Violating an employer's computer use policy or a website's terms of service is not a hacking crime covered by US statutes, a federal appeals court ruled on Tuesday.

The US Ninth Circuit Court of Appeals made the determination in a criminal case filed against a former employee of an executive search firm who convinced some of his former colleagues to use their login credentials to download names and contact data from the company's confidential database. Federal prosecutors indicted him on charges involving trade-secret theft, mail fraud, and conspiracy, in addition to violations of the 1984 Computer Fraud and Abuse Act (CFAA), which outlaws computer use that "exceeds authorized access."

A lower court judge dismissed the CFAA charges on grounds that employees were legally authorized to access the database and only violated the employer's restriction on the way the information could be used. A majority of judges hearing an appeal of that dismissal upheld the decision, arguing that to hold otherwise would criminalize even casual terms of service violations imposed by social networking services, online retailers, and search engines.

"The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," Alex Kozinski, chief judge for the San Francisco-based appeals court, wrote for the nine-judge majority. "This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer."

The concern is more than mere hypothesis, as the majority opinion went on to note. In 2008, federal prosecutors charged a Missouri woman after she masqueraded as a 16-year-old boy and struck up a correspondence with a teenage girl who later went on to commit suicide. The CFAA charges filed against 49-year-old Lori Drew hinged on a fake MySpace profile she set up in violation of the site's terms of service. By flouting requirements imposed by MySpace, the government argued, she exceeded her authority to access the service.

A jury found Drew guilty before the judge hearing the case overturned the verdict.

"Lying on social media websites is common," Kozinski wrote. "People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an [assistant United States attorney] has reason to go after."

The majority opinion also notes that many service terms are "private policies that are lengthy, opaque, subject to change, and seldom read." One example of the vagueness of such policies is the requirement imposed by many employers that company computer use must be for business purposes only. Would using the Internet to check the weather forecast for an upcoming business trip run afoul of such a requirement? What about for a company softball game or for a vacation to Hawaii?

"Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," the opinion continued. "Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit ESPN.com."

Drawing a dividing line

At the heart of Tuesday's decision was the CFAA's definition of "exceeds authorized access" (18 U.S.C. § 1030(e)(6)): "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." The majority read "entitled so to obtain or alter" as a limit on which information a user may obtain or alter, that is, a restriction on access. The employer's policy that the former employee was accused of violating, by contrast, restricted only what he could do with the information after he had obtained it, and a limit on use is not a limit on access.

The judges noted that at least three other federal appeals courts—the Eleventh Circuit in 2010, the Fifth Circuit in the same year, and the Seventh Circuit in 2006—have read the statute far more broadly, treating violations of use restrictions as exceeding authorized access. For the time being, that means lower courts in different parts of the country will be bound by competing guidance. That makes the issue ripe for review by the US Supreme Court unless the appeals courts change their minds. Indeed, the Ninth Circuit majority called on its sister courts to reconsider their rulings.

"These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute's unitary definition of 'exceeds authorized access,'" the opinion stated. "They therefore failed to apply the long-standing principle that we must construe ambiguous criminal statutes narrowly so as to avoid 'making criminal law in Congress's stead,'" the majority continued, quoting from the 2008 US Supreme Court ruling known as United States v. Santos.

Two judges on the 11-judge panel disagreed and warned that the majority was parsing the CFAA in a "hyper-complicated way" that distorted Congress's intentions when the statute was drafted.

"A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself," the dissenting opinion, written by Judge Barry G. Silverman and joined by Judge Richard C. Tallman, stated. "A new car buyer may be entitled to take a vehicle around the block on a test drive. But the buyer would not be entitled—he would 'exceed his authority'—to take the vehicle to Mexico on a drug run."

At times, the text of the 22-page decision read more like an Ars article than an appeals court ruling. Online services mentioned included Reason.TV, Google Chat, Farmville, Amazon, Facebook, eBay, YouTube, and the IMDB, as well as gadgets including the iPad, Kindle, Nook, and Xbox (mistakenly referred to as X-box).

When anyone uses any of these, "we are using one computer to send commands to other computers at remote locations," the majority said. "Our access to those remote computers is governed by a series of private agreements and policies that most people are only dimly aware of and virtually no one reads or understands."