Court: If You Use Your Computer For Anything Your Employer Doesn't Like, You May Have Committed A Crime

from the holy-crap dept

Last year, we've noted some seriously troubling interpretations of the Computer Fraud and Abuse Act (CFAA). The law is designed to deal with malicious computer hacking -- someone breaking into a secure computer and accessing secret or private info. Yet, it's been twisted time and time again (sometimes in very different ways by different courts). However, this latest ruling is simply ridiculous. It effectively says if you do anything on your employer's computer that the employer doesn't like, you've committed a federal crime.

In this case, the United States vs. Nosal, it involved an employee who accessed some information on a computer system from his employer (which he was perfectly authorized to access while employed there), which he wanted because he was going to a competitor and knew that info could be useful. Now, there may be issues there in terms of trade secrets and other contractual or civil issues, but is it a crime? And is it computer hacking? Amazingly, the court said yes (disagreeing with the lower court ruling). It argued that because he was using the computer for a purpose that was not "authorized" by the employer, his overall use of the system was unauthorized, and thus, no different than if he hacked in. Seriously.

Part of the court's decision relies on its interpretation of the word "so." You see, the CFAA (in part) notes that unauthorized access means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." It then says that the all important "so" really means "in that manner," restating the law as "to obtain or alter information in the computer that the accesser is not entitled [in that manner] to obtain or alter." It then concludes that since the employer's policy did not allow employees to access the info for use by a competitor, this violates the law, and is a crime:

As long as the employee has knowledge of the employer's limitations on that authorization, the employee "exceeds authorized access" when the employee violates those limitations. It is as simple as that.

Except, it's not that simple. Lots of employers put silly restrictions on how employees can use computers, such as saying you can't do any personal surfing or check a personal email account. And yet, of course, plenty of people do just that. Should they be charged with being a federal criminal by the government? As Orin Kerr notes:

So it seems to me that under the majority’s reading of the statute, whenever any employer anywhere in the world puts any clear restriction of any kind on any computer -- computer including anything with a microchip, and even perhaps just a thumb drive — it is now a crime if the employee breaks the restriction. Sheesh, be careful out there, people. Whatever you do, don’t get on the wrong side of any Assistant U.S. Attorneys. And don't tick off your boss.

Filed Under: computer fraud, computer fraud and abuse act, hacking, laws

Not Reading Ticketmaster's Terms Of Service Shouldn't Make You A Criminal

from the yet-again dept

There have been an awful lot of similar stories lately, but it is really quite troubling just how much the Computer Fraud and Abuse Act (CFAA) is being abused to turn actions like not reading a website's terms of service into a criminal offense. We had just recently discussed how this was playing out in a lawsuit involving Facebook and Power.com, but it's showing up elsewhere as well. In fact, the judge in the Facebook/Power.com case apparently based the decision on an earlier case involving Ticketmaster and a ticket reseller which used automated means to order tickets, that it could then resell.

In a similar case, it appears that there has been a criminal indictment of the company Wiseguy Tickets, who similarly automated ticket purchases from Ticketmaster's website. This isn't to say that ticket scalpers and resellers who buy up all the tickets aren't necessarily a problem, but should they be criminally liable because they violate a website's terms of service? The EFF and some others have now filed an amicus brief in the case, suggesting that this is a ridiculous outcome. No one should be criminally liable for not obeying the terms of service on a website. If that's the case, it's easy to make anyone a criminal. I could just quickly put up a terms of service that says something as ridiculous as "you must be 8 feet tall to read this website." And, if you're not, you've then violated the terms, and are guilty of criminal hacking under the CFAA -- which could potentially result in jail time. That makes no sense, and the EFF is hoping the judge recognizes this:

"Under the government's theory, anyone who disregards -- or doesn't read -- the terms of service on any website could face computer crime charges," said EFF Civil Liberties Director Jennifer Granick. "That gives Ticketmaster and other online services extraordinary power over their users: the power to decide what is criminal behavior and what is not. Price comparison services, social network aggregators, and users who skim a few years off their ages could all be criminals if the government prevails."

Filed Under: computer fraud, hacking, terms of service
Companies: ticketmaster

Courts Stretching Computer Hacking Law In Dangerous Ways

from the that's-not-what-it's-for dept

Michael Scott points us to a very interesting analysis of how to different appeals courts have very different interpretations of our federal anti-hacking law. The Computer Fraud and Abuse Act was passed by Congress to create criminal sanctions for malicious computer hacking. The problem, of course, is that whenever you have politicians passing laws about technology, they may be a bit vague. So, the way hacking was defined was effectively to say that the perpetrator accessed info "without authorization" or (more troubling) that the activity "exceeds authorized access." Now, it's pretty obvious what's meant by this. If you're breaking into parts of a computer system where you don't belong for nefarious purposes, you're probably violating this law.

But that's not how all courts are interpreting it. The article notes that the Seventh Circuit, in International Airport Centers, LLC v. Citrin, found that an employee violated this law by deleting information on his laptop (which would have presented evidence of a breach of contract by the guy), after he had resigned. Obviously, that's a totally different situation than what the CFAA was intended to cover, but the court found that once he quit, he was no longer authorized to use the laptop, and doing so was effectively hacking. That seems like an extreme stretch of the law. But at least some other courts are following suit:

For example, in a case in the U. S. District Court for the Eastern District of Missouri, the district court relied upon the Citrin decision and held that, even if employees were authorized to access their employer's computer records, they cannot use such authorization (and, hence, their access can become "unauthorized"), if they use the information for their own interests.... The court concluded that the employer sufficiently alleged that the employees "acted without authorization when they obtained [the employer's] information for their personal use and in contravention of their fiduciary duty to their employer."

Yes, you read that right. If you use your employer's computer simply to access the company's data for your personal use, you may be guilty of computer hacking. That's quite clearly not what the law was intended to cover.

Thankfully, the Ninth Circuit (which all too often comes out with weird decisions) seems to have gotten this one right:

In declining to adopt the Seventh Circuit's interpretation of "without authorization," the court held that a "person uses a computer 'without authorization'... [only] [1] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone's computer without any permission), or [2] when the employer has rescinded to access the computer and the defendant uses the computer anyway."... The Ninth Circuit declined to hold that the "defendant's authorization to obtain information stored in a company computer is 'exceeded' if the defendant breaches a state law duty of loyalty to an employer" because no such language was found in the CFAA.... The Ninth Circuit noted that because the CFAA was "primarily a criminal statute," and because there was ambiguity as to the meaning of the phrase "without authorization," it would construe any ambiguity against the government....

Obviously, I agree that this is the proper interpretation of the law -- and stretching the definition of criminal hacking "without authorization" to things like accessing personal information on an employer's computer is dangerous. Of course, with the split rulings, it's likely that eventually this will get to the Supreme Court to sort out, and hopefully they get it right. Or, in the meantime, Congress could clarify the law -- but chances are they'd just make it worse.

Filed Under: computer fraud, computer fraud and abuse act, hacking, laws

Why The Lori Drew Ruling Could Put More Kids At Risk

from the perverse-incentives dept

We have some serious problems with the implications of the ruling in the Lori Drew case, where Drew was found guilty of computer hacking, because a fake MySpace profile (which she did not sign up for) was blamed for the suicide of a young girl. However, Bennett Haselton, over at Slashdot takes on another problematic aspect of the case: how the ruling creates perverse incentives that could lead more kids to harm themselves. That's because Drew was punished not because of her own actions, but the actions of Megan Meier, possibly due to what Drew (or others) said to her. As such, the ruling effectively says that if a kid does something bad enough or dangerous enough, it's fine to blame someone else for saying something to them. That means if there's a kid who wants to punish someone for saying something mean to them, they can try to kill themselves, and then blame whoever said something mean to them, recognizing they're likely to get punished. It creates dangerous incentives when your punishing someone based on the actions of the actions of someone else.

Filed Under: computer fraud, lori drew, megan meier, unintended consequences

Thanks To The Lori Drew Case, I Can Make Each Of You A Criminal

from the oh,-the-power... dept

We've already talked about how the Lori Drew case represents a dangerous slippery slope, in that it effectively turns just about everyone into an internet criminal who can face years in jail for "criminal computer fraud," simply because they disobeyed a website's terms of service -- even if they didn't read the terms or even approve them. With the initial verdict in, Orin Kerr -- who is involved with the case as a part of Drew's legal team -- demonstrates how awful this case is by changing the terms of service on the blog he writes for in order to demonstrate how easy it is for any website to turn pretty much everyone into a criminal:

New Terms of Use for the Volokh Conspiracy: In light of the verdict in the Lori Drew case, I have decided to promulgate new Terms of Use for the Volokh Conspiracy. You are only permitted to visit the Volokh Conspiracy if you are in compliance with the Terms of Use. Any accessing the Volokh Conspiracy in a way that violates these terms is unauthorized, and according to the Justice Department is a federal crime that can lead to your arrest and imprisonment for up to one year for every visit to the blog.

By visiting this blog, you promise that:

1. You will not post comments that are abusive, profane, or irrelevant. Civil and relevant comments only, as indicated by our comment policy.
2. You are not an employee of the U.S. government. Yes, that includes postal service employees, law clerks, judges, and interns. We're a libertarian-leaning blog, and we're for the private sector only. Government types, keep out.
3. Your middle name is not "Ralph." I've always thought Ralph was a funny name, and even odder as a middle name. No one with the middle name "Ralph" is welcome here.
4. You're super nice. We have strict civility rules here, and this blog is only for people who are super nice. If you are not super nice, as judged by me, your visit to this blog is unauthorized.
5. You have never visited Alaska. Okay, this one is totally arbitrary, but it's our blog and we can keep out who we want. Alaska visitors are out, too.

If you post an abusive comment; you are an employee of the U.S. government; your middle name is Ralph; you're not super nice, as judged by me; or you have visited Alaska, I have kinda bad news for you: You are a criminal, as you have just violated 18 U.S.C. 1030(a)(2)(C) by accessing the Volokh Conspiracy's service without authorization or in excess of authorization. You are only authorized to visit the blog in compliance with the Terms of Use, and by violating these terms you have become a criminal by essentially "hacking in" to the Volokh Conspiracy.

Filed Under: computer fraud, lori drew, orin kerr, terms of service

Lori Drew Not Guilty Of Felonies, But Guilty Of Misdemeanors

from the twisty-laws dept

In the landmark cyberbullying case, Lori Drew was found not guilty of three felonies, but guilty of three misdemeanors. The jury is deadlocked on the fourth count of felony conspiracy. The three counts of "accessing a computer without authorization" relate to the creation of a fictitious account on MySpace that was used to engage in an online relationship with Megan Meier. This verdict is not surprising considering the emotionally charged nature of this case. Prosecutors were desperate to convict Lori Drew of something, despite the fact that she may not have technically done anything illegal. If what Lori Drew did was truly criminal, then laws need to be passed to make it that way. To twist around computer fraud laws to simply get a conviction not only sets a dangerous precedent, but it is not the appropriate way to serve justice.

Filed Under: computer fraud, lori drew, megan meier
Companies: myspace

Defense In Lori Drew Case Rests, As Judge Considers Dismissing The Case

from the time-to-end-this dept

The case against Lori Drew looks weaker and weaker by the day. The defense has rested its side, and the judge is considering whether to dismiss the case outright after it was established that it wasn't even Drew who set up the account used to communicate with Megan Meier. Based on that, it's even more ridiculous (and it already was ridiculous) to charge Drew with computer fraud for violating the terms of service -- considering she wasn't even there to review the terms of service, nor did she actually set up (or use, apparently) the account. This case has been a travesty from the start. Yes, people somehow want vengeance for Meier's suicide, but trumped up bogus charges against Drew don't help matters. It's nothing more than a witch hunt against someone who it appears did not actually break the law. If people want the law to be changed -- then work to change the law, but don't twist the laws to convict Drew.

Filed Under: computer fraud, evidence, lori drew, megan meier

Lori Drew's Lawyers Worried About Finding Jury That Hasn't Prejudged Drew

from the tough-case dept

With the judge agreeing that the information about Megan Meier's suicide can be included in the computer fraud lawsuit against Lori Drew, Drew's lawyers are discovering that the emotional aspects of the case may be difficult to get past. In fact, in reviewing questionnaires that potential jurors were asked to fill out, many expressed outright disgust and "viciousness" for Drew. Once again, it's becoming increasingly clear, that it will be impossible for Drew to get a fair hearing on what the case is actually about: whether or not it's a violation of computer fraud and hacking laws to break the terms of service for an online service. Instead, people are focusing on Meier's suicide, which has absolutely nothing to do with the actual charges. This is a witch hunt appealing to emotional responses, rather than reasoned ones. It's been rather depressing to see how many folks have no problem abusing the law in this manner. If the lynch mob aspect of this case is allowed to go on, it will eventually be looked back on as a mockery of the law.

Filed Under: computer fraud, evidence, jury, lori drew, megan meier

Bad Decisions: Judge Allows Evidence Of Suicide In Lori Drew Computer Fraud Case

from the bad,-bad,-bad dept

While the entire lawsuit against Lori Drew is a joke, the one good thing was that it appeared the judge was going to exclude any evidence related to Megan Meier's suicide -- as the fact that the girl committed suicide has no bearing on whether or not Drew violated computer fraud laws. Unfortunately, though, the judge has now reversed himself and will allow such evidence to be presented at the trial. This makes the case officially ridiculous. There is simply no way that Drew can get a fair trial.

She is being charged with computer fraud. The fact that a girl eventually committed suicide should have absolutely no bearing on whether or not computer fraud happened. But, because of the emotional connection to the fact that a girl committed suicide, some folks want to string up someone out of revenge. Unfortunately, the emotions surrounding the case will lead way too many people to conclude that it's okay to find a woman guilty on an entirely separate issue that will set a horrible precedent. At this point, it's quite clear that the lawsuit has nothing to do with the actual law, but it's an attempt to punish someone because a young girl killed herself. It's understandable that people are angry over Megan Meier's suicide, but that's simply no excuse for twisting laws for lynch-mob justice.

Filed Under: computer fraud, evidence, lori drew, megan meier

Judge Likely To Exclude Evidence Of Suicide In Lori Drew Lawsuit

from the makes-at-least-some-sense dept

We've already pointed out how ridiculous it was that prosecutors charged Lori Drew with violating computer hacking laws. It was, quite clearly, a case where prosecutors were stretching the use of the law beyond its intention in order to file any charges in an emotionally-charged case. Drew, of course, is the woman who many people blame for the eventual suicide of teenager Megan Meier. Drew had created a fake MySpace account to see what Meier was saying about Drew's own daughter -- who had been friends with Meier. A few different people had access to the MySpace account, and eventually created a false persona of a boy who became friendly with Meier. In an effort to end things before it went too far, a friend of Drew's daughter tried to cut off conversation by being especially mean to Meier, which may have lead to her committing suicide. Meier's suicide is tragic, no doubt, but to go from there to charging Drew with computer hacking for creating a fake profile would set a very dangerous precedent. It could open up almost anyone to felony charges. No matter what you think of Drew or her actions, it's ridiculous to support this lawsuit.

While the judge in the case decided not to dismiss the case, he apparently has decided that evidence of Meier's suicide will not be allowed in the case. This, at least, is a good decision. The lawsuit itself has nothing to do with the suicide, and allowing it to be used in front of a jury would likely lead to the same emotional response that resulted in the original charges being filed. Of course, with the case getting so much widespread publicity, you'd have to imagine that many jury members will already be familiar with what happened in the case.

Filed Under: computer fraud, evidence, lori drew, megan meier