Appeals Court: Breaking Policy by Playing on Facebook at Work Not a Crime

• Appeals court ruled breaking company computer use policy, whether it be checking prohibited sites like Facebook or accessing company information to which you should not have been privy, is not a crime. 
• Prosecutors have used the anti-hacking statute -- the Computer Fraud and Abuse Act -- to not only convict those breaking into computer systems, but also those violating computer and website terms of use policies. 
• This decision contradicts what other circuit courts have ruled, leading some to believe the Supreme Court could soon weigh in on the issue. 
• The minority, dissenting opinion of the court said this case, and others, have nothing to do with "playing sudoko" at work and violating policy. It has to do with stealing company information. 

The 9th U.S. Circuit Court of Appeals has issued a ruling that breaking a company's computer terms use policy is not a crime, even if the prohibited activity involved gaining access to information you shouldn't have seen.

It is such a ruling that will protect employees who like to sneak onto sites like Facebook at work, which could be banned according to their companies' policies, from being charged as hackers.

Wired reports that the Computer Fraud and Abuse Act, passed in the 1980s, has since been used by federal prosecutors as an anti-hacking statute to not only prosecute those breaking into systems but also those who weren't "hacking" per se but simply violating a company or website's terms of use. The court ruled that the act does not extend to the latter because, if it did, "millions of unsuspecting individuals would find that they are engaging in criminal conduct.”

Judge Alex Kozinski wrote the majority opinion of the court:

 Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes.

According to Wired, this ruling is contrary to what at least three other circuit courts have ruled on similar cases, leading it to speculate the Supreme Court could soon be called in to rule on the issue. Here's how it gets sticky. While the court provided the examples of a person misrepresenting themselves on a dating website, posting a prohibited item on Craigslist for sale, or playing on Facebook at work as some violations of terms of use that could "earn you a handsome orange jumpsuit," some violations are a bit more nefarious in nature.

The majority opinion of the appeals court has asked its sister courts to reconsider their prior decisions with regard to this statute.

Wired reports the case in which this ruling was made involved David Nosal, who was charged with gaining access to company information to which he should not have been privy. PC World has more detail on Nosal's charges:

Nosal "convinced" some of his former colleagues working for Korn/Ferry to assist in his efforts start a competing business.

[...]

The U.S. Department of Justice indicted Nosal on 20 counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. Nosal was charged with violations of the CFAA for aiding the Korn/Ferry employees in exceeding their authorized access with an intent to defraud.

Nosal was initially convicted as a hacker for these crimes, a ruling which on Tuesday was overturned. Other cases where prosecutors have used this anti-hacking statute include the following, according to Wired:

The same legal theory was used to prosecute Lori Drew, who was charged criminally for participating in a MySpace cyberbullying scheme against a 13-year-old Missouri girl who later committed suicide. The Los Angeles federal court case against Drew hinged on the government’s argument that violating MySpace’s terms of service was the legal equivalent of computer hacking and a violation of the CFAA. A federal judge who presided over the prosecution tossed the guilty verdicts in July 2009, and the government declined to appeal.

The feds used the same theory to get hacking convictions of two New Jersey men who used computer scripts to help them buy, with real money, lots of concert tickets from Ticketmaster.com, which they later scalped.

Accused WikiLeaks leaker Bradley Manning is also accused of, among other things, breaching the CFAA by allegedly exceeding his authorized access of a government computer and providing files to secret-spilling site WikiLeaks. The prosecution doesn’t allege, however, that Manning actually broke into any computer system.

So you can see, how there is a wide range of what is considered breaking terms of use and the activities that can be involved in doing so. PC World reports the dissenting opinion from Judge Barry Silverman as saying "this has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values." He said it has to do with stealing valuable company information.