You don't have to hack to be tried as a hacker

Share this article:
So, you have authorized access to a file, but you do something with that file that your employer hadn't intended you to do. What do you do? The possibilities are as endless as our imagination, but the potential consequences are quite clear, at least in the USA.

In a federal case, apparently designed to make it easier to prosecute people who provide information to WikiLeaks, the 9th U.S. Circuit Court of Appeals decided that any employee who violates the limits of authorization their employer gives them with respect to the use of computer files is in violation of the 1986 Computer Fraud and Abuse Act. The decision is here.

The one judge who dissented raised some very salient points. While the majority opinion stated that “we are persuaded that the specific intent and causation requirements of §1030(a)(4) sufficiently protect against criminal prosecution those employees whose only violation of employer policy is the use of a company computer for personal — but innocuous — reasons.”

Judge Campbell rebutted. “Accordingly, under the majority's interpretation, any person who obtains information from any computer connected to the internet, in violation of her employer's computer use restrictions, is guilty of a federal crime under §1030(a)(2)(C). For example, Mr. Nosal's employer, Korn/Ferry, prohibited use of its proprietary database except for legitimate Korn/Ferry business. Under the majority's interpretation, had Mr. Nosal ever viewed any information in that database out of curiosity instead of for legitimate Korn/Ferry business, he would be guilty of a federal crime.

In other words, if your employer prohibits you from using your computer for personal use, and you do so anyway, you may be in violation of the 1986 Computer Fraud and Abuse Act and subject to criminal prosecution.

It will be interesting to see if an appeal is made and if the ruling is upheld.
Share this article: