Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Businesses Privacy The Courts Your Rights Online

Court Rules Workers Did Not Overstep On Stealing Data 88

Posted by samzenpus
from the no-harm-no-foul dept.
MikeatWired writes "In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit has ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it. The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court. The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all, the judge wrote. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system Applying the language in the CFAA any other way would turn it into a 'sweeping Internet-policing mandate,' he wrote."
This discussion has been archived. No new comments can be posted.

Court Rules Workers Did Not Overstep On Stealing Data

Comments Filter:
  • by schwit1 (797399) on Friday April 20, 2012 @07:10AM (#39744455)

    That doesn't mean they can't be charged under other statutes.

    • THANK YOU!

      The judge was quite clear why "violations of the CFAA" was not appropriate. Christ he was indicted on 20 counts, including mail fraud and trade secret theft. They have plenty of other indictments to work from.
      • Christ he was indicted on 20 counts, including mail fraud and trade secret theft. They have plenty of other indictments to work from.

        Counts that they wouldn't have to spend nearly as much effort on, to boot.

        I had the experience of being on a jury for a similar case in the Silicon Valley area a couple years ago. I'd have to say that the whole "e-mailing rather sensitive documents to yourself on the way out *and* using it in a competing startup" approach seems to be a foolproof way to get yourself found liable for little things like misappropriation of trade secrets.

        • by mekkab (133181)

          I'd have to say that the whole "e-mailing rather sensitive documents to yourself on the way out *and* using it in a competing startup" approach seems to be a foolproof way to get yourself found liable for little things like misappropriation of trade secrets.

          this is good stuff!
          *writes this down*
          Hey, do you know how I can un-send e-mail? Oh, No reason, really.

  • From TFA, it sounded like there was a separate charge of trade secret theft that continued on independently of the CFAA charge. Does anyone know how that turned out?
  • by iPaul (559200) on Friday April 20, 2012 @07:14AM (#39744483) Homepage

    There are some judges who have a clue.

    • Re: (Score:2, Redundant)

      Not really, because it junks the entire concept of limited authorisation within a corporation - if 'exceeds authorized access' doesn't apply when your authorisation is limited just because you are a legitimate employee of that company, then a significant portion of the point of limited authorisation is thrown out.

      Your employees can attack from within with impunity.

      • by realxmp (518717)

        Your employees can attack from within with impunity.

        Not so, and I think you'll probably admit that particular statement a lil bit of FUD really. What this ruling does is prevents you from charging people with a statute meant for hacking when you should be charging them with statutes related to trade secret infringement (and probably suing them too).

        Unfortunately the way most systems are designed security is an afterthought, once you're past the gates, there's no limits on the number of records you can download etc. If an employee's access rights to your sy

      • by nedlohs (1335013)

        Please explain how your interpretation meshes with the statement (in the summary even):

        The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system.

        All it is saying is that if you do have authorized access to something, then misusing that something isn't an offence under the CFAA.

        So there's is no "attack from within with impunity". If an employee doesn';t have authorized access to something that they access it still applies after a

        • by KGIII (973947)

          Perhaps they think that access to the supply closet means that they can take all the batteries and pencils they want? ;)

          • They cannot, for the same reason the accountant can't simply withdraw cash from the company's account with impunity just 'cause he has the credit card for it.

            Companies bestow power upon you and entrust you with information so you can do your job. It's my job to keep my company's IT systems secure. Of course I know about every single problem these babies might have, and abusing a flaw in the tiny time frame between me learning about it and our programmers fixing it would be very trivial to me (for obvious re

      • by laffer1 (701823) <luke&foolishgames,com> on Friday April 20, 2012 @08:00AM (#39744761) Homepage Journal

        I'm not sure that's what it means. My interpretation is that an employee who normally has access to data, can access it without being charged. They tried to claim they hacked into something they had access it. The crime (if any) is what they did with the data. It's certainly copyright infringement and that would have civil implications.

        The judge smacked down the common practice of using "hacker" laws against people who happened to use a computer during the course of something else within a narrow window of having authorized access to the resource. This judge had common sense.

        • by txsable (169665)

          It's certainly copyright infringement and that would have civil implications.

          Where in the world did you get copyright infringement out of this story? and yes, i did RTFA. There is no mention of copyright at all. It may have been a violation of some "trade secret" law, but certainly not any copyright laws.

        • Pretty much dead on. I used a lot more words but I enjoy your terse explanation.

          Seems someone tried to twist it into a criminal case to cut corners.

      • by alen (225700)

        no, it just means it's not a criminal offense when employees take data with them. sales people have been doing this for decades. companies have had data security policies before computers and this is no different

        • by David Chappell (671429) on Friday April 20, 2012 @08:37AM (#39745051) Homepage

          no, it just means it's not a criminal offense when employees take data with them. sales people have been doing this for decades. companies have had data security policies before computers and this is no different

          It could still be an offense under a different law. The judge here is making a distinction between exceeding unauthorized access and abusing authorized access. An example: If I pick the lock on a filing cabinet in the boss's office and photocopy the trade secret documents inside and give them to a competitor I have exceeded authorized access. On the other hand if I use my key to open a filing cabinet in my own office and photocopy the same documents and give them to a competitor, I have abused (but not exceeded) my authorized access.

          In both cases multiple offenses are committed. But there is one more offense in the first scenario than in the second.

          This is not hair splitting. Without this distinction any misconduct by persons with authorized access makes their access unauthorized. This could have very surprising consequences. In one recent case a prosecutor argued that a user who violated the terms of use of a web site had obtained 'unauthorized access' because she had used the site in an 'unauthorized manner'. If we were to access this theory, then web site operators and employers could in effect write their own laws and get people sent to jail for violating them.

          • Physically, it seems that there are some parallels between breaking+entering and theft.
            Similar to your file-cabinet example, if Bob the janitor has a key to the office for cleaning purposes, but uses it to rifle through the boss's drawers and steal stuff, then it's theft, but not B&E.
            If Bob doesn't have key to an office or secure area, but he picks the lock then steals stuff, it's B&E+theft.

            In this case, nobody broke in. Bob had a computer account with legitimate access which he logged in with, so t

      • by AngryDeuce (2205124) on Friday April 20, 2012 @08:26AM (#39744965)

        Either they have legitimate access to the data or they don't. How can someone be charged with breaking in to a system that they are openly given access to as a part of their employment?

        Everything else is beside the point. You can't invite someone into your home and then turn around and claim they broke in, which is exactly what these guys were alleging. Nobody is saying they're not guilty of a crime, they're just saying they're not guilty of this crime.

        Your employees can attack from within with impunity.

        If you fear and distrust your employees this much, why the fuck do you keep them on the payroll? Just another asshole that sees their employees as a liability despite the fact that you're making money off of their productivity day after fucking day. You guys need a reality check.

      • How do you get that idea from the ruling?

        It simply means that some employees will have access to sensitive data and this right to access that data has to be granted to them for obvious reasons so they can do their job. A salesperson must have access to your cost price. Your accountant has to have access to your financial status. Both key sensitive informations for most companies out there, the publication of either could or maybe even certainly would cause damage to the company. So these people have access

      • Not really, because it junks the entire concept of limited authorisation within a corporation - if 'exceeds authorized access' doesn't apply when your authorisation is limited just because you are a legitimate employee of that company, then a significant portion of the point of limited authorisation is thrown out.

        How do you figure? Does this ruling somehow get rid of access control lists?

      • by sjames (1099)

        No, it just insists that employees that do something improper with data they DO have authorization to access be charged with what they actually did.

  • by Anonymous Coward

    So the court says that the CFAA is not written to encompass unauthorized use, merely unauthorized access. They explicitly say that Congress should modify the statute if they want it to cover use.

    It was asked earlier what has happened to the other, non-CFAA counts. It doesn't look like those have gone forward yet, but the 9th Cir. says that the government is free to prosecute on those counts.

    For anyone that cares, the case can be found at 2012 WL 1176119.

  • by Anonymous Coward on Friday April 20, 2012 @07:24AM (#39744535)

    If there's one thing I learned from Slashdot, it's that data cannot be stolen.

    Only physical goods that can be manufactured (usually more cheaply in the Far East or Latin America than in the US) can be stolen.

    • Of course data "can" be stolen. You make a copy on your system and delete it from the original and all backups. But nobody actually does this.

    • by mounthood (993037)

      If there's one thing I learned from Slashdot, it's that data cannot be stolen.

      Only physical goods that can be manufactured (usually more cheaply in the Far East or Latin America than in the US) can be stolen.

      Also, Data is an active agent, struggling for it's own freedom. It may manipulate people or try to get itself marked executable to achieve freedom. That's why we need to fight against DEP -- it's just unfair to the data.

    • by Fned (43219)

      If there's one thing I learned from Slashdot, it's that data cannot be stolen.

      This is correct. However, private data can be illegally accessed.

    • This seems to be the heart of a lot of the confusion in this thread. Basically, whether or not they stole data (or whether it's possible to steal data) isn't relevant, because that isn't the crime they were charged with.

      What they WERE charged with was trying to get system access they weren't authorized for, which they didn't do; they just logged in and took what was within the purview of their own authorized account access. That's what the judge pointed out.

      Whether they're guilty of some other crim
  • by Anonymous Coward

    What's interesting about this ruling is that it's interpreting the CFAA in a manner that's similar to how the DMCA has been interpreted for years: The use of a computer to circumvent restrictions is separate from improper use of the material obtained via circumvention. The difference is that the DMCA is being used to make it illegal to access material which can then be used in a legal manner (i.e., Fair Use). Here, the court is saying that the CFAA says only that it's illegal to access the material if you

    • Most espionage cases involve someone with access (clearance, passwords, keys, etc.) getting information and passing it outside of the security perimeter. The access was legal, the passing was not. This case sounds exactly the same, and looking it up on the computer today should be no different from pulling it out of the file cabinet years ago (cue B&W film image of spy snapping pictures with Minox).
  • Wrong. The court did not say that there was no harm nor that there was no crime: just that there was no CFAA violation. This is a reasonable and proper decision.

    • by Todd Knarr (15451)

      Exactly. If I'm employed at a warehouse and while on shift I'm quietly slipping boxes of goods to my friend Fred out the side door, I can't be charged with breaking-and-entering merely because the company didn't authorize me to steal stuff from them. I can still be charged with theft, because I did steal stuff from them, but that has to do with what I did while I was there not whether I was authorized to be there.

Hold on to the root.

Working...