Employees may be prosecuted under a federal antihacking statute for taking computer files that they were authorized to access and using them in a manner prohibited by the company, a federal appeals court has ruled.

The case decided 2-1 Thursday by the 9th U.S. Circuit Court of Appeals concerned theComputer Fraud and Abuse Act. Congress adopted the CFAA in 1986 to enhance the government's ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.

"As long as the employee has knowledge of the employer's limitations on that authorization, the employee 'exceeds authorized access' when the employee violates those limitations. It is as simple as that," Judge Stephen Trott wrote in an opinion (.pdf) joined by Judge Diarmuid O'Scannlain.

In dissent, Judge Tena Campbell wrote that, under the majority's ruling, "any person who obtains information from any computer connected to the internet, in violation of her employer's computer-use restrictions, is guilty of a federal crime."

The majority's decision, which mirrors rulings in two other federal appellate circuits, bolsters an interpretation of the CFAA that's playing a role in the government's grand jury probe of WikiLeaks founder Julian Assange. A grand jury subpoena recently issued in the case (first reported by Salon.com, and confirmed by the Washington Post) was accompanied by a letter indicating that one of the charges the government is considering is conspiracy to violate the CFAA by “exceeding authorized access" to a computer system – the same language at issue in the new decision.

The act makes it a federal offense if one "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period."

The 9th Circuit's decision, which reverses a lower court judge, came 18 months after the same San Francisco-based circuit ruled the opposite way in a nearly identical case concerning those same three words.

In 2009, the nation's largest appellate court ruled that employees are not liable under the antihacking law for accessing their employers' computers for disloyal purposes. The court wrote that workers authorized to access company computers do not lose or "exceed" that access under the Computer Fraud and Abuse Act even if their intent was to acquire data to open a competing business – the same factual circumstances in the case decided Thursday.

The court was quick, however, to point out a "substantial factual distinction" between the two cases: the existence of access restrictions instituted by the employer.

In the older case, the court noted, there was no written policy "that would prohibit employees from e-mailing … documents to personal computers." In the new case, the court noted, "employees were subject to a computer use policy that placed clear and conspicuous restrictions on the employees' access."

The same law was used to prosecute Lori Drew, who was charged criminally for participating in a MySpace cyberbullying scheme against a 13-year-old Missouri girl who later committed suicide. The case against Drew hinged on the government's novel argument that violating MySpace's terms of service was the legal equivalent of computer hacking and a violation of the CFAA.

A federal judge who presided over the prosecution tossed the guilty verdicts in July 2009, and the government declined to appeal.

Photo: viteez/Flickr

See Also: