Court: If You Use Your Computer For Anything Your Employer Doesn't Like, You May Have Committed A Crime

from the holy-crap dept

Last year, we’ve noted some seriously troubling interpretations of the Computer Fraud and Abuse Act (CFAA). The law is designed to deal with malicious computer hacking — someone breaking into a secure computer and accessing secret or private info. Yet, it’s been twisted time and time again (sometimes in very different ways by different courts). However, this latest ruling is simply ridiculous. It effectively says if you do anything on your employer’s computer that the employer doesn’t like, you’ve committed a federal crime.

In this case, the United States vs. Nosal, it involved an employee who accessed some information on a computer system from his employer (which he was perfectly authorized to access while employed there), which he wanted because he was going to a competitor and knew that info could be useful. Now, there may be issues there in terms of trade secrets and other contractual or civil issues, but is it a crime? And is it computer hacking? Amazingly, the court said yes (disagreeing with the lower court ruling). It argued that because he was using the computer for a purpose that was not “authorized” by the employer, his overall use of the system was unauthorized, and thus, no different than if he hacked in. Seriously.

Part of the court’s decision relies on its interpretation of the word “so.” You see, the CFAA (in part) notes that unauthorized access means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” It then says that the all important “so” really means “in that manner,” restating the law as “to obtain or alter information in the computer that the accesser is not entitled [in that manner] to obtain or alter.” It then concludes that since the employer’s policy did not allow employees to access the info for use by a competitor, this violates the law, and is a crime:

As long as the employee has knowledge of the employer’s limitations on that authorization, the employee “exceeds authorized access” when the employee violates those limitations. It is as simple as that.

Except, it’s not that simple. Lots of employers put silly restrictions on how employees can use computers, such as saying you can’t do any personal surfing or check a personal email account. And yet, of course, plenty of people do just that. Should they be charged with being a federal criminal by the government? As Orin Kerr notes:

So it seems to me that under the majority?s reading of the statute, whenever any employer anywhere in the world puts any clear restriction of any kind on any computer — computer including anything with a microchip, and even perhaps just a thumb drive ? it is now a crime if the employee breaks the restriction. Sheesh, be careful out there, people. Whatever you do, don?t get on the wrong side of any Assistant U.S. Attorneys. And don’t tick off your boss.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Court: If You Use Your Computer For Anything Your Employer Doesn't Like, You May Have Committed A Crime”

Subscribe: RSS Leave a comment
37 Comments
MrWilson says:

Since the corporations are becoming our feudal lords, this, sadly, isn’t surprising at all.

We don’t need to vote anymore. Our corporate employers hire lobbyists to push legislation. What benefits the corporation, benefits us, right? It’s for our own good. Go back to watching your soft porn on HBO and leave running the country to your masters.

Christopher Gizzi (profile) says:

Not a big worry

I know it sucks that employees who want to use their work equipment for personal use might find it no longer possible – by filters or by policy enforcement.

But it’s not going to be long when this doesn’t matter. Smartphones and 3G connected netbooks and tablets are going to render this moot in a year or so. True, it’s an extra expense for the employee. But if it means you can do just about whatever you want on your own equipment and save you the risk of an employer snooping into your affairs, why wouldn’t you?

The fact of the matter remains that if you don’t like the policies, don’t work at a place that has them. It sucks, yes. But do what I do… use my iPhone and iPad to do my email. Hooking up a wireless keyboard to them (like many other phones and tablets can do) makes it almost like your desktop without any employer able to claim misuse of company property or network.

Just only do that sort of thing if you’re getting your work done.

Matthew A. Sawtell (profile) says:

Nice try at spin, but...

Nice try at spin, but that’s like saying folks like Anna Chapman were just “trying to observe things better”. Sorry, but it looks like Mr. Nosal tried to be ‘cute’ before left a gig for a new gig, and got caught. Instead of taking a physical prototype or confidential rolodex, he tried to take a “virtual” version.

Josh in CharlotteNC (profile) says:

Re: Nice try at spin, but...

Sorry, but it looks like Mr. Nosal tried to be ‘cute’ before left a gig for a new gig, and got caught. Instead of taking a physical prototype or confidential rolodex, he tried to take a “virtual” version.

Mike was very clear in saying that he likely had civil or contractual issues. The question is whether he deserves a federal felony charge under the CFAA for something which was not hacking.

Don’t federal prosecutors have better things to do than put a guy in jail for taking information (which he has legitimate access to) with him when he leaves a job?

Matthew A. Sawtell (profile) says:

Re: Re: Nice try at spin, but...

Sorry Josh… but reading the legal brief that Mike provided – it looks like Mr. Nosal had to get other associates of the company to provide that information for him, since he was an ‘ex-employee’ (paragraph 2 on the fourth page). From the looks of it, either they e-mailed him the info from work (a big no-no) or they gave him the ID/Passwords to access it at his leisure (a bigger no-no). If what happened was the later, it is hacking with a capital H. If it was the former then it hacking with a small h (because he is employing a third party to do the dirty work).

I have to wonder about those three employees – what charges did they get?

Anonymous Coward says:

Re: Re: Re: Nice try at spin, but...

“it looks like Mr. Nosal had to get other associates of the company to provide that information for him, since he was an ‘ex-employee’ (paragraph 2 on the fourth page)”

the paragraph before that says after becoming an ex-employee he was hired on as an independent contractor, so I imagine some of it he had access to the rest he needed the 3 other people for.

“From the looks of it, either they e-mailed him the info from work (a big no-no) or they gave him the ID/Passwords to access it at his leisure”

it alleges that they “transferred to Nosal Source lists, names ….” so it certainly implies the former

“If it was the former then it hacking with a small h” having someone send you data they have access to and you dont is NOT hacking, as we are discussing below they had laws to charge him with, this is not hacking and is not what the CFAA should be used for

HM says:

Re: Nice try at spin, but...

I dont think the point is that he didnt do anything wrong, because clearly this is a douche move. But as the article says this is crime involving trade secrets or contract violations not hacking. The have laws they could have used to arrest this guy http://www.nolo.com/legal-encyclopedia/trade-secret-basics-faq-29099-6.html .

He is not a hacker and this is not the intent this law was written for. It created a ridiculous legal precedent. Don’t read the article as “man arrested for bullshit” read it as “CFAA stretched well beyond it purpose, yet again”

PaulT (profile) says:

Re: Nice try at spin, but...

So, you fail at reading comprehension yet again?

Mike was very explicit in saying that what he did is wrong, and would likely be a violation of trade secrets, his contract or other civil matters. That’s not in question. What is in question is whether or not this should be treated as a criminal matter.

Do you disagree, or is this one of those instances where you just *have* to attack Mike for something even though you agree with everything he;’s actually said?

Anonymous Coward says:

Umm....

Ok, from what I see, this guy was committing a crime; Violating trade secret and steeling proprietary information. He is getting charges stacked upon him because of the additional use of a computer during the crime. This is much the same way hate crimes work or armed criminal action charges work.

This headline and discussion should be much more along the lines of “any use of a computer in a crime declared hacking”.

That isn’t to say that position makes sense but that’s not what I read from this information.

Steve says:

Re: Umm....

I’m sure someone will correct me if I’m wrong…

“Stealing” trade secrets is a civil offense, and something you can be sued by your ex-employer for. The problem here lies with the fact that this ruling makes it a criminal offense because it included a computer (like everything does now).

Anonymous Coward says:

Re: Re: Re: Umm....

Not a lawyer myself, but when I read the statute, I see phrases like “with the knowledge or intent that the theft will benefit a foreign power”.

I’m sure there’s more to it than that, and I’m not saying that it can’t be used against someone who stole info from one US company and gave it to another US company (especially with today’s corporate-coddling administration), but to date, all the convictions under this statute have been for folks stealing trade secrets and selling them to foreign entities.

Anonymous Coward says:

Re: Re: Re:2 Umm....

this site lays it out pretty well

http://www.poznaklaw.com/articles/econoespionage.htm

even though the background is atrocious and makes my eyes bleed. I really had to copy paste to Office to read it.

but the only thing i see relating to foreign is this requirement to be in violation of the law:
(6) the trade secret was related to or was included in a product that was produced or placed in interstate or foreign commerce.

so unless its purely an intrastate product you could be charged for taking info from one American company to another. I cant think of anything that would be only an intrastate product these days, although im sure someone will point one out.

I agree that it seems most of the convictions seem to involve selling secrets to foreign entities, but certainly not ALL of them.
http://tradesecretshomepage.com/indict.html#_Toc9924962,

Point being if they wanted to string this guy up they had laws to do it with they didn’t need to make me a criminal for typing this post.

aldestrawk says:

This case is similar to the Lori Drew (cyberbullying) case. Instead of a violation of some web-site’s TOS becoming a federal crime, a violation of some employer’s work policy is now a federal crime. The judge who overturned her conviction stated in reference to the original decision that it:

?would convert a multitude of otherwise innocent internet users into misdemeanant criminals.?

and:
“allowing a conscious violation of website’s Terms of Service to be a misdemeanor violation of the CFAA would essentially give a website owner the power to define criminal conduct.”

The federal prosecutor decided not to appeal that decision. If he had, it would have ended up in the Ninth Circuit Court and Orin Kerr would have been representing the defendant.

It doesn’t take much to go from a misdemeanor violation to a felony. Also, it is very easy to claim there is some sort of fraud involved (e.g stealing bandwidth from the company) which gives an extra count and a potential maximum of 10 years in a federal prison. The enhancement of penalties for using a computer is now akin to using a gun in a crime. The trouble is, computers are universally used for a multitude of reasons unlike a gun. Remember also, a cell phone has been determined to be a computer in this context. The penalties involved can now far outweigh the crime and these decision are starting to make criminals of us all. Something has to give.

Darryl says:

Sure, if it was YOUR computer -- but its not.

Court: If You Use Your Computer For Anything Your Employer Doesn’t Like, You May Have Committed A Crime

first ITS NOT YOUR COMPUTER !!!

Only an idiot would write a headline like that ! (Mike).

“If you use YOUR EMPLOYERS COMPUTER for anything YOUR EMPLOYER does not like, YOU HAVE COMMITTED A CRIME”

If you use anything that is NOT YOURS for a purpose that is not legal then you have or could easily have commited a crime.

You go to work to get paid, to do a job that you have been employed to do.

You do not go to work so you can see what ‘else’ you can ‘steal’ from the company that has taken the risk to employ you.

They did not employ you for you to use their internet bandwidth, or to ‘do your own thing’ or to make extra money on the side, on the companies time and money.

Or to actively work to subvert the company that you are allready working for.

Not only are you a leach on the company you are working for, and stealing off, but you cause that company to charge more for their products and services due to the loss you are causing them.

for example, if 100% of people at a company use their computers (or other company equipment) for their own use for 10% of the time, that is a drop of 10% total productivity.

That means the products and services that company provides will cost 10% more to create.

That might mean the difference between success or failure in the market.

Justin Olbrantz (Quantam) (user link) says:

Re: Sure, if it was YOUR computer -- but its not.

“for example, if 100% of people at a company use their computers (or other company equipment) for their own use for 10% of the time, that is a drop of 10% total productivity.”

Factually false.

You might want to read up on the Japanese and other similar cultures. The Japanese work notoriously long hours, but do not accomplish anywhere near a proportionate amount more than people who work shorter hours.

The reason, as science tells us, is that time spent working and productivity are not proportionate. There are psychological limits to focus and attention, and if you forcefully exceed that you’re gonna see productivity fall (not to mention the possibility of harming the mental health of employees, which would only further decrease productivity far into the future). In fact, in such a case resting often increases productivity (and mental health), despite less time spent working.

Gene Cavanaugh (profile) says:

Computer crime in employment

Excellent article, but it appears to me you are misreading the judgment (I haven’t read it, so I may be wrong). If it says what you indicate it says, it is no different than copying a set of documents that you know are proprietary and sensitive, and taking them with you to give to a future employer, knowing full well that you are deliberately harming your employer for personal gain.

Sounds like a good ruling.

Eric says:

Words are words...

I agree that he shouldn’t be charged with hacking, BUT the Judges can not ignore the law and say it isn’t a good law. They have to read the law and abide by it. They aren’t the ones who made the law, they are just the ones interpreting it. They possibly could have interpreted it differently and then they would have just appealed it hoping the next judge would see things their way.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...