.J.s request. SI 19m. This query yielded a list of approximately 366 executives, which J.F. then exported to a spreadsheet titled Choc Chip Cookie Recipes, and burned to a C.D. titled ChocChip Cookies. SI 19m. J.F. later provided this C.D. to M.J. for use in the search for Company C. SI 19m. F. Count 7 On or about June 23, 2005, J.F. used the Searcher database to create a custom report for senior vice president supply chain managers working at various companies. SI 19n. This report listed approximately 1,205 executives. SI 19n. J.F. later provided the custom report to Christian, who used it in an executive search. SI 19n.

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page6 of 16

1 2 3 4 5 6 7 8 9 10

G.

Count 8 On or about July 12, 2005, an individual used a computer at Defendants San Francisco

offices to remotely log into Korn/Ferrys computer network using J.F.s username and password. SI 19f. A co-conspirator then ran queries for information on two of the individuals who were being considered for Company Bs CFO position. SI 19f. The following month, Company B announced that it had hired one of these two individuals. SI 19f. The second superseding indictment does not identify who logged onto the computer, but does specify that Christian was the one who ran the queries, and that she additionally downloaded two source lists from the Korn/Ferry system. SSI 19f. H. Count 9 On or about July 29, 2005, J.F. used M.J.s computer in Defendants offices to remotely log into the Korn/Ferry computer network with her username and password. SI 19o. She then turned the computer over to M.J., who used the Searcher database to download information from the database to the computer, including 25 source lists. SI 19o. I. Relevant Procedural History On January 12, 2009, Defendant filed a motion to dismiss various counts in the superseding indictment, including the CFAA counts. Docket No. 84. Defendant argued that the CFAA does not cover misuse or misappropriation of information obtained by employees with authorization to access the information, and that the counts should thus be dismissed because the indictment alleges nothing more. Id. at 3-7. Judge Patel denied Defendants motion to dismiss the CFAA counts, holding that the statute covered the situations alleged in the complaint. Docket No. 105. In September 2009, the Ninth Circuit decided LVRC Holdings LLC v. Brekka, which interpreted the CFAAs prohibition on accessing computers without authorization or exceeding authorized access. 581 F.3d 1127, 1133-35 (9th Cir. 2009). In light of Brekka, Defendant filed a renewed motion to dismiss on October 5, 2009. Docket No. 122. Judge Patel granted Defendants motion as to counts two, and four through seven, those counts which were predicated on allegations that Christian, J.F., or M.J. accessed Korn/Ferrys computers while they were still employed by Korn/Ferry, and thus still permitted to access the Searcher database. Docket No. 135 at 9.

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page7 of 16

1 2 3 4 5 6 7 8 9 10

The government appealed these dismissals to the Ninth Circuit. A three judge panel of the Ninth Circuit reversed, but Defendant successfully sought en banc review, and the en banc panel of the Ninth Circuit upheld the dismissals. United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). Though counts three, eight, and nine were not considered on appeal, Defendant now argues that the Ninth Circuits decision in Nosal requires that those claims be dismissed as well. III. DISCUSSION

Under Rule 12 of the Federal Rules of Criminal Procedure, a Defendant may make a motion to dismiss before trial raising any defense, objection, or request that the court can determine without a trial of the general issue. Fed. R. Crim. P. 12(2). In analyzing a motion to dismiss an indictment, the court must accept the truth of the facts alleged in the indictment. United States v. Boren, 278 F.3d 911, 914 (9th Cir. 2002). An indictment will withstand a motion to dismiss if it contains the elements of the charged offense in sufficient detail (1) to enable the defendant to prepare his defense; (2) to ensure him that he is being prosecuted on the basis of the facts presented to the grand jury; (3) to enable him to plead double jeopardy; and (4) to inform the court of the alleged facts so that it can determine the sufficiency of the charge. United States v. Rosi, 27 F.3d 409, 414 (9th Cir. 1994) (quoting United States v. Bernhardt, 840 F.2d 1441, 1445 (9th Cir. 1988)). An indictment will be found defective and dismissed if it fails to recite an essential element of the charged offence. United States v. Gondinez-Rabadan, 289 F.3d 630, 632 (9th Cir. 2002). The Supreme Court has held that [i]t is generally sufficient that an indictment set forth the offense in the words of the statute itself, as long as those words of themselves fully, directly, and expressly, without any uncertainty or ambiguity, set forth all the elements necessary to constitute the offence intended to be punished. Hamling v. United States, 418 U.S. 87, 117, 94 (1974) (internal citations and quotation marks omitted). The Ninth Circuit has noted, however, that implied, necessary elements, not present in the statutory language, must be included in an indictment. United States v. Jackson, 72 F.3d 1370, 1380 (9th Cir. 1995). On the other hand, indictments are not required to incorporate judicial decisions that have interpreted the statutory language. United States v. Renteria, 557 F.3d 1003, 1006-07 (9th Cir. 2009).

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page8 of 16

1 2 3 4 5 6 7 8 9 10

A.

CFAA Statutory Language The CFAA provides criminal penalties for an individual who: knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period

18 U.S.C. 1030(a)(4). In order to establish a violation of this provision, the government must show that Defendant (1) accessed a protected computer, (2) without authorization or exceeding such authorization that was granted, (3) knowingly and with intent to defraud, and thereby (4) further[ed] the intended fraud and obtain[ed] anything of value. Brekka, 581 F.3d at 1132. The statute does not define the term authorization, but does define the phrase exceeds authorized access as meaning to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter. Id. 1030(e)(6). Judge Patel initially denied Defendants motion to dismiss the CFAA counts under this provision. Docket No. 105. Judge Patel recognized that the Ninth Circuit had not yet addressed whether the CFAA applied to a user who was otherwise authorized to access a computer but who did so with the intent to misuse or misappropriate information. Id. at 6. Surveying cases from other circuits, however, she concluded that A CFAA violation under section 1030(a)(4) occurs when a person accesses a protected computer knowingly and with the intent to defraud which renders the access unauthorized or in excess of authorization and then, by means of such conduct, the person furthers the intended fraud. Id. at 8. As Defendant and his co-conspirators had accessed the Searcher database with the intent to make unauthorized use of the information therein, Judge Patel found that they were thus acting without authorization or in excess of authorized access. Id. at 9-10. B. LVRC Holdings v. Brekka Shortly thereafter, the Ninth Circuit considered the interpretation of the term without authorization under the CFAA in Brekka. 581 F.3d at 1133-35. In that case, which arose under the provision of the CFAA that allows a private right of action for anyone who suffers damage from violations of one of the criminal provisions of that Act, an employer sued a former employee who

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page9 of 16

1 2 3 4 5 6 7 8 9 10

had allegedly acted without authorization in emailing certain work files to his personal computer. Id. at 1129-30. At the time the defendant emailed himself the files, he was an employee with authorization to access the files in question in the course of performing his duties. Id. The employer argued, however, that he had violated the CFAA because he accessed and transmitted the files not for the purposes of executing his duties, but to further his own personal interests. Id. at 1132. The court rejected this argument, and held that whether an employee using an employers computer is acting with authorization depends not on the users intent, but on the employers actions to grant or deny permission to use the computer or relevant content. Id. at 1135. The court held that the prohibition on accessing a computer without authorization referred to one who accesses a computer without any permission at all, while a person who exceeds authorized access, has permission to access the computer, but accesses information on the computer that the person is not entitled to access. Id. at 1133. Based on this interpretation of the statute, the court concluded that the defendant had not acted either without authorization or in excess of his authorization because he had possessed authorization to access the relevant files at the time that he emailed them, and his motivation for doing so did not render his access without authorization. Id. at 1135. Following Brekka, Judge Patel reconsidered the earlier ruling denying Defendants motion to dismiss the CFAA claims. Docket No. 135. In her January 6, 2010 order, she noted that reading Brekka together with the statutory definition of exceeds authorized access makes clear that, an individuals intent in accessing a computer, be it to defraud or otherwise, is irrelevant in determining whether an individual has permission or is authorized to access the computer. Id. at 8. As counts two and four through seven were based on allegations that Christian and J.F. had accessed the Searcher database during their employment with Korn/Ferry, and thus during a period where they were authorized to access the database, Judge Patel found that they had not acted without authorization or in excess of authorization. Id. at 11. Accordingly, those claims were dismissed. Id. Considering the remaining counts under the CFAA, Judge Patel noted that on its face, the indictment did not explicitly specify who accessed the Searcher database in the incidents that are the basis for counts three and eight. Id. at 12; see SI 19b, 19f, 21. At the December 16, 2009 hearing on the motion to reconsider, the government indicated that at trial it intends to introduce evidence

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page10 of 16

1 2 3 4 5 6 7 8 9 10

that it was Christian who accessed the database on those occasions. Docket No. 135 at 12; Def.s Opp. at 3. In light of this disclosure, Judge Patel declined to dismiss those counts. Docket No. 135. at 12. As noted above, the second superseding indictment amends these counts to include allegations that Christian accessed the database on those occasions. SSI 19. As to count nine, Judge Patel noted that the indictment specifically alleged that J.F. had logged onto the database and then turned over access to M.J., who was then no longer a Korn/Ferry employee. Id. at 12-13; SI 19o, 21. As this count specifically alleged database access by an individual without authorization, Judge Patel denied the motion to dismiss this count. Docket No. 135 at 13. C. The Ninth Circuits Decision in Nosal The government appealed the dismissal of counts two and four through seven. On appeal, the Ninth Circuit sitting en banc rejected the governments argument that this case is distinguishable from Brekka because Korn/Ferry had an explicit policy forbidding use of the contents of the Searcher database for purposes other than performing ones duties as a Korn/Ferry employee. 676 F.3d at 857-58. The court held that exceeds authorized access in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use. Id. at 863-64. In so holding, the court expressed concern that interpreting the CFAA to create criminal penalties for violations of use agreements would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. Id. at 857. The court thus rejected the argument that an individual could be liable for accessing a computer in excess of authorization when they had permission to access the information on a computer, but did so for a purpose not condoned by the relevant use agreement. Id. The court noted that a related provision of the CFAA provided criminal penalties for exceeding authorized access of a computer even without any culpable intent. Id. at 859. Allowing a definition of exceeds authorized access that includes actions that violate use agreements (as opposed to access restrictions) would create sweeping criminal liability for users of the numerous websites and computer systems that have lengthy use agreements that often go unread by users. Id. at 860-62. Since the court found that the plain language of the CFAA did not clearly create liability for violations of use agreements, the rule of lenity precluded interpreting the law in such a way that

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

10

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page11 of 16

1 2 3 4 5 6 7 8 9 10

would create such sweeping liability. Id. at 863. Rather, a violation of the CFAA requires unauthorized access (or access that exceeds authorization), not misuse of information after obtaining authorized access. The court noted that the narrower interpretation of the phrase exceeds authorized access is more consistent with the text of the statute, the legislative history, and the purpose of the CFAA. Id. at 863-64. D. Application to Remaining CFAA Counts 1. Defendants Definition of Hacking

Defendant now argues that the Ninth Circuits opinion in Nosal limits the applicability of the CFAA to not just unauthorized access but to hacking crimes where the defendant circumvented technological barriers to access a computer. Thus, Defendant argues, the remaining CFAA claims must be dismissed because they do not include allegations that Defendant or his co-conspirators circumvented any technological access barriers. The Ninth Circuit acknowledged that the CFAA was passed primarily to address the growing problem of computer hacking. Id. at 858. The court further rejected the governments argument that accessing a computer without authorization was intended to refer to hackers, while accessing a computer in a way that exceeds authorized access necessarily refers to authorized users who access a computer for an unauthorized purpose. it is possible to read both prohibitions as applying to hackers: [W]ithout authorization would apply to outside hackers (individuals who have no authorized access to the computer at all) and exceeds authorized access would apply to inside hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files). This is a perfectly plausible construction of the statutory language that maintains the CFAAs focus on hacking rather than turning it into a sweeping Internet-policing mandate. Id. at 858 (emphasis in original). The court noted that the Defendants narrower interpretation [of the CFAA] is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking the circumvention of technological access barriers not misappropriation of trade secrets a subject Congress has dealt with elsewhere. Id. at 863. The court did not, however, explicitly hold that the CFAA is limited to hacking crimes, or discuss the implications of so limiting the statute. For example, the court did not revisit the elements

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

11

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page12 of 16

1 2 3 4 5 6 7 8 9 10

of crimes under 1030(a)(4) as articulated in Brekka, where it held the elements of a violation of that provision were: (1) accessing a protected computer; (2) without authorization or exceeding such authorization that was granted; (3) knowingly and with intent to defraud; and thereby (4) furthering the intended fraud and obtaining anything of value. Brekka, 581 F.3d at 1132. Nowhere does the courts opinion in Nosal hold that the government is additionally required to allege that a defendant circumvented technological access barriers in bringing charges under 1030(a)(4). Instead, Nosal holds only that it is not a violation of the CFAA to access a computer with permission, but with the intent to use the information gained thereby in violation of a use agreement. 676 F.3d at 863-64. The court did not address limits on liability under the CFAA based on the manner in which access is limited, whether by technological barrier or otherwise. Id. Thus, Defendants interpretation is not a fair reading of Nosal on this front is simply incorrect. Hacking was only a shorthand term used as common parlance by the court to describe the general purpose of the CFAA, and its use of the phase circumvention of technological access barriers was an aside that does not appear to have been intended as having some precise definitional force. Even if Nosal added a circumventing technological access barriers element to crimes under 1030(a)(4), the indictment sufficiently alleges such circumvention. As the government points out password protection is one of the most obvious technological access barriers that a business could adopt. Gov.s Opp. at 1. Faced with this reality, Defendant acknowledges that the Ninth Circuit did not offer a definition of hacking, and urges this Court to look to the definition in the Digital Millenium Copyright Act, which provides that to circumvent a technological measure means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner. 17 U.S.C. 1201(a)(3)(A). However, there is no legal basis to incorporate into the CFAA the Digital Millenium Copyright Act which was passed 14 years after the CFAA and which concerned matters separate and distinct from the CFAA.3 Moreover, it is noteworthy that neither the CFAA nor the The CFAA is aimed at addressing various forms of computer-related crime, such as hacking. See Nosal, 676 F.3d at 858. The Digital Millenium Copyright Act creates various criminal and civil penalties for circumventing copyright protection systems, including the circumvention of technological measures intended to protect copyrighted materials. 17 U.S.C. 1201-1204.
3

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

12

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page13 of 16

1 2 3 4 5 6 7 8 9 10

Digital Millenium Copyright Act employs the term hacking. In any event, even if the Digital Millenium Copyright Acts definition of circumvent a technological measure were to inform the scope of the CFAA, as noted above, the actions alleged in the indictment fall within it. Use of anothers password avoids and bypasses the technological measure of password protection. Defendant argues that the remaining CFAA claims fail because they do not allege J.F.s password was obtained illegally or without her consent. Def.s Mot. at 5. Defendants argument is premised in part on the notion that because J.F. allowed Defendants co-conspirators to use her credentials to access the Korn/Ferry system, the co-conspirators cannot be said to be acting without authorization in accessing the Searcher database. In Brekka, however, the Ninth Circuit made clear that it is the actions of the employer who maintains the computer system that determine whether or not a person is acting with authorization. Brekka, 581 F.3d at 1135 (The plain language of the statute therefore indicates that authorization depends on actions taken by the employer.). Further, the CFAA appears to contemplate that one using the password of another may be accessing a computer without authorization, as it elsewhere provides penalties for anyone who knowingly and with intent to defraud traffics in any password or similar information through which a computer may be accessed without authorization. 18 U.S.C. 1030(a)(6).4 Additionally, Defendant argues that the CFAA does not cover situations where an employee voluntarily provides her password to another by analogizing to the law of trespass with regards to physical property: Just as consensual use of an employees key to gain physical access is not trespass, consensual use of an employees computer password is not hacking. Def.s Mot. at 6. Defendant argues that the court in Nosal held that the CFAA was based on principles of trespass.

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

In support of his argument that there is no criminal liability under the CFAA because J.F. willingly provided her access credentials, Defendant cites to an example given by the court in Nosal, where the court, discussing the variety of terms to be found in use restrictions, notes that Facebooks user agreement makes it a violation of terms to allow another person to log into your account. Nosal, 676 F3d at 861. Besides constituting a mere example cited in dicta, that situation is distinguishable from the circumstances here. First, in the case of Facebook, what is at issue is a use restriction that restricts a user from giving their password to another person. Furthermore, allowing such person to use ones password permits them to access the users Facebook account containing the users personal account and information; it does not allow access to any Facebook trade secrets. In the case at bar, what is being accessed by circumventing the password protection is Korn/Ferrys trade secrets.

13

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page14 of 16

1 2 3 4 5 6 7 8 9 10

Id. This is a mischaracterization of the opinion in Nosal, which merely noted that the CFAA was passed to address the growing problem of hacking, and quoted a Senate report that stated [i]n intentionally trespassing into someone elses computer files, the offender obtains at the very least information as to how to break into that computer system. Nosal, 676 F.3d at 858 (quoting S.Rep. No. 99432, at 9 (1986), 1986 U.S.C.C.A.N. 2479, 2487 (Conf. Rep.)). Aside from these passing comments positing an analogy, Defendant points to nothing in the wording of the CFAA or interpretive case law to support its construction. If the CFAA were not to apply where an authorized employee gave or even sold his or her password to another unauthorized individual, the CFAA could be rendered toothless. Surely, Congress could not have intended such a result. 2. Access

United States District Court

11
For the Northern District of California

The factual scenario presented in count nine, does, however, raises the question of how to interpret the term access in the CFAA. Defendant argues that J.F. was the individual accessing the Korn/Ferry system when she logged in using her password, and that M.J.s use of the system after the login does not constitute unauthorized access within the meaning of the statute. The government, on the other hand, argues that access encompasses ongoing use, including M.J.s unauthorized use of the system after J.F. logged in. In support of its argument, the government cites to two Senate Reports from the CFAAs legislative history. The first, from the 1996 amendments to the CFAA, notes that the term obtaining information includes merely reading it. Sen. Rep. No. 104-357, at 7 (1996). The government argues that just as obtaining information may include merely reading, so too may access be as simple as reading the materials in question.5 The second Senate Report, associated with
5

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

The full context for the quote is: Information as used in this subsection includes information stored in intangible form. Moreover, the term obtaining information includes merely reading it. There is no requirement that the information be copied or transported. This is critically important because, in an electronic environment, information can be stolen without asportation, and the original usually remains intact. This interpretation of obtaining information is consistent with congressional intent expressed as follows in connection with 1986 amendments to the Computer Fraud and Abuse statute:

14

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page15 of 16

1 2 3 4 5 6 7 8 9 10

the 1986 version of the CFAA, notes the intention to criminalize knowingly trafficking in other peoples computer passwords. Sen. Rep. No. 99-432, at 3 (1986). This comment, however, seems to be in reference to 1030(a)(6) of the CFAA, which criminalizes trafficking in passwords, and is not at issue in the current case. See id. at 13. The Court need not opine on whether 1030(a)(4) should be read so broadly as to encompass the situation where an unauthorized person looks over the shoulder of the authorized user to view password protected information or files. The allegation in Count Nine is that J.F. logged on to the computer using her credentials, then handed over the computer terminal to M.J., who ran his own searches through the Korn/Ferry database and then downloaded files therefrom. Functionally and logically, this is no different than if J.F. gave M.J. the password, and M.J. typed in the password himself. The only distinction differentiating the two scenarios is one based on a constrained and hypertechnical definition of access in which access focuses solely on the moment of entry and nothing else. Not only would such a definition produce a non-sensical result; it is not supported by the language of the statute. The crime under 1030(a)(4) is accessing a protected computer, or not entering or logging on to a protected computer. 18 U.S.C. 1030(a)(4). Nothing in the CFAA suggests anything other than a common definition of the term access, applies. The Oxford English Dictionary defines access as, inter alia, [t]he opportunity, means, or permission to gain entrance to or use a system, network, file, etc. See Oxford English Dictionary, www.oed.com (emphasis added); see also Blacks Law Dictionary (defining access as, inter alia, [a]n opportunity or ability to enter, approach, pass to and from, or communicate with). The common definition of the word access encompasses not only the moment of entry, but also the ongoing use of a computer system. Under the facts alleged in the indictment, M.J. proceeded to

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Because the premise of this subsection is privacy protection, the Committee wishes to make clear that obtaining information in this context includes mere observation of the data. Actual asportation, in the sense of physically removing the date from its original location or transcribing the data, need not be proved in order to establish a violation of this subsection. Sen. Rep. No. 104-357, at 7 (1996) (quoting Sen. Report No. 99432, at 67 (1986)).

15

Case3:08-cr-00237-EMC Document314 Filed03/12/13 Page16 of 16

1 2 3 4 5 6 7 8 9 10

query Korn/Ferrys Searcher database and download information, after obtaining initial access. SI 19o. That J.F. entered the password for him rather than having M.J. type it himself does not alter the fact that in common parlance and in the words of the CFAA, M.J. accessed the protected computer system, and he did not have authorization to do so.6 IV. CONCLUSION

For the foregoing reasons, Defendants motion to dismiss the third, eighth, and ninth counts of the first superseding indictment is DENIED.7 This order disposes of Docket Nos. 274 and 276.

IT IS SO ORDERED.

United States District Court

11
For the Northern District of California

12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

Dated: March 12, 2013 _________________________ EDWARD M. CHEN United States District Judge

In his motion, Defendant also argued that the third and eighth counts must be dismissed because the first superseding indictment did not specify who used the Searcher database to download information. The second superseding indictment, however, has remedied this problem by alleging that Christian was the person who accessed the database on both occasions, and that she did so without authorization. SSI 19. Though the second superseding indictment does not allege who logged into the Korn/Ferry system with respect to count eight, it does allege that it was Christian who ran the queries in the database. For the reasons discussed above with respect to count nine, this is sufficient to allege that Christian accessed the database without authorization, and thus to state a violation of the CFAA. As noted above, the third, eighth, and ninth counts of the first superseding indictment correspond to the third, fourth, and fifth counts of the second superseding indictment.
7

16

You might also like