
Court ruling limits reach of U.S. anti-hacking law

Insiders who have valid credentials to access confidential records cannot be charged under the nation's anti-hacking law, according to a ruling handed down this week by the 9th U.S. Circuit Court of Appeals in San Francisco.

The decision said employees who violate their organization's user policies -- which may include something as simple as visiting a website they are not supposed to -- do not violate the federal Computer Fraud and Abuse Act (CFAA).

Written Tuesday by Chief Judge Alex Kozinski, the ruling (PDF) involved the case of David Nosal, a former manager at executive search firm Korn/Ferry. He was charged with convincing three of his former co-workers to use their valid login credentials to access and download customer lists and then transfer them to him so he could start a competing company.

Nosal and the employees were prohibited from disclosing private information under their company policy. He eventually was charged with violations under the CFAA for "aiding and abetting" his former colleagues to exceed their authorized privileges "with intent to defraud."

Nosal filed a motion to have the five counts under the CFAA dismissed, saying the law only addresses hackers, not people who are allowed to access a computer and then misuse the information they obtain. Kozinski agreed, affirming a lower court's decision to throw out the counts. Nosal remains charged with mail fraud, trade secret theft and conspiracy, for which he has yet to face trial, according to a Reuters report.

The decision determined that hacking involves "the circumvention of technological access barriers," but not the "misappropriation of trade secrets." In other words, only those individuals who find ways to reach data they are restricted from accessing are liable under the law.

Without drawing this distinction, "millions of unsuspecting individuals would find that they are engaging in criminal conduct."

"Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by Gchatting with friends, playing games, shopping or watching sports highlights," Kozinski wrote. "Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes."

In summary, the ruling said: "[W]e hold that 'exceeds authorized access' in the CFAA is limited to violations of restrictions on access to information, and not on restrictions on its use."

"Let's say an employee is given full access to information, provided he logs in with his username and password," Kozinski wrote. "In an effort to cover his tracks, he uses another employee's login to copy information from the database. Once again, this would be an employee who is authorized to access the information, but does so in a manner he was not authorized."

Dan Conaway, a former assistant district attorney in Georgia who now represents accused cyber criminals, told SCMagazine.com on Wednesday that the ruling may draw the line between what is worthy of prosecution and what should be sorted out in civil court.

Conaway said Nosal's case may confirm that criminality under the CFAA should be confined to suspects who clearly have no legitimate reason to access a certain computer and who then harm the privacy or financial interests of individuals, such as in the case of a credit card breach.

For the last several years, prosecutors have shown an increased willingness to pursue alleged thefts that they may not have a generation ago, Conaway said. He attributed this to "established powers" being threatened by computers.

"There's this kind of fear out there of computers in general because the information is being gotten and disseminated in a much more powerful medium," he said. "There's the desire there on the part of governments and large corporations and other big interests to use the criminal justice system to intimidate and keep people from doing that."

The ultimate precedent may be set if the U.S. Supreme Court takes up the matter, a distinct possibility considering other federal appeals courts have disagreed with Kozinski's interpretation.

One high-profile case that may be impacted by such a ruling is that of Bradley Manning, the accused Army private-turned-whistleblower who used his permitted access to steal hundreds of thousands of U.S. diplomatic cables and then transfer them to WikiLeaks. Among other laws, prosecutors have charged Manning under the CFAA.

[An earlier version of this story misspelled the defendant's last name. It should be Nosal]
