Article by David Kravets. Corporate policy is now law. Hayek once remarked that the hallmark of totalitarian law was not necessarily its brutality (concentration camps, gulags, and all that) as much as its arbitrariness and inconsistency. Here it is.
Employees may be prosecuted under a federal antihacking statute for taking computer files that they were authorized to access and using them in a manner prohibited by the company, a federal appeals court has ruled.
The case decided 2-1 Thursday by the 9th U.S. Circuit Court of Appeals concerned the Computer Fraud and Abuse Act. Congress adopted the CFAA in 1986 to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.
“As long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations. It is as simple as that,” Judge Stephen Trott wrote in an opinion joined by Judge Diarmuid O’Scannlain.
In dissent, Judge Tena Campbell wrote that, under the majority’s ruling, “any person who obtains information from any computer connected to the internet, in violation of her employer’s computer-use restrictions, is guilty of a federal crime.”
The majority’s decision, which mirrors rulings in two other federal appellate circuits, bolsters an interpretation of the CFAA that’s playing a role in the government’s grand jury probe of WikiLeaks founder Julian Assange. A grand jury subpoena recently issued in the case (first reported by Salon.com, and confirmed by the Washington Post) was accompanied by a letter indicating that one of the charges the government is considering is conspiracy to violate the CFAA by “exceeding authorized access” to a computer system — the same language at issue in the new decision.
The act makes it a federal offense if one “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”
The 9th Circuit’s decision, which reverses a lower court judge, came 18 months after the same San Francisco-based circuit ruled the opposite way in a nearly identical case concerning those same three words.