- Appeals court ruled breaking company computer use policy, whether it be checking prohibited sites like Facebook or accessing company information to which you should not have been privy, is not a crime.
- This decision contradicts what other circuit courts have ruled, leading some to believe the Supreme Court could soon weigh in on the issue.
- The minority, dissenting opinion of the court said this case, and others, have nothing to do with "playing sudoku" at work and violating policy. It has to do with stealing company information.
The 9th U.S. Circuit Court of Appeals has issued a ruling that breaking a company's computer terms of use policy is not a crime, even if the prohibited activity involved gaining access to information you shouldn't have seen.
The ruling will protect employees who like to sneak onto sites like Facebook at work, which could be banned under their companies' policies, from being charged as hackers.
Judge Alex Kozinski wrote the majority opinion of the court:
Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.
The majority opinion of the appeals court has asked its sister courts to reconsider their prior decisions with regard to this statute.
Wired reports the case in which this ruling was made involved David Nosal, who was charged with gaining access to company information to which he should not have been privy. PC World has more detail on Nosal's charges:
Nosal "convinced" some of his former colleagues working for Korn/Ferry to assist in his efforts to start a competing business.
The U.S. Department of Justice indicted Nosal on 20 counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. Nosal was charged with violations of the CFAA for aiding the Korn/Ferry employees in exceeding their authorized access with an intent to defraud.
Nosal was initially convicted as a hacker for these crimes, a ruling which on Tuesday was overturned. Other cases where prosecutors have used this anti-hacking statute include the following, according to Wired:
The same legal theory was used to prosecute Lori Drew, who was charged criminally for participating in a MySpace cyberbullying scheme against a 13-year-old Missouri girl who later committed suicide. The Los Angeles federal court case against Drew hinged on the government’s argument that violating MySpace’s terms of service was the legal equivalent of computer hacking and a violation of the CFAA. A federal judge who presided over the prosecution tossed the guilty verdicts in July 2009, and the government declined to appeal.
The feds used the same theory to get hacking convictions of two New Jersey men who used computer scripts to help them buy, with real money, lots of concert tickets from Ticketmaster.com, which they later scalped.
Accused WikiLeaks leaker Bradley Manning is also accused of, among other things, breaching the CFAA by allegedly exceeding his authorized access of a government computer and providing files to secret-spilling site WikiLeaks. The prosecution doesn’t allege, however, that Manning actually broke into any computer system.