Crime in the Suites: An Analyis of Current Issues in White Collar Defense
Author Archive
Jun 12
2017

The “Third Party” Catch-22

As the Department of Justice has been doubling down on law enforcement overreach, the Supreme Court has just decided to hear a case that may limit the use of a common tool that law enforcement uses to infringe upon the privacy rights of innocent people.

The case, Carpenter v. United States, arises out of a series of armed robberies in Michigan in 2010 and 2011.  As part of the investigation, police requested access to more than five months’ worth of cell phone location data for several suspects, including Timothy Carpenter.  This data allowed police to know the rough location of each suspect every time he used his phone during that period (and a more searching order could have provided constant, and more exact, location tracking).  Had the police wanted to get this information from their targets directly, they would have been subject to stringent warrant requirements under the Fourth Amendment to the Constitution.  A warrant must be narrow and can only be issued if a neutral judge finds, based upon a sworn statement under oath, that there is probable cause to believe that the warrant will turn up evidence of a crime.

However, because the suspects’ cell phone location data was held by third-party cell phone carriers, it is not protected by the Fourth Amendment under a legal principle called the “third party doctrine.”  This doctrine was created in 1979 in a case allowing for police to obtain a pen register—that is, a list of all the telephone numbers called from a given line—without a warrant.  In that case, the Court found that a person cannot have a “reasonable expectation of privacy” in information that was in possession of a third party.

This same reasoning has been extended to a shocking array of highly personal information that is entrusted to third parties—banking and financial records, emails, internet usage data, and even health records can all be excluded from constitutional protection under the third-party doctrine.  In virtually all of these cases, Congress has taken steps to offer some degree of protection to information that can be extremely personal, but these measures rarely, if ever, offer the same protection against law enforcement abuse as the Fourth Amendment’s warrant requirement.  For example, the cell site data at issue in Carpenter was obtained under the Stored Communications Act (“SCA”), which allows law enforcement to access information so long as it can show “reasonable grounds”—not necessarily under oath—“to believe that” the records sought “are relevant and material to an ongoing criminal investigation.”  This standard does not even require that the records have anything to do with a suspect—officers may seek the records of an innocent bystander or even a victim under this standard.

Part of the reason why this makes so little sense is that society has changed a great deal since 1979.  Back then, the phone company may know whom you had been calling, but they couldn’t track you once you hung up the phone.  The bank might have your deposit and withdrawal records, but it couldn’t track all of the purchases you made with your cash.

In the modern world, this has changed.  A credit card company can know almost everything you consume.  Your phone can track your location from moment to moment, and your social media accounts may record most of your thoughts over the course of a day.  And when you add in email servers, Fitbits, smart appliances, and various apps that organize your life, the third party doctrine has the potential to do away with any notion of privacy at all.  There simply no longer is a way to keep your personal information out of the hands of third parties without opting out of society entirely.

That is why it is so heartening that the Supreme Court has accepted the Carpenter case.  We can only help that the Court will recognize the changes that have occurred over the past four decades and rule that the Fourth Amendment protects our sensitive personal information even when it has been entrusted to third parties.  Until then, though, I would be careful where you use your cell phone, because you never know who may be looking over your shoulder just because they’re curious.

Jan 17
2017

Alexa: Play Confession

It sits in your house, passively recording everything you say.  It knows what you like.  It knows what you listen to.  It knows what you buy.  It knows who’s in the room with you.  And now, it might tell the police all about it.

“It” is the Amazon Echo, a revolution in the “internet of things.”  The Echo is a smart speaker that connects directly to Amazon’s cloud-based personal assistant service, Alexa.  It can play music; give you the traffic, weather, and news; handle your shopping; put things on your calendar; play games; and even respond appropriately to a wide array of cultural references, all in response to voice commands.  If you have the right add-ons, Alexa can even control your entire home, dimming your lights, adjusting the thermostat, and locking the doors.

It does this by passively listening for a given activation phrase—the default is “Alexa.”  Generally, Alexa does not record anything else (although it may store up to sixty seconds at a time in a buffer).  Once it hears its name, Alexa will begin recording and will send what follows to Amazon for processing—both to respond to a given request, and to store to improve responsiveness later.  On one hand, this means that Amazon is not actually recording everything you say, but only those specific commands directed to Alexa.  On the other hand, it means that Alexa is always listening.

This became relevant in a recent murder case in Bentonville Arkansas, in which police obtained a warrant for recordings from Amazon of commands given to the suspect’s Echo.  It is far from clear what police hope to gain from these recordings; they have a large amount of traditional evidence and, unless the murderer specifically asked Alexa for help, the recordings are unlikely to be incriminating.  Nevertheless, an attempt by police to seek recordings from a device that is virtually always listening to us in our homes is extremely disturbing.

These efforts are made even more concerning by recent court rulings on cell phone location data.  According to two federal appellate courts, because cell phones send this information to a third party (that is, to cell phone and app providers), it is not considered sufficiently private for protection from searches and seizures.  That means that police can access this data—which often allows an individual to be physically tracked from moment-to-moment—without even requesting a warrant.

If this principle is upheld by the Supreme Court (which, so far, has refused to consider the issue), it would mean that police could access daily recordings from the privacy of your own home on little more than a hunch and an informal request.  Though many may say they have nothing to hide, I doubt most of us would be comfortable knowing a police officer was looking over our shoulder twenty-four hours a day.

There is one barrier to that terrifying outcome, which is that Amazon has refused to comply with the Bentonville warrant and officers there have decided not to press the issue.  Like Apple, Amazon has taken it upon itself to protect its customers’ privacy.  But a private company cannot be expected to be the defender of its customers’ civil rights forever.

But until the law catches up to the state of technology, every one of our devices is capable of being turned into an informant against us.  And though Alexa can do a lot, it has yet to learn how to invoke its Fifth Amendment right to remain silent. Until it does, you might want to think twice before inviting Alexa–and potentially the police–into your home.

Dec 06
2016

‘Tis the Season of Giving: Supreme Court Expands Insider Trading Liability to Recipients of “Gift” Stock Tips

Just in time for the holiday season, the Supreme Court has ruled that gift-giving is truly its own reward.  But far from embodying the spirit of generosity that typically goes with that saying, the Court has ruled that the warm feeling one gets from giving to others can give rise to criminal insider trading liability. This ruling will extend insider trading liability for the recipients of tips, who were previously thought to be protected where they obtained information from an insider that was not the result of a quid pro quo exchange.

The case, Salman v. United States, dealt with a defendant who had received tips second-hand from a friend, Michael Kara, whose brother Maher was a trader at Citigroup.  Maher had initially turned to his brother for help understanding technical issues he encountered in his job but, eventually, began to share inside information with Maher with knowledge that Maher intended to trade on it.  Unknown to Maher, Michael shared some of these tips with his own friends, including Bassam Salman.  After making a significant amount of money trading on those tips, Salman was charged with insider trading and convicted following a jury trial.

Under a major 2014 ruling from a federal court in New York, Michael and Salman would have been protected from liability because they did not buy any stock tips from Maher or give him a share of their gains.  That 2014 case, United States v. Newman, emphasized the legal requirement that an insider receive a “personal benefit” from the recipient of a tip before the tippee could be charged with insider trading.  This requirement offered powerful protections for innocent parties who traded on tips they received without doing anything wrong.

But the Supreme Court ruled today that the personal gratification that a tipper enjoys when giving free information as a gift to a friend or relative is enough of a “personal benefit” to satisfy insider trading laws.  This all but does away with the personal benefit requirement, since it presumes that an insider benefits even when he receives nothing for information that he shares with another.

At one level, this may seem to make sense on the facts of Salman’s case.  One of the Court’s concerns was that a free stock tip may be no different from an insider trading on his own behalf and then giving the money away.  And that concern applied with particular force to Maher and Michael, since on one occasion Maher actually offered his brother money but was asked to give him inside information instead.

But the Court easily could have ruled narrowly on that basis; it did not.  Instead, by ruling that “the benefit one would obtain from simply making a gift of confidential information to a trading relative” is sufficient to satisfy insider trading laws, it has essentially removed one of the key limitations to the scope of insider trading laws, allowing for even an unthinking tip to a friend or relative to be the basis for criminal prosecution.  And although the Court left open the possibility that some gifts may not be meaningful enough to give rise to criminal liability, the breadth of today’s ruling suggests that exception is likely to be both small and difficult to prove.

That means that we should all be particularly careful as we get together with our families this December, particularly if a relative in the finance industry—or, indeed, in the corporate sector at all—offers up a stock tip at a family gathering.  Because the joy of giving can now lead to criminal exposure for the whole family.

Jun 08
2016

This Man Is Dodging Wall St.

Rather than confront accusations of baseless zeal and prosecutorial overreach, New York federal prosecutor Preet Bharara would rather spend his energy dodging accountability.

In 2010, Bharara launched a crusade against Wall Street, prosecuting several hedge funds he suspected of insider trading. Highly publicized raids followed. In the wake of the financial meltdown, Bharara was hailed as a hero. A Time cover story proclaimed, “This Man Is Busting Wall St.”

But many of those prosecutions went nowhere. A federal appellate court rejected the legal theory that the prosecutions were built on, and many cases were simply dropped. The SEC even agreed to return some of the money it had seized from several hedge funds.

This was cold comfort to people like David Ganek, the manager of Level Global—one of several hedge funds shut down by Bharara’s inquisition. Even while the case was pending, Bharara all but acknowledged that he meant to shutter Level Global, without regard for the presumption of innocence.

Sadly, even when defendants are harmed by prosecutorial overreach, broad immunity doctrines make it nearly impossible for the wrongly prosecuted to get justice.

But Ganek’s case involved more than just excessive zeal: the warrant used to raid Level Global depended on a false statement. A former employee of Level Global had told federal agents that Ganek did not know he was using information from corporate insiders, but the warrant application falsely said that Ganek did know. That gave Ganek a rare opportunity: federal agents can be shielded for overreaching, but there is no protection for lying.

Ganek sued officials from both the U.S. Attorney’s Office and the FBI (Ganek v. Leibowitz), claiming that the use of the false statement to prosecute him had violated his constitutional right against unreasonable searches and his due process rights. In March, a federal judge ruled that Ganek’s claim could go forward, rejecting claims of governmental immunity.

In most civil cases, overcoming this initial step is a big deal. It would allow Ganek to conduct discovery—that is, to investigate the facts behind his case by methods that can include obtaining documents from prosecutors and the FBI and depositions of federal officials under oath. This process can be extremely onerous—the cost of document production and the risks of laying bare a defendant’s inner workings to a hostile adversary have forced many defendants into settling dubious lawsuits. In addition to uncovering misrepresentations tied to his own case, Ganek also could investigate the conduct of federal officials more generally and, perhaps, even the supervisory practices of prosecutors and the FBI.

In a typical case, there would be no way to avoid this except by an expensive settlement—likely including a premium for avoiding discovery. But this is no typical case, and Preet Bharara is no typical litigant. Although most of us in Bharara’s position would have to wait until the end of a federal case before filing a single, final appeal, Bharara has relied on a narrow legal doctrine that allows him to appeal the court’s decision immediately, based on his claims of immunity. As a result, the court has delayed discovery and other proceedings indefinitely. Instead of accepting the need for transparency and letting Ganek be made whole for his wrongful prosecution, Bharara’s office will get a second bite at the apple by rearguing the issue of immunity in front of the U.S. Court of Appeals for the Second Circuit.

It is hard to imagine that Bharara will prevail on appeal—immunity does not cover outright lies by federal agents. Yet by belaboring a weak immunity argument, Bharara can postpone having to answer for the actions of his office for months, if not longer, while creating additional costs and burdens for Ganek.

This case goes beyond Ganek’s personal quest for justice. Civil suits like this are important for holding public officials accountable and can provide a window into how they operate. Bharara’s resistance sends a discomforting message: however merciless he may be towards his suspects, he should bear no consequences for his actions.

We’ll see if Ganek can prove him wrong.

Feb 26
2016

Police Make iPhone Public Enemy No. 1

AAEAAQAAAAAAAAQvAAAAJDc0MDUzNDFlLTMyMTMtNGQ5MS04ZjMxLWYzZWQ4NjNiYWM1ZA

FBI Director James Comey took a rare break from the posturing typical of investigators and prosecutors in the current showdown between Apple and the FBI.  While prosecutors argue that Apple’s privacy concerns are a smokescreen to avoid “assist[ing] the effort to fully investigate a deadly terrorist attack,” Comey posted a statement over the weekend in which he took the position that the tension between security and privacy “should not be resolved by corporations that sell stuff for a living.  It also should not be resolved by the FBI, which investigates for a living.  It should be resolved by the American people deciding how we want to govern ourselves in a world we have never seen before.”

Comey’s statement highlights a crucial problem with the development of privacy law: it often is developed in the context of important criminal cases.  This comes at a real cost.  We all know that Syed Farook committed a horrific crime, and any rights he once had against government searches are now forfeit.  But though Apple may have chosen to serve as a limited proxy for its consumers in the San Bernardino case, often the interests of private citizens are wholly absent from the courtroom (or, often, judge’s chambers) when issues of fundamental privacy are debated.

This leads to a serious imbalance: Apple is talking about the diffuse privacy rights of its consumers and the risks of potential incursions by more restrictive, less democratic governments such as China.  On the other hand, Manhattan District Attorney Cyrus Vance can point to 175 Apple devices that he cannot physically access even though those devices may contain evidence helpful to the government.

New York Police Commissioner Bill Bratton and one of his deputies put an even finer point on it in an Op-Ed in The New York Times, citing a specific case of a murder victim in Louisiana (more than one thousand miles outside of Mr. Bratton’s jurisdiction) whose murder is unsolved because officers cannot unlock her iPhone, which is believed to contain her killer’s identity. “How is not solving a murder, or not finding the message that might stop the next terrorist attack, protecting anyone?” asks Bratton.

But in assuming that private citizens have no greater fear than whether the police can investigate and prevent crimes, Bratton begs the question.  In reality, citizens may see law enforcement as a threat of itself.  Learning that the NSA was engaging in comprehensive warrantless surveillance likely has given many law-abiding Americans a greater incentive to protect their data from being accessed by the government.  Indeed, in light of the NYPD’s record over the last few years—including a finding by a federal judge that they were systematically violating the rights of black New Yorkers and a lawsuit over religion-based spying on Muslims—it is not hard to see why citizens might want protection against Bratton’s police force.

But even if the police were the angels they purport to be, opening a door for a white hat can easily allow access to a black one.  Less than a year ago, hackers used a “brute force” approach to exploit a flaw in iCloud’s security, and dozens of celebrities had their private photos shared with the world.  These sex crimes are all but forgotten in the context of the San Bernardino shootings, even though the security weakness the FBI wants installed in Farook’s iPhone is markedly similar to that exploited with respect to iCloud.

Nor do those who wish for privacy need to invoke hackers or criminals.  A private, intimate moment with a spouse or loved one; a half-finished poem, story, or work of art; or even a professional relationship with a doctor or mental health professional cannot exist unless they can remain private.  Once these interactions took place in spoken, unrecorded conversations or on easily discarded paper; now many of our daily activities are carried out on our mobile devices.  Even if one has nothing to hide, many citizens might balk at the prospect of having to preserve their private conversations in a format readily accessible by the police.

But if Mr. Comey has shown unusual insight, Mr. Bratton’s one-sided, myopic question illustrates the importance of Apple’s position and the inability of law enforcement officials to be objective about the interests at stake.  Police and prosecutors are not always your friends or your defenders.  Their goals are—and always will be—investigating and solving crimes and convicting suspected criminals.  The less an officer knows, the harder it will be to investigate a case.  As a result, privacy rights—even when asserted by innocent, law-abiding citizens—make their job more difficult, and many officers see those rights as simply standing in their way.

This is hardly news.  Nearly sixty years ago the Supreme Court observed that officers, “engaged in the often competitive enterprise of ferreting out crime,” are simply not capable of being neutral in criminal investigations.  For precisely that reason, the Fourth Amendment requires them to seek approval from a “neutral and detached magistrate” before a search warrant may issue.

That is why Mr. Comey’s acknowledgement that the FBI is not a disinterested party is so refreshing.  Pro-law-enforcement voices have been clamoring to require Apple to compromise the security it built into the iPhone, invoking their role as public servants to buttress their credibility.  But when it comes to privacy, the police do not—and cannot—represent the public interest.  As Comey acknowledged, they are “investigators,” and privacy rights will always stand as an obstacle to investigation.

Feb 19
2016

FBI Recruits Apple to Help Unlock Your iPhone

Alushta, Russia - October 27, 2015: Woman with headphones holding in the hand iPhone6S Rose Gold. iPhone 6S Rose Gold was created and developed by the Apple inc.

It is a well-known maxim that “bad facts make bad law.”  And as anybody even casually browsing social media this week likely has seen, the incredibly tragic facts surrounding the San Bernadino attacks last December have led to a ruling that jeopardizes the privacy rights of all law-abiding Americans.

First, it is important to clearly understand the ruling.  After the horrific attack in San Bernadino on December 2, 2015, the FBI seized and searched many possessions of shooters Syed Rizwan Farook and Tashfeen Malik in their investigation of the attack.  One item seized was Farook’s Apple iPhone5C.  The iPhone itself was locked and passcode-protected, but the FBI was able to obtain backups from Farook’s iCloud account.  These backups stopped nearly six weeks before the shootings, suggesting that Farook had disabled the automatic feature and that his phone may contain additional information helpful to the investigation.

Under past versions of iOS, the iPhone’s operating system, Apple had been able to pull information off of a locked phone in similar situations.  However, Farook’s iPhone—like all newer models—contains security features that make that impossible.  First, the data on the phone is encrypted with a complex key that is hardwired into the device itself.  This prevents the data from being transferred to another computer (a common step in computer forensics known as “imaging”) in a usable format.  Second, the iPhone itself will not run any software that does not contain a digital “signature” from Apple.  This prevents the FBI from loading its own forensic software onto Farook’s iPhone.  And third, to operate the iPhone requires a numeric passcode; each incorrect passcode will lock out a user for an increasing length of time, and the tenth consecutive incorrect passcode entry will delete all data on the phone irretrievably.  This prevents the FBI from trying to unlock the iPhone without a real risk of losing all of its contents.

As Apple CEO Tim Cook has explained, this system was created deliberately to ensure the security of its users’ personal data against all threats.  Indeed, even Apple itself cannot access its customers’ encrypted data.  This creates a unique problem for the FBI.  It is well-settled that, pursuant to a valid search warrant, a court can order a third party to assist law enforcement agents with a search by providing physical access to equipment, unlocking a door, providing camera footage, or even giving technical assistance with unlocking or accessing software or devices.  And, as the government has acknowledged, Apple has “routinely” provided such assistance when it has had the ability to access the data on an iPhone.

But while courts have required third parties to unlock doors, they have never required them to reverse-engineer a key.  That is what sets this case apart: to assist the government, Apple would have to create something that not only does not exist, but that it deliberately declined to create in the first instance.

On February 16, Assistant U.S. Attorneys in Los Angeles filed an ex parte motion (that is, without providing Apple with notice or a chance to respond) in federal court seeking to require Apple to create a new piece of software that would (1) disable the auto-erase feature triggered by too many failed passcode attempts and (2) eliminate the delays between failed passcode attempts.  In theory, this software is to work only on Farook’s iPhone and no other.  This would allow the FBI to use a computer to simply try all of the possible passcodes in rapid succession in a “brute force” attack on the phone.  That same day, Magistrate Judge Sheri Pym signed what appears to be an unmodified version of the order proposed by the government, ordering Apple to comply or to respond within five business days.

Though Apple has not filed a formal response, CEO Tim Cook already has made waves by publicly stating that Apple will oppose the order.  In a clear and well-written open letter, Cook explains that Apple made the deliberate choice not to build a backdoor into the iPhone because to do so would fatally undermine the encryption measures built in.  He explains that the notion that Apple could create specialized software for Farook’s iPhone only is a myth, and that “[o]nce created, this technique could be used over and over again, on any number of devices.  In the physical world, it would be the equivalent of a master key . . . .”

This has re-ignited the long-standing debate over the proper balance between individual privacy and security (and the debate over whether the two principles truly are opposed to one another).  This is all to the good, but misses a key point: Judge Pym’s order, if it stands, has not only short-circuited this debate, it ignores the resolution that Congress already reached on the issue.

Indeed, a 1994 law known as the Communications Assistance for Law Enforcement Act (“CALEA”) appears to prohibit exactly what the government requested here.  Though CALEA preserved the ability of law enforcement to execute wiretaps after changing technology made that more complicated than physically “tapping” a telephone line, it expressly does not require that information service providers or equipment manufacturers do anything to open their consumers to government searches.  But instead of addressing whether that purpose-built law permits the type of onerous and far-reaching order that was granted here, both the government and the court relied only on the All Writs Act—the two-century-old catch-all statute that judges rely on when ordering parties to unlock doors or turn over security footage.

Though judges frequently must weigh in and issue binding decisions on fiercely contested matters of great importance, they rarely do so with so little explanation, or after such short consideration of the matter.  Indeed, when the government sought an identical order this past October in federal court in Brooklyn, N.Y., Magistrate Judge James Orenstein asked for briefs from Apple, the government, and a group of privacy rights organizations and, four months later, has yet to issue an opinion.  Yet Judge Pym granted a similar order, without any stated justification, the same day that it was sought.

An order that is so far-reaching, so under-explained, and so clearly legally incorrect is deeply concerning.  And yet, but for Apple’s choice to publicize its opposition, this unjustified erosion of our privacy could have happened under the radar and without any way to un-ring the bell.  Fortunately, we appear to have avoided that outcome, and we can hope that Apple’s briefing will give the court the additional legal authority—and the additional time—that it will need to revisit its ruling.

Jan 15
2016

Oklahoma Judge Rejects Penalties for Rolling the Dice Before a Jury

Casino chips and gavel in gambling legal concept

As a matter of course, federal prosecutors often pile on charges in order to strong-arm defendants into entering a favorable guilty plea quickly. Those who exercise their jury trial right and put the government to its proof often receive harsh sentences based on these overreaching indictments. But last week, a federal judge in Oklahoma took a rare stand against this practice.

United States v. King, a fifty-nine-defendant prosecution, appeared to be following the typical pattern. Though the only unlawful conduct seemed to be violations of the payment-processing provisions of the Unlawful Internet Gaming and Enforcement Act (“UIGEA”), the government had charged the defendants with gambling, money laundering, and even racketeering offenses carrying lengthy prison sentences. Several defendants entered favorable guilty pleas, likely because of sticker shock at the relevant sentencing guidelines.

However, many other defendants chose to go to trial and several jury trials were held before the Honorable Stephen P. Friot, resulting in convictions on one or more counts. Having given up their chance for a favorable plea, it appeared that those who went to trial would be sentenced harshly under laws intended to combat organized crime. But before sentencing, Judge Friot took the unusual step of issuing “Preliminary Findings and Comments with Respect to Sentencing” in which he took a critical eye to typical charging and sentencing practices.

Judge Friot’s focus was the requirement under federal law that a sentence be “sufficient, but not greater than necessary,” to punish offenders and deter future crimes. To give meaning to this vague standard, Judge Friot took the unusual step of quoting from a letter that was written by the jury foreman in one of the trials, who said:

The way I look at it, with all the “legal” sports gambling that goes on the U.S.[,] coupled with the fact that no one was physically harmed and nobody was forced to place bets, I see no threat to society by allowing both Mr. Dorn and Mr. Korelewski [sic] to avoid prison time. I truly believe that our taxpayer money is better spent on these “criminals” by allowing them the opportunity to make a legal living outside of prison walls. I strongly support some sort of deferred sentence or probation.

Though Judge Friot said that this letter was not “determinative,” he also refused to rely on the government’s charging decisions in deciding how to sentence those convicted, focusing instead on “the real conduct that should be punished.” He concluded by saying that he was “particularly interested in what the government may have to say about” why those particular defendants should be imprisoned. In light of this skepticism, it is not surprising that his subsequent sentences were for probation or time served, not further imprisonment.

The ability of prosecutors to charge minor offenses as if they were serious crimes often turns the constitutional right to a jury trial into a very risky proposition. Judge Friot’s thoughtful opinion recognizes that even if defendants can be punished for their role in unlawful gambling, they should not be penalized for the decision to roll the dice before a jury.

posted in:
Uncategorized
Nov 04
2015

Is It Ever Okay to Share Passwords?

Sign Up Usename Password Log In Protection Concept

If you’ve ever let your kids sign into your Netflix or HBO Go account, or given your marketing department access to your Twitter feed, you may be committing a federal crime, depending on how the Ninth Circuit rules on a case argued before it just last month.

The case, United States v. Nosal, is the latest chapter in a series of cases in which federal prosecutors have used a thirty-year-old anti-hacking statute to turn seemingly routine business disputes into federal felony cases.  The statute, known as the Computer Fraud and Abuse Act (CFAA), contains broad prohibitions on accessing a computer system “without authorization” or in a way that “exceeds authorized access.”  Though intended to prevent malicious hacking and espionage, those prohibitions have repeatedly been applied to disgruntled former employees who logged back into company databases to access proprietary information after their termination and when their authorization to access those files had been revoked.

However, the Nosal case goes a step further, and a ruling in favor of the United States threatens to criminalize password sharing of all kinds.  Nosal was an executive at the recruiting firm Korn Ferry International (KFI).  After he left the firm, he obtained the help of several former colleagues to obtain protected KFI data to start a competing business.  Although several of the charges against Nosal were thrown out in an earlier case, he was still prosecuted for accessing KFI files using his former assistant’s login information, which she had given him willingly.

According to prosecutors, Nosal’s former assistant was not authorized to give him access to KFI’s systems under the company’s computer usage policy, and so his use of that password was “without authorization” by the proper authorities.  Upholding that argument could have a broad reach because so many password-protected services have prohibitions against password sharing in their user agreements, including Netflix, LinkedIn, Facebook, and HBO Go, to name a few.  For that reason, a ruling that the CFAA prohibits password sharing when not authorized by these agreements could turn us all into criminals.

Following argument, this case is difficult to handicap.  Although Judge McKeown seemed particularly concerned with the fact that Nosal clearly had engaged in wrongful conduct when he knew his authorization had been revoked, Chief Judge Thomas and Judge Reinhardt clearly recognized the scope of the issue at stake, and all three panel members were concerned by the government’s apparent lack of a limiting principle.

A ruling can be expected in the next few months.  Until then, all we can do is hold our breath, and hope that the court ensures that the next time we share an account with the others in our household, we won’t end up living an episode ofOrange is the New Black instead of just watching it.

Connect with Us Share

About Ifrah Law

Crime in the Suites is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, health care, and financial services litigation and fraud defense. Further, the firm's E-Commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen and George Calhoun, counsels Jeff Hamlin and Drew Barnholtz, and associates Rachel Hirsch, Nicole Kardell, Steven Eichorn, David Yellin, and Jessica Feil. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!

Visit the Ifrah Law Firm website