DOJ Gives Up On Arguing That Violating Your Employer's Computer Use Policy Is Criminal Hacking

from the about-time dept

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

For a few years now, we'd been noting serious problems with the Computer Fraud and Abuse Act (CFAA), which was supposed to be about "criminal hacking" of computers. That's the theory, at least. Except that various prosecutors had defined it so broadly that they felt basically anything people did that violated a computer use policy or terms of use policy could make you a criminal hacker. It's why prosecutors went after Lori Drew for supposedly "violating" MySpace's terms of service. There was nothing else they could pin on her, so they twisted the law. Of course, that also creates great power for anyone who creates a terms of service agreement, as it makes it easy to turn your users into criminals.Early last year, we wrote about a very troubling CFAA ruling, which effectively found that if you do anything on a work computer that your employer doesn't like, you're a criminal for violating the CFAA. Yes, by failing to abide by your employer's broad "computer use policy" you could be charged with a being a criminal hacker under the CFAA. That's what happened to David Nosal. He had accessed some information from his employer's computer system -- which he was authorized to access. He wanted to use that info because he was going to a competitor. That's obviously questionable on the ethics scale, but computer hacking? Hardly. Except that the district court thought it was.Thankfully, earlier this year the 9th Circuit appeals court reversed the ruling , with Judge Kozinski noting that it makes little sense to interpret a statute in a manner that turns "ordinary citizens into criminals."A few weeks ago, the DOJ (who seemed to love these kinds of cases) seemed to realize that perhaps it was silly to keep arguing against Nosal here, and admitted that it wouldn't ask the Supreme Court to hear the case on appeal, meaning the 9th Circuit ruling stands. While it's good that the DOJ apparently realized that pursuing this any further was a bad idea, it's still ridiculous that it went forward with this theory in the first place, and argued it all the way through the initial appeal. Either way, while Kozinski's ruling is only binding on the 9th Circuit, hopefully other courts will pay attention to the reasoning behind it.

Filed Under: cfaa, computer use policy, doj, fraud, hacking, terms of use