
No, Violating Your Employer's Computer Use Policy Is Not Criminal Hacking

from the office-facebookers-everywhere-breathe-a-sigh-of-relief dept

You may remember a story from last year about David Nosal, a man who was essentially convicted of computer hacking because the Ninth Circuit Court of Appeals determined that he "exceeded authorized access" on his employer's computer system when he broke the written rules regarding how data on that system could be used (in this case, by accessing said data before leaving the company for a competitor). Whether or not accessing the data was some other legally actionable offense, its prosecution under the Computer Fraud and Abuse Act (CFAA) set an alarming precedent for the rest of us.

As noted at the time, if breaking any arbitrary rule a company places on its IT system is "hacking", then most office workers could be in big trouble. Did you check Facebook using a company computer? You could be charged with criminal hacking if the rules say you shouldn't. To make matters worse, as Orin Kerr argued then, prosecutions like this aren't necessarily limited to desktop computers, since the line for what constitutes a computer is so blurry these days. Did you use your company smartphone to call home and tell your wife that you'll be late for dinner? That could be good for ten years in prison, if company policy prohibits making personal calls from it.

Of course, this isn't the first time prosecutors have tried to abuse the CFAA. Recall, if you will, the infamous case of Lori Drew, who was prosecuted under the theory that violating a Terms of Service was also the same thing as hacking. Ridiculous, to be sure, but a jury convicted her anyway. That conviction was eventually overturned by the judge in the case, but others haven't been so lucky, and given the last decision by the Ninth, things were looking pretty grim for common sense.

Happily, however, the Ninth decided to re-hear David's case en banc (meaning with all the judges, rather than a small panel of them), and has now reversed the previous ruling. The analysis by the always-entertaining Judge Kozinski makes it perfectly clear where the line is drawn:

    We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. [...] This narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere. Therefore, we hold that “exceeds authorized access” in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.

Since decisions have gone the other way in other circuits, Kozinski goes even further, and says that other courts have "failed to apply the long-standing principle that we must construe ambiguous criminal statutes narrowly" and that they at the Ninth "respectfully decline to follow our sister circuits and urge them to reconsider instead."

Hopefully, other courts will heed this message, but for now, this is a win for everyone on the west coast.


Reader Comments

  1.  
    Joe Publius (profile), Apr 11th, 2012 @ 11:34am

    We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals.

    Ahh, so that's why Congress is now writing criminal statutes so broadly. I see now!

     


  2.  
    GMacGuffin (profile), Apr 11th, 2012 @ 11:42am

    Lovely ...

    The CFAA has been problematically applied, er ... bunches of times in both civil and criminal contexts, so this is a comforting result.

     


  3.  
    Joe Publius (profile), Apr 11th, 2012 @ 12:01pm

    Salting the Wound

    I've always thought that it was just tacky to do it. Isn't it enough that you can fire someone if you tell an employee how work software and hardware uses are allowed, but the employee abuses/misuses it?

    Sending a tasteless joke via email can certainly be grounds for dismissal, but unless it's hiding or distributing malware, there's no hacking involved at all.

     


  4.  
    doughless (profile), Apr 11th, 2012 @ 12:11pm

    Re:

    Regardless of Congress's shortcomings, this is a very good thing to hear from a judge.

     


  5.  
    Zos (profile), Apr 11th, 2012 @ 12:19pm

    Re: Re:

    not really, the system is still a stinking broken morass.

     


  6.  
    Berenerd (profile), Apr 11th, 2012 @ 12:38pm

    I do have some issue with this...

    He accessed information that he had permissions to access? Or was it in a folder he should not have had access to? If he used someone else's password or their system while they stepped away, yes, this would be illegal and would warrant a trial. If he accessed his user drive and took that information, then no, not hacking. If you accessed Facebook by typing in Facebook.com then no, not illegal. You found a way around the blocks put in place? This would be on the edge. You broke through the web filtering using an exploit? Yes, illegal.

     


  7.  
    Anonymous Coward, Apr 11th, 2012 @ 1:38pm

    Re: I do have some issue with this...

    Wait, you are telling me if I find a way to get around my company's web filter I should be tried as a felon using the Computer Fraud and Abuse Act? That is the stupidest thing I have heard all day and I work with the developmentally delayed.

     


  8.  
    Watchit (profile), Apr 11th, 2012 @ 2:02pm

    Re: Re: Re:

    Think of it as at least being better than if the judge had ruled the other way around

     


  9.  
    wizened (profile), Apr 11th, 2012 @ 2:36pm

    Re: I do have some issue with this...

    Well that was an amazingly uninformed opinion stated as fact.

     


  10.  
    AC Cobra, Apr 11th, 2012 @ 5:13pm

    Thank god...

    ...for this glimmer of sanity. I think the biggest "cyber-threat" to all of us nowadays is the technological illiteracy of most of the judiciary!

     


  11.  
    TtfnJohn (profile), Apr 11th, 2012 @ 10:00pm

    Re: I do have some issue with this...

    You don't even have to go to that extreme to get why he was prosecuted and it would have had little or nothing to do with hacking (more properly cracking) but almost all to do with his employment contract. It's standard in any employment contract that an employee treat most documents they see as confidential unless expressly tagged as public. And very few are. Data an employee has access to in the normal course of their job is to be treated the same.

    Nothing in the post indicates that he went around security features of the corporate network, only that he took data with him to his new employer, something he could have off-loaded onto a thumb drive or whatever or, even foolishly, zipped up and emailed home.

    None of that involves going beyond his normal access except that he took it home to show to his new employer which, until he walks out the door for the last time, breaks his employment contract and his duty of confidentiality.

    He didn't have to crack anything to get the data. So what's popularly called "hacking" never enters into it. It sounds more romantic to call it "hacking" but for the most part these sorts of things don't involve that.

     


  12.  
    Chris-Mouse (profile), Apr 12th, 2012 @ 6:33am

    Re: Re: I do have some issue with this...

    But then why use the CFAA to prosecute? If the former employee violated an employment contract, then that would leave him open to a civil suit for breach of contract, would it not?

    The only reason I can see for using the CFAA is to get the taxpayer to pick up the legal costs of enforcing a civil contract that may or may not exist.

     


  13.  
    Cerberus (profile), Apr 12th, 2012 @ 8:49pm

    Re:

    "...the long-standing principle that we must construe ambiguous criminal statutes narrowly": yeah, I wish judges stuck to this always, instead of allowing private parties to have them do the opposite, i.e. interpreting copyright and such in increasingly broader terms, and the loss of the DMCA safe harbor too.

     


