Courts Stretching Computer Hacking Law In Dangerous Ways
from the that's-not-what-it's-for dept
Michael Scott points us to a very interesting analysis of how two different appeals courts have very different interpretations of our federal anti-hacking law. The Computer Fraud and Abuse Act was passed by Congress to create criminal sanctions for malicious computer hacking. The problem, of course, is that whenever you have politicians passing laws about technology, they may be a bit vague. So, the way hacking was defined was effectively to say that the perpetrator accessed info “without authorization” or (more troubling) that the activity “exceeds authorized access.” Now, it’s pretty obvious what’s meant by this. If you’re breaking into parts of a computer system where you don’t belong for nefarious purposes, you’re probably violating this law.
But that’s not how all courts are interpreting it. The article notes that the Seventh Circuit, in International Airport Centers, LLC v. Citrin, found that an employee violated this law by deleting information on his laptop (which would have presented evidence of a breach of contract by the guy), after he had resigned. Obviously, that’s a totally different situation than what the CFAA was intended to cover, but the court found that once he quit, he was no longer authorized to use the laptop, and doing so was effectively hacking. That seems like an extreme stretch of the law. But at least some other courts are following suit:
For example, in a case in the U.S. District Court for the Eastern District of Missouri, the district court relied upon the Citrin decision and held that, even if employees were authorized to access their employer’s computer records, they cannot use such authorization (and, hence, their access can become “unauthorized”), if they use the information for their own interests…. The court concluded that the employer sufficiently alleged that the employees “acted without authorization when they obtained [the employer’s] information for their personal use and in contravention of their fiduciary duty to their employer.”
Yes, you read that right. If you use your employer’s computer simply to access the company’s data for your personal use, you may be guilty of computer hacking. That’s quite clearly not what the law was intended to cover.
Thankfully, the Ninth Circuit (which all too often comes out with weird decisions) seems to have gotten this one right:
In declining to adopt the Seventh Circuit’s interpretation of “without authorization,” the court held that a “person uses a computer ‘without authorization’… [only] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”… The Ninth Circuit declined to hold that the “defendant’s authorization to obtain information stored in a company computer is ‘exceeded’ if the defendant breaches a state law duty of loyalty to an employer” because no such language was found in the CFAA…. The Ninth Circuit noted that because the CFAA was “primarily a criminal statute,” and because there was ambiguity as to the meaning of the phrase “without authorization,” it would construe any ambiguity against the government….
Obviously, I agree that this is the proper interpretation of the law — and stretching the definition of criminal hacking “without authorization” to things like accessing personal information on an employer’s computer is dangerous. Of course, with the split rulings, it’s likely that eventually this will get to the Supreme Court to sort out, and hopefully they get it right. Or, in the meantime, Congress could clarify the law — but chances are they’d just make it worse.