Court: If You Use Your Computer For Anything Your Employer Doesn't Like, You May Have Committed A Crime
from the holy-crap dept
Last year, we've noted some seriously troubling interpretations of the Computer Fraud and Abuse Act (CFAA). The law is designed to deal with malicious computer hacking -- someone breaking into a secure computer and accessing secret or private info. Yet, it's been twisted time and time again (sometimes in very different ways by different courts). However, this latest ruling is simply ridiculous. It effectively says if you do anything on your employer's computer that the employer doesn't like, you've committed a federal crime.In this case, the United States vs. Nosal, it involved an employee who accessed some information on a computer system from his employer (which he was perfectly authorized to access while employed there), which he wanted because he was going to a competitor and knew that info could be useful. Now, there may be issues there in terms of trade secrets and other contractual or civil issues, but is it a crime? And is it computer hacking? Amazingly, the court said yes (disagreeing with the lower court ruling). It argued that because he was using the computer for a purpose that was not "authorized" by the employer, his overall use of the system was unauthorized, and thus, no different than if he hacked in. Seriously.
Part of the court's decision relies on its interpretation of the word "so." You see, the CFAA (in part) notes that unauthorized access means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." It then says that the all important "so" really means "in that manner," restating the law as "to obtain or alter information in the computer that the accesser is not entitled [in that manner] to obtain or alter." It then concludes that since the employer's policy did not allow employees to access the info for use by a competitor, this violates the law, and is a crime:
As long as the employee has knowledge of the employer's limitations on that authorization, the employee "exceeds authorized access" when the employee violates those limitations. It is as simple as that.Except, it's not that simple. Lots of employers put silly restrictions on how employees can use computers, such as saying you can't do any personal surfing or check a personal email account. And yet, of course, plenty of people do just that. Should they be charged with being a federal criminal by the government? As Orin Kerr notes:
So it seems to me that under the majority’s reading of the statute, whenever any employer anywhere in the world puts any clear restriction of any kind on any computer -- computer including anything with a microchip, and even perhaps just a thumb drive — it is now a crime if the employee breaks the restriction. Sheesh, be careful out there, people. Whatever you do, don’t get on the wrong side of any Assistant U.S. Attorneys. And don't tick off your boss.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: computer fraud, computer fraud and abuse act, hacking, laws
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
We don't need to vote anymore. Our corporate employers hire lobbyists to push legislation. What benefits the corporation, benefits us, right? It's for our own good. Go back to watching your soft porn on HBO and leave running the country to your masters.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Not a big worry
But it's not going to be long when this doesn't matter. Smartphones and 3G connected netbooks and tablets are going to render this moot in a year or so. True, it's an extra expense for the employee. But if it means you can do just about whatever you want on your own equipment and save you the risk of an employer snooping into your affairs, why wouldn't you?
The fact of the matter remains that if you don't like the policies, don't work at a place that has them. It sucks, yes. But do what I do... use my iPhone and iPad to do my email. Hooking up a wireless keyboard to them (like many other phones and tablets can do) makes it almost like your desktop without any employer able to claim misuse of company property or network.
Just only do that sort of thing if you're getting your work done.
[ link to this | view in chronology ]
Re: Not a big worry
its one thing to risk my job dicking around on techdirt, its another entirely to risk being charged with a federal crime
[ link to this | view in chronology ]
Re: Not a big worry
[ link to this | view in chronology ]
Re: Not a big worry
Sorry to say company polices are like eula's, even if you read them how many people actually understand them. Including those how write them.
[ link to this | view in chronology ]
Re: Not a big worry
Kind of debunks your whole point there!
[ link to this | view in chronology ]
Nice try at spin, but...
[ link to this | view in chronology ]
Re: Nice try at spin, but...
Mike was very clear in saying that he likely had civil or contractual issues. The question is whether he deserves a federal felony charge under the CFAA for something which was not hacking.
Don't federal prosecutors have better things to do than put a guy in jail for taking information (which he has legitimate access to) with him when he leaves a job?
[ link to this | view in chronology ]
Re: Re: Nice try at spin, but...
I have to wonder about those three employees - what charges did they get?
[ link to this | view in chronology ]
Re: Re: Re: Nice try at spin, but...
the paragraph before that says after becoming an ex-employee he was hired on as an independent contractor, so I imagine some of it he had access to the rest he needed the 3 other people for.
"From the looks of it, either they e-mailed him the info from work (a big no-no) or they gave him the ID/Passwords to access it at his leisure"
it alleges that they "transferred to Nosal Source lists, names ...." so it certainly implies the former
"If it was the former then it hacking with a small h" having someone send you data they have access to and you dont is NOT hacking, as we are discussing below they had laws to charge him with, this is not hacking and is not what the CFAA should be used for
[ link to this | view in chronology ]
Re: Re: Re: Re: Nice try at spin, but...
[ link to this | view in chronology ]
Re: Nice try at spin, but...
He is not a hacker and this is not the intent this law was written for. It created a ridiculous legal precedent. Don't read the article as "man arrested for bullshit" read it as "CFAA stretched well beyond it purpose, yet again"
[ link to this | view in chronology ]
Re: Nice try at spin, but...
Mike was very explicit in saying that what he did is wrong, and would likely be a violation of trade secrets, his contract or other civil matters. That's not in question. What is in question is whether or not this should be treated as a criminal matter.
Do you disagree, or is this one of those instances where you just *have* to attack Mike for something even though you agree with everything he;'s actually said?
[ link to this | view in chronology ]
Re: Re: Nice try at spin, but...
[ link to this | view in chronology ]
Re: Nice try at spin, but...
[ link to this | view in chronology ]
Umm....
This headline and discussion should be much more along the lines of "any use of a computer in a crime declared hacking".
That isn't to say that position makes sense but that's not what I read from this information.
[ link to this | view in chronology ]
Re: Umm....
"Stealing" trade secrets is a civil offense, and something you can be sued by your ex-employer for. The problem here lies with the fact that this ruling makes it a criminal offense because it included a computer (like everything does now).
[ link to this | view in chronology ]
Re: Re: Umm....
[ link to this | view in chronology ]
Re: Umm....
Those are civil issues to be dealt with by one party suing the other. Not federal felonies.
[ link to this | view in chronology ]
Re: Re: Umm....
http://www.smithkramerlaw.com/Article_Illegal-Competition-and-Stealing-Trade-Secrets.a sp
[ link to this | view in chronology ]
Re: Re: Re: Umm....
I'm sure there's more to it than that, and I'm not saying that it can't be used against someone who stole info from one US company and gave it to another US company (especially with today's corporate-coddling administration), but to date, all the convictions under this statute have been for folks stealing trade secrets and selling them to foreign entities.
[ link to this | view in chronology ]
Re: Re: Re: Re: Umm....
http://www.poznaklaw.com/articles/econoespionage.htm
even though the background is atrocious and makes my eyes bleed. I really had to copy paste to Office to read it.
but the only thing i see relating to foreign is this requirement to be in violation of the law:
(6) the trade secret was related to or was included in a product that was produced or placed in interstate or foreign commerce.
so unless its purely an intrastate product you could be charged for taking info from one American company to another. I cant think of anything that would be only an intrastate product these days, although im sure someone will point one out.
I agree that it seems most of the convictions seem to involve selling secrets to foreign entities, but certainly not ALL of them.
http://tradesecretshomepage.com/indict.html#_Toc9924962,
Point being if they wanted to string this guy up they had laws to do it with they didn't need to make me a criminal for typing this post.
[ link to this | view in chronology ]
Oh crap!
***closing personal Gmail***
***closing Angry Birds****
***closing IM chat window with wife***
***closing Digg***
***closing TechDir.....
[ link to this | view in chronology ]
You're articles are so interesting that now I have to go to jail for reading them at work.
[ link to this | view in chronology ]
“would convert a multitude of otherwise innocent internet users into misdemeanant criminals.”
and:
"allowing a conscious violation of website's Terms of Service to be a misdemeanor violation of the CFAA would essentially give a website owner the power to define criminal conduct."
The federal prosecutor decided not to appeal that decision. If he had, it would have ended up in the Ninth Circuit Court and Orin Kerr would have been representing the defendant.
It doesn't take much to go from a misdemeanor violation to a felony. Also, it is very easy to claim there is some sort of fraud involved (e.g stealing bandwidth from the company) which gives an extra count and a potential maximum of 10 years in a federal prison. The enhancement of penalties for using a computer is now akin to using a gun in a crime. The trouble is, computers are universally used for a multitude of reasons unlike a gun. Remember also, a cell phone has been determined to be a computer in this context. The penalties involved can now far outweigh the crime and these decision are starting to make criminals of us all. Something has to give.
[ link to this | view in chronology ]
Sure, if it was YOUR computer -- but its not.
first ITS NOT YOUR COMPUTER !!!
Only an idiot would write a headline like that ! (Mike).
"If you use YOUR EMPLOYERS COMPUTER for anything YOUR EMPLOYER does not like, YOU HAVE COMMITTED A CRIME"
If you use anything that is NOT YOURS for a purpose that is not legal then you have or could easily have commited a crime.
You go to work to get paid, to do a job that you have been employed to do.
You do not go to work so you can see what 'else' you can 'steal' from the company that has taken the risk to employ you.
They did not employ you for you to use their internet bandwidth, or to 'do your own thing' or to make extra money on the side, on the companies time and money.
Or to actively work to subvert the company that you are allready working for.
Not only are you a leach on the company you are working for, and stealing off, but you cause that company to charge more for their products and services due to the loss you are causing them.
for example, if 100% of people at a company use their computers (or other company equipment) for their own use for 10% of the time, that is a drop of 10% total productivity.
That means the products and services that company provides will cost 10% more to create.
That might mean the difference between success or failure in the market.
[ link to this | view in chronology ]
Re: Sure, if it was YOUR computer -- but its not.
[ link to this | view in chronology ]
Re: Sure, if it was YOUR computer -- but its not.
Factually false.
You might want to read up on the Japanese and other similar cultures. The Japanese work notoriously long hours, but do not accomplish anywhere near a proportionate amount more than people who work shorter hours.
The reason, as science tells us, is that time spent working and productivity are not proportionate. There are psychological limits to focus and attention, and if you forcefully exceed that you're gonna see productivity fall (not to mention the possibility of harming the mental health of employees, which would only further decrease productivity far into the future). In fact, in such a case resting often increases productivity (and mental health), despite less time spent working.
[ link to this | view in chronology ]
Re: Sure, if it was YOUR computer -- but its not.
[ link to this | view in chronology ]
Re: Re: Sure, if it was YOUR computer -- but its not.
[ link to this | view in chronology ]
Computer crime in employment
Sounds like a good ruling.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Words are words...
[ link to this | view in chronology ]