Wednesday, April 11, 2012

Misuse Of Your Employer's Computer System Is Not A Crime In The U.S. West Coast

The Ninth Circuit has confirmed what many employees have understood for a long time: while it may be beyond inappropriate for an employee to use access to a workplace computer in a way that misuses the employer’s confidential data, it is not a crime.

In my post from May 2, 2011, and again on December 27, 2011, I discussed the Ninth Circuit's criminal case of U.S. v. Nosal. The Justice Department accused Mr. Nosal under the Computer Fraud and Abuse Act (CFAA) of aiding and abetting the criminal misuse of his employer’s computer.

Nosal’s conduct was absolutely outrageous, assuming the allegations against him are correct. The Ninth Circuit explains:

David Nosal used to work for Korn/Ferry, an executive search film. Shortly after he left the company, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company's computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information. The government indicted Nosal on twenty counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA, The CFAA counts charged Nosal with violations of 18 U.S.C. §1030(a)(4) for aiding and abetting the Korn/Ferry employees in “exceed[ing their] authorized access” with intent to defraud.

The Ninth Circuit wrestled with the question whether the CFAA criminalizes the conduct of an employee who is not a hacker but merely misuses employer data. The Court determined that Congress intended the CFAA to prevent hacking – the unauthorized access to a computer system – and that the CFAA does not address the unauthorized use of data taken from a properly accessed computer system.

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it is unlikely that you’ll be prosecuted for watching Reason.TV on work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

This decision of the Ninth Circuit is in line and consistent with similar interpretations of the CFAA from several district courts in New York, Arizona, Georgia and Maryland. However, the Eleventh Circuit, the Fifth Circuit and the Seventh Circuit have seen things differently, extending the criminal reach of the CFAA to use restrictions, even when hacking is not involved.

Should most people care about how the CFAA is interpreted and applied? Is this a real problem, really?

For example, it's not widely known that, up until very recently, Google forbade minors from using its services. See Google Terms of Service, effective April 16, 2007—March 1, 2012. §2.3, (“You may not use the Services and may not accept the Terms if … you are not of legal age to form a binding contract with Google …”) (last visited Mar. 4, 2012). Adopting the government’s interpretation would turn vast numbers of teens and pre-teens into juvenile delinquents—and their parents and teachers into delinquency contributors. Similarly, Facebook makes it a violation of the terms of service to let anyone log into your account. See Facebook Statement of Rights and Responsibilities § 4.8 (“You will not share your password, … let anyone else access your account, or do anything else that might jeopardize the security of your account.”) (last visited Mar. 4, 2012). Yet it’s very common for people to let close friends and relatives check their email or access their online accounts. Some may be aware that, if discovered, they may stiffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.
Note to the world: any comments to this post must only contain nice thoughts.

No comments: