No, Violating Your Employer's Computer Use Policy Is Not Criminal Hacking
from the office-facebookers-everywhere-breathe-a-sigh-of-relief dept
You may remember a story from last year about David Nosal, a man who was essentially convicted of computer hacking because the Ninth Circuit Court of Appeals determined that he “exceeded authorized access” on his employer’s computer system when he broke the written rules regarding how data on that system could be used (in this case, by accessing said data before leaving the company for a competitor). Whether or not accessing the data was some other legally actionable offense, its prosecution under the Computer Fraud and Abuse Act (CFAA) set an alarming precedent for the rest of us.
As noted at the time, if breaking any arbitrary rule a company places on its IT system is “hacking”, then most office workers could be in big trouble. Did you check Facebook using a company computer? You could be charged with criminal hacking if the rules say you shouldn’t. To make matters worse, as Orin Kerr argued then, prosecutions like this aren’t necessarily limited to desktop computers, since the line for what constitutes a computer is so blurry these days. Did you use your company smartphone to call home and tell your wife that you’ll be late for dinner? That could be good for ten years in prison, if company policy prohibits making personal calls from it.
Of course, this isn’t the first time prosecutors have tried to abuse the CFAA. Recall, if you will, the infamous case of Lori Drew, who was prosecuted under the theory that violating a Terms of Service was also the same thing as hacking. Ridiculous, to be sure, but a jury convicted her anyway. That conviction was eventually overturned by the judge in the case, but others haven’t been so lucky, and given the last decision by the Ninth, things were looking pretty grim for common sense.
Happily, however, the Ninth decided to re-hear David’s case en banc (meaning with all the judges, rather than a small panel of them), and has now reversed the previous ruling. The analysis by the always-entertaining Judge Kozinski makes it perfectly clear where the line is drawn:
We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. […] This narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere. Therefore, we hold that “exceeds authorized access” in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.
Since decisions have gone the other way in other circuits, Kozinski goes even further, and says that other courts have “failed to apply the long-standing principle that we must construe ambiguous criminal statutes narrowly” and that they at the Ninth “respectfully decline to follow our sister circuits and urge them to reconsider instead.”
Hopefully, other courts will heed this message, but for now, this is a win for everyone on the west coast.