DOJ Gives Up On Arguing That Violating Your Employer's Computer Use Policy Is Criminal Hacking

from the about-time dept

For a few years now, we'd been noting serious problems with the Computer Fraud and Abuse Act (CFAA), which was supposed to be about "criminal hacking" of computers. That's the theory, at least. Except that various prosecutors had defined it so broadly that they felt basically anything people did that violated a computer use policy or terms of use policy could make you a criminal hacker. It's why prosecutors went after Lori Drew for supposedly "violating" MySpace's terms of service. There was nothing else they could pin on her, so they twisted the law. Of course, that also creates great power for anyone who creates a terms of service agreement, as it makes it easy to turn your users into criminals.

Early last year, we wrote about a very troubling CFAA ruling, which effectively found that if you do anything on a work computer that your employer doesn't like, you're a criminal for violating the CFAA. Yes, by failing to abide by your employer's broad "computer use policy" you could be charged with a being a criminal hacker under the CFAA. That's what happened to David Nosal. He had accessed some information from his employer's computer system -- which he was authorized to access. He wanted to use that info because he was going to a competitor. That's obviously questionable on the ethics scale, but computer hacking? Hardly. Except that the district court thought it was.

Thankfully, earlier this year the 9th Circuit appeals court reversed the ruling, with Judge Kozinski noting that it makes little sense to interpret a statute in a manner that turns "ordinary citizens into criminals."

A few weeks ago, the DOJ (who seemed to love these kinds of cases) seemed to realize that perhaps it was silly to keep arguing against Nosal here, and admitted that it wouldn't ask the Supreme Court to hear the case on appeal, meaning the 9th Circuit ruling stands. While it's good that the DOJ apparently realized that pursuing this any further was a bad idea, it's still ridiculous that it went forward with this theory in the first place, and argued it all the way through the initial appeal. Either way, while Kozinski's ruling is only binding on the 9th Circuit, hopefully other courts will pay attention to the reasoning behind it.

Filed Under: cfaa, computer use policy, doj, fraud, hacking, terms of use