Court: Violating work computer-use policies not a crime

An appeals court says that a DOJ prosecution of a former employee would have expanded computer crime law

An ex-employee who persuaded former coworkers to access their company's customer lists and give them to him is not guilty of computer hacking crimes, a U.S. appeals court has ruled.

The U.S. Court of Appeals for the Ninth Circuit ruled Tuesday that David Nosal, a former employee of executive search firm Korn/Ferry, did not violate the Computer Fraud and Abuse Act (CFAA), a 1986 law that outlaws the act of knowingly accessing a protected computer with the intent to defraud.

Nosal "convinced" some of his former colleagues working for Korn/Ferry to assist in his efforts to start a competing business, wrote Judge Alex Kozinski in the appeals court opinion. The employees used their log-in credentials to download source lists, names and contact information from a confidential company database, despite a Korn/Ferry policy forbidding employees from disclosing confidential information.

The U.S. Department of Justice indicted Nosal on 20 counts, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. Nosal was charged with violations of the CFAA for aiding the Korn/Ferry employees in exceeding their authorized access with an intent to defraud.

The DOJ appealed a U.S. District Court for the Northern District of California ruling dismissing the CFAA charges against him.

The appeals court agreed with the lower court, saying the DOJ's reading of the CFAA was too expansive and would allow criminal charges against any employee that accesses company computers in violation of policy.

The law focused on criminal hacking, not employee access to information, Kozinski wrote. "The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer. This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime."

The DOJ's interpretation could mean criminal charges for employees that play games on company computers, Kozinski wrote.

"Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights," he said. "Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes."

Judge Barry Silverman wrote a dissenting opinion. "This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values," he wrote. "It has everything to do with stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts."

The Electronic Frontier Foundation praised the decision, saying the DOJ's interpretation would create a "massive expansion" of the CFAA.

"This is an important victory for all Americans who use computers at work," EFF senior staff attorney Marcia Hofmann said in a statement. "Violating a private computer use policy shouldn't be a crime, just as violating a website's terms of use shouldn't be a crime. These policies are often vague, arbitrary, confusing and contradictory."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.
