No, Violating Your Employer's Computer Use Policy Is Not Criminal Hacking
You may remember a story from last year about David Nosal, a man who was essentially convicted of computer hacking because the Ninth Circuit Court of Appeals determined that he “exceeded authorized access” on his employer’s computer system when he broke the written rules regarding how data on that system could be used (in this case, by accessing said data before leaving the company for a competitor). Whether or not accessing the data was some other legally actionable offense, its prosecution under the Computer Fraud and Abuse Act (CFAA) set an alarming precedent for the rest of us.
As noted at the time, if breaking any arbitrary rule a company places on its IT system is “hacking”, then most office workers could be in big trouble. Did you check Facebook using a company computer? You could be charged with criminal hacking if the rules say you shouldn’t. To make matters worse, as Orin Kerr argued then, prosecutions like this aren’t necessarily limited to desktop computers, since the line for what constitutes a computer is so blurry these days. Did you use your company smartphone to call home and tell your wife that you’ll be late for dinner? That’s could be good for ten years in prison, if company policy prohibits making personal calls from it.
Of course, this isn’t the first time prosecutors have tried to abuse the CFAA. Recall, if you will, the infamous case of Lori Drew, who was prosecuted under the theory that violating a Terms of Service was also the same thing as hacking. Ridiculous, to be sure, but a jury convicted her anyway. That conviction was eventually overturned by the judge in the case, but others haven’t been so lucky, and given the last decision by the Ninth, things were looking pretty grim for common sense.
Happily, however, the Ninth decided to re-hear David’s case en banc (meaning with all the judges, rather than a small panel of them), and has now reversed the previous ruling. The analysis by the always-entertaining Judge Kozinski makes it perfectly clear where the line is drawn:
We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. […] This narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere. Therefore, we hold that “exceeds authorized access” in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.
Since decisions have gone the other way in other circuits, Kozinski goes even further, and says that other courts have “failed to apply the long-standing principle that we must construe ambiguous criminal statutes narrowly” and that they at the Ninth “respectfully decline to follow our sister circuits and urge them to reconsider instead.”
Hopefully, other courts will heed this message, but for now, this is a win for everyone on the west coast.
Re: No longer worth the effort
Re:
"Ginsburg, J., filed an opinion concurring in part and dissenting in part. Gorsuch, J., took no part in the consideration or decision of the case."
Re: Re: Re: Re:
Me: "The government forcing companies to provide design diagrams and hardware is a bridge too far." David: "I can't believe you think the government forcing companies to provide design diagrams and hardware is a bridge too far. You must be brainwashed." You: "He never said the government should force people to do anything!" Try to keep up, here.
Re: Re:
You seem to be unable to distinguish between "I think XYZ is a good thing" and "The government should force companies/people to do XYZ".
Saying you have a right to repair something you own is a no-brainer.
Saying a manufacturer must provide you with the instructions and parts to do so is a bridge too far, for me.
Re: Re: Re: Re: Re: RLC
Right, but again, that's a burden of proof problem, and not a "right to face your accuser" problem.
If a police officer watches footage of a robbery, and they surmise that the masked individual on camera is me, and they arrest me, it is absolutely valid for me to argue in court that the individual on camera is not actually me, and/or that the police have not met their burden of proof.
It would be weird, however, for me to argue that the use of a camera somehow violates my right to face my accuser.
Re: Re: Re: Re: Re: RLC
I feel like I'm not being properly understood, here.
I'm not saying that you shouldn't be able to face your accuser; I'm saying that the accuser is the police officer, who is testifying using the camera footage as evidence.
You absolutely should be able to argue that the camera is deficient or improperly maintained, or that the state has not met the burden of proving that the person on camera is you. Neither of those things has anything to do with your right to face your accuser, however.
Re: Re: Re: RLC
I don't disagree with any of that, but I don't see how that differentiates between:
* Footage of me running a red light.
* Footage of me robbing the cash register after closing.
The improper standard situation seems more like a burden of proof problem, not a problem of me not being able to face my accuser. I'd have the opportunity to face my accuser (the law enforcement officer who reviewed the tape), they just might be unable to prove that it was me in the car.
Re: RLC
I must admit I've never really understood the "right to face your accuser" argument. Your accuser would be a police officer, using the camera footage as evidence.
Much like if I broke into a store at night and stole a bunch of stuff, the fact that a police officer used security camera footage to identify and eventually arrest me does not implicate my fourth amendment rights.
His actual tweets, as preserved by Patrick
And:
So yeah, this guy's not being truthful.
Re:
Re:
When I moved out into the boonies a year ago, my T-Mobile connection was really spotty at my house and quite a few of the roads on the way to my house. Now it's completely solid everywhere. I think they've been rapidly building out their network.
Re: Re:
It works for the government, too.
Re: Re: Re: Re:
"Their trademark is for software, not open source software!" is not a very compelling argument. If Kik was selling bath salts or something, I'd wonder where the confusion was likely to come in, but if you asked me what doing an "apt-get install kik" was likely to do, I would say "Probably install the Kik messenger?", and I've never even used Kik.
Re: Re:
Kik's emails were perfectly reasonable and affable here. In response, Koculo went to 11 immediately and started raging in "FUCK THE MAN!" mode, and then when he realized he didn't actually have the power he thought he did, he petulantly took his ball and went home. No big loss.
If I created a module called "walmart", I might expect some corporate resistance, and rightfully so. If I rebuff Walmart's polite emails asking to compensate me for changing my module's name, and instead act like an raging asshole lunatic, and Walmart turns to the private party whose services I am currently dependent on to solve the matter, than I have badly misplayed my hand, and I deserve what I get.
Re: But there is no higher speed plan...
Seriously. If they could give me more then 6 Mbps, I'd gladly pay a premium for a business account.
Re: Re: Re:
Other things that qualify as "interstate commerce", according the the federal government:
1. Raising grain on your own land to feed your own cattle (Wickard v. Filburn)
2. Growing pot in your own house to smoke yourself (Gonzales v. Raich)
3. Possessing a gun in a school zone (United States v. Lopez)
Re: Very Real Threat
If I go on TV and call Muhammad a "murderous pedophile who created a death cult", it's highly likely some of his adherents will decide to go on a killing spree to prove how wrong I am, but even so, a judge can't order me not to say it.
Being worried that someone might say something that makes other people angry is not a cause to suppress that person's free speech rights as protected by the first amendment. Unless the group in question is making threats and/or telling listeners to attack pro-choice establishments, their speech is protected.
Re: Euphemism Alert
Police officers are "gunned down".
Average citizens are "struck by a bullet discharged from a firearm while it happened to be in the possession of a member of the police department".
Re: