Court: If You Use Your Computer For Anything Your Employer Doesn't Like, You May Have Committed A Crime
from the holy-crap dept
Last year, we’ve noted some seriously troubling interpretations of the Computer Fraud and Abuse Act (CFAA). The law is designed to deal with malicious computer hacking — someone breaking into a secure computer and accessing secret or private info. Yet, it’s been twisted time and time again (sometimes in very different ways by different courts). However, this latest ruling is simply ridiculous. It effectively says if you do anything on your employer’s computer that the employer doesn’t like, you’ve committed a federal crime.
In this case, the United States vs. Nosal, it involved an employee who accessed some information on a computer system from his employer (which he was perfectly authorized to access while employed there), which he wanted because he was going to a competitor and knew that info could be useful. Now, there may be issues there in terms of trade secrets and other contractual or civil issues, but is it a crime? And is it computer hacking? Amazingly, the court said yes (disagreeing with the lower court ruling). It argued that because he was using the computer for a purpose that was not “authorized” by the employer, his overall use of the system was unauthorized, and thus, no different than if he hacked in. Seriously.
Part of the court’s decision relies on its interpretation of the word “so.” You see, the CFAA (in part) notes that unauthorized access means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” It then says that the all important “so” really means “in that manner,” restating the law as “to obtain or alter information in the computer that the accesser is not entitled [in that manner] to obtain or alter.” It then concludes that since the employer’s policy did not allow employees to access the info for use by a competitor, this violates the law, and is a crime:
As long as the employee has knowledge of the employer’s limitations on that authorization, the employee “exceeds authorized access” when the employee violates those limitations. It is as simple as that.
Except, it’s not that simple. Lots of employers put silly restrictions on how employees can use computers, such as saying you can’t do any personal surfing or check a personal email account. And yet, of course, plenty of people do just that. Should they be charged with being a federal criminal by the government? As Orin Kerr notes:
So it seems to me that under the majority?s reading of the statute, whenever any employer anywhere in the world puts any clear restriction of any kind on any computer — computer including anything with a microchip, and even perhaps just a thumb drive ? it is now a crime if the employee breaks the restriction. Sheesh, be careful out there, people. Whatever you do, don?t get on the wrong side of any Assistant U.S. Attorneys. And don’t tick off your boss.