Court: If You Use Your Computer For Anything Your Employer Doesn't Like, You May Have Committed A Crime

from the holy-crap dept

Last year, we've noted some seriously troubling interpretations of the Computer Fraud and Abuse Act (CFAA). The law is designed to deal with malicious computer hacking -- someone breaking into a secure computer and accessing secret or private info. Yet, it's been twisted time and time again (sometimes in very different ways by different courts). However, this latest ruling is simply ridiculous. It effectively says if you do anything on your employer's computer that the employer doesn't like, you've committed a federal crime.

In this case, the United States vs. Nosal, it involved an employee who accessed some information on a computer system from his employer (which he was perfectly authorized to access while employed there), which he wanted because he was going to a competitor and knew that info could be useful. Now, there may be issues there in terms of trade secrets and other contractual or civil issues, but is it a crime? And is it computer hacking? Amazingly, the court said yes (disagreeing with the lower court ruling). It argued that because he was using the computer for a purpose that was not "authorized" by the employer, his overall use of the system was unauthorized, and thus, no different than if he hacked in. Seriously.

Part of the court's decision relies on its interpretation of the word "so." You see, the CFAA (in part) notes that unauthorized access means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." It then says that the all important "so" really means "in that manner," restating the law as "to obtain or alter information in the computer that the accesser is not entitled [in that manner] to obtain or alter." It then concludes that since the employer's policy did not allow employees to access the info for use by a competitor, this violates the law, and is a crime:
As long as the employee has knowledge of the employer's limitations on that authorization, the employee "exceeds authorized access" when the employee violates those limitations. It is as simple as that.
Except, it's not that simple. Lots of employers put silly restrictions on how employees can use computers, such as saying you can't do any personal surfing or check a personal email account. And yet, of course, plenty of people do just that. Should they be charged with being a federal criminal by the government? As Orin Kerr notes:
So it seems to me that under the majority’s reading of the statute, whenever any employer anywhere in the world puts any clear restriction of any kind on any computer -- computer including anything with a microchip, and even perhaps just a thumb drive — it is now a crime if the employee breaks the restriction. Sheesh, be careful out there, people. Whatever you do, don’t get on the wrong side of any Assistant U.S. Attorneys. And don't tick off your boss.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: computer fraud, computer fraud and abuse act, hacking, laws


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    HothMonster, 29 Apr 2011 @ 12:41pm

    depends on what your definition of "is" is

    link to this | view in chronology ]

  • identicon
    MrWilson, 29 Apr 2011 @ 12:59pm

    Since the corporations are becoming our feudal lords, this, sadly, isn't surprising at all.

    We don't need to vote anymore. Our corporate employers hire lobbyists to push legislation. What benefits the corporation, benefits us, right? It's for our own good. Go back to watching your soft porn on HBO and leave running the country to your masters.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 Apr 2011 @ 1:05pm

      Re:

      who needs HBO anymore when you have Bing's image and video search results for dirty words

      link to this | view in chronology ]

  • icon
    Christopher Gizzi (profile), 29 Apr 2011 @ 1:01pm

    Not a big worry

    I know it sucks that employees who want to use their work equipment for personal use might find it no longer possible - by filters or by policy enforcement.

    But it's not going to be long when this doesn't matter. Smartphones and 3G connected netbooks and tablets are going to render this moot in a year or so. True, it's an extra expense for the employee. But if it means you can do just about whatever you want on your own equipment and save you the risk of an employer snooping into your affairs, why wouldn't you?

    The fact of the matter remains that if you don't like the policies, don't work at a place that has them. It sucks, yes. But do what I do... use my iPhone and iPad to do my email. Hooking up a wireless keyboard to them (like many other phones and tablets can do) makes it almost like your desktop without any employer able to claim misuse of company property or network.

    Just only do that sort of thing if you're getting your work done.

    link to this | view in chronology ]

    • identicon
      HM, 29 Apr 2011 @ 1:08pm

      Re: Not a big worry

      unfortunately the giant building I work in keeps me from getting 3g so even if i use my equipment I still have to use the companies network.

      its one thing to risk my job dicking around on techdirt, its another entirely to risk being charged with a federal crime

      link to this | view in chronology ]

    • icon
      The Groove Tiger (profile), 29 Apr 2011 @ 1:09pm

      Re: Not a big worry

      There's a big difference between "if you don't like the policy of your workplace, quit, or you might get fired" and "if you don't like the policy and don't quit, you go to jail".

      link to this | view in chronology ]

    • icon
      AdamR (profile), 29 Apr 2011 @ 1:17pm

      Re: Not a big worry

      "The fact of the matter remains that if you don't like the policies, don't work at a place that has them"

      Sorry to say company polices are like eula's, even if you read them how many people actually understand them. Including those how write them.

      link to this | view in chronology ]

    • icon
      Cloksin (profile), 29 Apr 2011 @ 2:03pm

      Re: Not a big worry

      Oh, that's a perfect solution!!! Except for one small problem, how are you supposed to use your iPhone and iPad while you're at work when your employer has a policy against using any personal electronics while at work?

      Kind of debunks your whole point there!

      link to this | view in chronology ]

  • identicon
    Matthew A. Sawtell, 29 Apr 2011 @ 1:01pm

    Nice try at spin, but...

    Nice try at spin, but that's like saying folks like Anna Chapman were just "trying to observe things better". Sorry, but it looks like Mr. Nosal tried to be 'cute' before left a gig for a new gig, and got caught. Instead of taking a physical prototype or confidential rolodex, he tried to take a "virtual" version.

    link to this | view in chronology ]

    • icon
      Josh in CharlotteNC (profile), 29 Apr 2011 @ 1:12pm

      Re: Nice try at spin, but...

      Sorry, but it looks like Mr. Nosal tried to be 'cute' before left a gig for a new gig, and got caught. Instead of taking a physical prototype or confidential rolodex, he tried to take a "virtual" version.

      Mike was very clear in saying that he likely had civil or contractual issues. The question is whether he deserves a federal felony charge under the CFAA for something which was not hacking.

      Don't federal prosecutors have better things to do than put a guy in jail for taking information (which he has legitimate access to) with him when he leaves a job?

      link to this | view in chronology ]

      • identicon
        Matthew A. Sawtell, 29 Apr 2011 @ 2:18pm

        Re: Re: Nice try at spin, but...

        Sorry Josh... but reading the legal brief that Mike provided - it looks like Mr. Nosal had to get other associates of the company to provide that information for him, since he was an 'ex-employee' (paragraph 2 on the fourth page). From the looks of it, either they e-mailed him the info from work (a big no-no) or they gave him the ID/Passwords to access it at his leisure (a bigger no-no). If what happened was the later, it is hacking with a capital H. If it was the former then it hacking with a small h (because he is employing a third party to do the dirty work).

        I have to wonder about those three employees - what charges did they get?

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 29 Apr 2011 @ 2:31pm

          Re: Re: Re: Nice try at spin, but...

          "it looks like Mr. Nosal had to get other associates of the company to provide that information for him, since he was an 'ex-employee' (paragraph 2 on the fourth page)"

          the paragraph before that says after becoming an ex-employee he was hired on as an independent contractor, so I imagine some of it he had access to the rest he needed the 3 other people for.

          "From the looks of it, either they e-mailed him the info from work (a big no-no) or they gave him the ID/Passwords to access it at his leisure"

          it alleges that they "transferred to Nosal Source lists, names ...." so it certainly implies the former

          "If it was the former then it hacking with a small h" having someone send you data they have access to and you dont is NOT hacking, as we are discussing below they had laws to charge him with, this is not hacking and is not what the CFAA should be used for

          link to this | view in chronology ]

          • identicon
            HM, 29 Apr 2011 @ 2:36pm

            Re: Re: Re: Re: Nice try at spin, but...

            if the three other employees had the info he needed on paper in a filing cabinet and sent him copies it would be the same thing. The fact that it was stored on a computer or a computer was used to transmit the data should not change this from theft of trade secrets to hacking

            link to this | view in chronology ]

    • identicon
      HM, 29 Apr 2011 @ 1:16pm

      Re: Nice try at spin, but...

      I dont think the point is that he didnt do anything wrong, because clearly this is a douche move. But as the article says this is crime involving trade secrets or contract violations not hacking. The have laws they could have used to arrest this guy http://www.nolo.com/legal-encyclopedia/trade-secret-basics-faq-29099-6.html .

      He is not a hacker and this is not the intent this law was written for. It created a ridiculous legal precedent. Don't read the article as "man arrested for bullshit" read it as "CFAA stretched well beyond it purpose, yet again"

      link to this | view in chronology ]

    • icon
      PaulT (profile), 29 Apr 2011 @ 2:20pm

      Re: Nice try at spin, but...

      So, you fail at reading comprehension yet again?

      Mike was very explicit in saying that what he did is wrong, and would likely be a violation of trade secrets, his contract or other civil matters. That's not in question. What is in question is whether or not this should be treated as a criminal matter.

      Do you disagree, or is this one of those instances where you just *have* to attack Mike for something even though you agree with everything he;'s actually said?

      link to this | view in chronology ]

      • icon
        PaulT (profile), 29 Apr 2011 @ 2:25pm

        Re: Re: Nice try at spin, but...

        Hmmm... need an edit button as it appeared to me I was replying to a different user. Ignore most of that, but I think the points stand if Mike's description of them are correct (I can't read the brief).

        link to this | view in chronology ]

    • icon
      The eejit (profile), 29 Apr 2011 @ 2:44pm

      Re: Nice try at spin, but...

      Which is a CIVIL dispute, not a FEDERAL dispute.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Apr 2011 @ 1:07pm

    Umm....

    Ok, from what I see, this guy was committing a crime; Violating trade secret and steeling proprietary information. He is getting charges stacked upon him because of the additional use of a computer during the crime. This is much the same way hate crimes work or armed criminal action charges work.

    This headline and discussion should be much more along the lines of "any use of a computer in a crime declared hacking".

    That isn't to say that position makes sense but that's not what I read from this information.

    link to this | view in chronology ]

    • identicon
      Steve, 29 Apr 2011 @ 1:16pm

      Re: Umm....

      I'm sure someone will correct me if I'm wrong...

      "Stealing" trade secrets is a civil offense, and something you can be sued by your ex-employer for. The problem here lies with the fact that this ruling makes it a criminal offense because it included a computer (like everything does now).

      link to this | view in chronology ]

      • identicon
        Bengie, 29 Apr 2011 @ 3:31pm

        Re: Re: Umm....

        I bet if the info he read was from a file in a drawer, he would've be charged with breaking-and-entering

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 Apr 2011 @ 1:17pm

      Re: Umm....

      "Violating trade secret and steeling proprietary information"

      Those are civil issues to be dealt with by one party suing the other. Not federal felonies.

      link to this | view in chronology ]

      • identicon
        HM, 29 Apr 2011 @ 1:24pm

        Re: Re: Umm....

        IANAL but a quick google search seems to suggest otherwise "The Economic Espionage Act (“EEA”) enacted in 1996 provides that stealing trade secrets is a violation of the Federal criminal statutes."

        http://www.smithkramerlaw.com/Article_Illegal-Competition-and-Stealing-Trade-Secrets.a sp

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 29 Apr 2011 @ 2:06pm

          Re: Re: Re: Umm....

          Not a lawyer myself, but when I read the statute, I see phrases like "with the knowledge or intent that the theft will benefit a foreign power".

          I'm sure there's more to it than that, and I'm not saying that it can't be used against someone who stole info from one US company and gave it to another US company (especially with today's corporate-coddling administration), but to date, all the convictions under this statute have been for folks stealing trade secrets and selling them to foreign entities.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 29 Apr 2011 @ 2:19pm

            Re: Re: Re: Re: Umm....

            this site lays it out pretty well

            http://www.poznaklaw.com/articles/econoespionage.htm

            even though the background is atrocious and makes my eyes bleed. I really had to copy paste to Office to read it.

            but the only thing i see relating to foreign is this requirement to be in violation of the law:
            (6) the trade secret was related to or was included in a product that was produced or placed in interstate or foreign commerce.

            so unless its purely an intrastate product you could be charged for taking info from one American company to another. I cant think of anything that would be only an intrastate product these days, although im sure someone will point one out.

            I agree that it seems most of the convictions seem to involve selling secrets to foreign entities, but certainly not ALL of them.
            http://tradesecretshomepage.com/indict.html#_Toc9924962,

            Point being if they wanted to string this guy up they had laws to do it with they didn't need to make me a criminal for typing this post.

            link to this | view in chronology ]

  • icon
    Gwiz (profile), 29 Apr 2011 @ 1:09pm

    As long as the employee has knowledge of the employer's limitations on that authorization, the employee "exceeds authorized access" when the employee violates those limitations. It is as simple as that.

    Oh crap!

    ***closing personal Gmail***
    ***closing Angry Birds****
    ***closing IM chat window with wife***
    ***closing Digg***
    ***closing TechDir.....

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Apr 2011 @ 1:12pm

    Oh Techdirt, you!

    You're articles are so interesting that now I have to go to jail for reading them at work.

    link to this | view in chronology ]

  • icon
    aldestrawk (profile), 29 Apr 2011 @ 3:58pm

    This case is similar to the Lori Drew (cyberbullying) case. Instead of a violation of some web-site's TOS becoming a federal crime, a violation of some employer's work policy is now a federal crime. The judge who overturned her conviction stated in reference to the original decision that it:

    “would convert a multitude of otherwise innocent internet users into misdemeanant criminals.”

    and:
    "allowing a conscious violation of website's Terms of Service to be a misdemeanor violation of the CFAA would essentially give a website owner the power to define criminal conduct."

    The federal prosecutor decided not to appeal that decision. If he had, it would have ended up in the Ninth Circuit Court and Orin Kerr would have been representing the defendant.

    It doesn't take much to go from a misdemeanor violation to a felony. Also, it is very easy to claim there is some sort of fraud involved (e.g stealing bandwidth from the company) which gives an extra count and a potential maximum of 10 years in a federal prison. The enhancement of penalties for using a computer is now akin to using a gun in a crime. The trouble is, computers are universally used for a multitude of reasons unlike a gun. Remember also, a cell phone has been determined to be a computer in this context. The penalties involved can now far outweigh the crime and these decision are starting to make criminals of us all. Something has to give.

    link to this | view in chronology ]

  • identicon
    Darryl, 29 Apr 2011 @ 7:34pm

    Sure, if it was YOUR computer -- but its not.

    Court: If You Use Your Computer For Anything Your Employer Doesn't Like, You May Have Committed A Crime

    first ITS NOT YOUR COMPUTER !!!

    Only an idiot would write a headline like that ! (Mike).

    "If you use YOUR EMPLOYERS COMPUTER for anything YOUR EMPLOYER does not like, YOU HAVE COMMITTED A CRIME"

    If you use anything that is NOT YOURS for a purpose that is not legal then you have or could easily have commited a crime.

    You go to work to get paid, to do a job that you have been employed to do.

    You do not go to work so you can see what 'else' you can 'steal' from the company that has taken the risk to employ you.

    They did not employ you for you to use their internet bandwidth, or to 'do your own thing' or to make extra money on the side, on the companies time and money.

    Or to actively work to subvert the company that you are allready working for.

    Not only are you a leach on the company you are working for, and stealing off, but you cause that company to charge more for their products and services due to the loss you are causing them.

    for example, if 100% of people at a company use their computers (or other company equipment) for their own use for 10% of the time, that is a drop of 10% total productivity.

    That means the products and services that company provides will cost 10% more to create.

    That might mean the difference between success or failure in the market.

    link to this | view in chronology ]

    • icon
      The eejit (profile), 29 Apr 2011 @ 11:18pm

      Re: Sure, if it was YOUR computer -- but its not.

      IT's been scientifically proven that using Facebook et al actually improves your productivity by a considerable margin. It's something to do with making up for lost time.

      link to this | view in chronology ]

    • identicon
      Justin Olbrantz (Quantam), 29 Apr 2011 @ 11:51pm

      Re: Sure, if it was YOUR computer -- but its not.

      "for example, if 100% of people at a company use their computers (or other company equipment) for their own use for 10% of the time, that is a drop of 10% total productivity."

      Factually false.

      You might want to read up on the Japanese and other similar cultures. The Japanese work notoriously long hours, but do not accomplish anywhere near a proportionate amount more than people who work shorter hours.

      The reason, as science tells us, is that time spent working and productivity are not proportionate. There are psychological limits to focus and attention, and if you forcefully exceed that you're gonna see productivity fall (not to mention the possibility of harming the mental health of employees, which would only further decrease productivity far into the future). In fact, in such a case resting often increases productivity (and mental health), despite less time spent working.

      link to this | view in chronology ]

    • icon
      aldestrawk (profile), 30 Apr 2011 @ 10:51am

      Re: Sure, if it was YOUR computer -- but its not.

      So, if an employee does not do a good job by either making a mistake or not working hard enough you would argue that they should be jailed?

      link to this | view in chronology ]

  • identicon
    Gene Cavanaugh, 30 Apr 2011 @ 12:45pm

    Computer crime in employment

    Excellent article, but it appears to me you are misreading the judgment (I haven't read it, so I may be wrong). If it says what you indicate it says, it is no different than copying a set of documents that you know are proprietary and sensitive, and taking them with you to give to a future employer, knowing full well that you are deliberately harming your employer for personal gain.

    Sounds like a good ruling.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 30 Apr 2011 @ 6:32pm

    In today's Amerikkka, what ISN'T a crime?

    link to this | view in chronology ]

  • identicon
    Eric, 2 May 2011 @ 9:16am

    Words are words...

    I agree that he shouldn't be charged with hacking, BUT the Judges can not ignore the law and say it isn't a good law. They have to read the law and abide by it. They aren't the ones who made the law, they are just the ones interpreting it. They possibly could have interpreted it differently and then they would have just appealed it hoping the next judge would see things their way.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.