The US Court of Appeals for the Ninth Circuit [official website] on Tuesday rejected [opinion, PDF] the government's broad reading of the Computer Fraud and Abuse Act (CFAA) [text]. This decision directly contradicts the rulings of three other appeals courts that did allow for a broader reading of the law. Writing for the 9-2 majority, Chief Justice Alex Kozinski upheld the lower court ruling. He found that if the court followed the path the government wanted to take it would transform the purpose of the CFAA from an anti-hacking law into a misappropriation law. The government was asking that the portion of the law dealing with "exceeds authorized access" be read as including people who access unauthorized information while on a computer they were authorized to use.
If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions; which may well include everyone who uses a computer; we would expect it to use language better suited to that purpose. Under the presumption that Congress acts interstitially, we construe a statute as displacing a substantial portion of the common law only where Congress has clearly indicated its intent to do so.Judge Barry Silverman wrote the dissent, opining that this law had nothing to do with the non-criminal activities cited by the majority, but rather criminal fraud. He believed that the government's reasoning should be followed in order to protect against criminal activities. With a circuit split, it may be more likely that the Supreme Court will take up the issue.
The CFAA was enacted in 1986 to protect against federal computer hacking. Since then, the law has been used numerous times. In 2006, AT&T filed suit [JURIST report] against 25 people claiming they committed fraud by posing as potential customers to obtain information about other customers to be used in legal disputes. Courts have also attempted to use the law in cyber bullying cases. In 2009, a California appeals court overturned the conviction [case materials] of Lori Drew who had been convicted of setting up a fake Myspace account for a 13 year old girl, who eventually committed suicide.