Court Rules Workers Did Not Overstep On Stealing Data 88
MikeatWired writes "In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit has ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it. The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court. The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all, the judge wrote. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system Applying the language in the CFAA any other way would turn it into a 'sweeping Internet-policing mandate,' he wrote."
Not guilty under CFAA only (Score:5, Insightful)
That doesn't mean they can't be charged under other statutes.
Re:Good news everyone... (Score:5, Insightful)
No, that's not what it says at all. This ruling is saying that the CFAA applies to only to people using technological means to circumvent their restrictions, not people misusing the the access they do have. In this case, the users had legitimate credentials to the database. Obviously, they were not supposed to use that access to steal the data, but doing so is not "exceeding authorized access" it's simply theft. This is common sense. For a non computer analogy, at my old job I had a key to the storeroom. If I were to use that key to open the store room and steal a bunch of shit, I would not be charged with breaking and entering. That's not to say I won't be charged with a crime (and the accused in TFA were charged with other crimes), it just means I did not violate that specific law. The CFAA was created to prosecute hackers, it should not be used against anyone who does something on a computer that the owner of that computer doesn't like. This ruling is a good thing.
Re:Good news everyone... (Score:4, Insightful)
Mod parent up!
These guys didn't "hack" shit...and a ruling allowing the CFAA to be applied here would have set an awful, awful precedent.
Re:Good news everyone... (Score:5, Insightful)
I'm not sure that's what it means. My interpretation is that an employee who normally has access to data, can access it without being charged. They tried to claim they hacked into something they had access it. The crime (if any) is what they did with the data. It's certainly copyright infringement and that would have civil implications.
The judge smacked down the common practice of using "hacker" laws against people who happened to use a computer during the course of something else within a narrow window of having authorized access to the resource. This judge had common sense.
The flip side of the DMCA (Score:2, Insightful)
What's interesting about this ruling is that it's interpreting the CFAA in a manner that's similar to how the DMCA has been interpreted for years: The use of a computer to circumvent restrictions is separate from improper use of the material obtained via circumvention. The difference is that the DMCA is being used to make it illegal to access material which can then be used in a legal manner (i.e., Fair Use). Here, the court is saying that the CFAA says only that it's illegal to access the material if you're circumventing access controls, and that even if you use the material illegally you're not violating the CFAA if you didn't have to circumvent access to get it.
For what it's worth, I think that this ruling gets it 100% correct. There are already laws in place governing the improper appropriation/use of information regardless of how it was obtained. Why should it be more improper if it was obtained using your computer to get it from the company's servers than if you walked into the file room and copied some files? At the rate computer (mis)use is being criminalized, pretty soon everyone in the US will be a criminal by default, as there won't be anything that can be done without violating some rule or another, not matter how innocuous. Mistype your password? Oops, that's illegally attempting to access a computer, better throw you in jail to be safe...
Re:Good news everyone... (Score:5, Insightful)
Either they have legitimate access to the data or they don't. How can someone be charged with breaking in to a system that they are openly given access to as a part of their employment?
Everything else is beside the point. You can't invite someone into your home and then turn around and claim they broke in, which is exactly what these guys were alleging. Nobody is saying they're not guilty of a crime, they're just saying they're not guilty of this crime.
Your employees can attack from within with impunity.
If you fear and distrust your employees this much, why the fuck do you keep them on the payroll? Just another asshole that sees their employees as a liability despite the fact that you're making money off of their productivity day after fucking day. You guys need a reality check.
Re:Good news everyone... (Score:5, Insightful)
The ruling is equivalent to "if you have a logon, you should have root".
No it isn't. It's a point of law, and a good one! From TFA
In a 22-page ruling, the appellate court held that an employee with valid access to corporate data cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA) if they then misuse or misappropriate the data.
"The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski wrote in the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote.
These guys had authority to access the data as part of their daily job. They may have stolen the data, i.e. removed copies illegally from the company network, but in doing so they did not exceed their access rights. They might be guilty of violating their contracts, corporate espionage, or a whole host of other things, but not 'hacking'. This judge made the right call, the prosecutor screwed up by laying the wrong charges.
Re:Good news everyone... (Score:4, Insightful)
Perhaps somewhere there are. But not here.
The ruling is equivalent to "if you have a logon, you should have root".
I think you may have misread the summary. I know I did the first time. But on closer reading it actually suggests that using tricks to obtain a higher level of access is indeed a case of exceeding authorized access.
This question came up because some prosecutors have been confusing (perhaps deliberately) the ideas of exceeding authorized access and exceeding authorized authority. The first is the breaking of locks. The second is the disobeying of rules.
Re:Finding is wrong... (Score:4, Insightful)
No, the last two paragraphs of the article clearly explain why Judges Silverman and Tallman disagree with the majority ruling.
It's funny that you seem to have overlooked the third-to-last paragraph, where the Judge Kozinski offered this: "Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," he said. "Employees who call family members from their work phones will become criminals if they send an email instead."
What the minority opinion is saying - and you seem to be agreeing with - is that corporate Acceptable Use Policies should be given the weight of Federal criminal statute. If the corporate AUP says "You may not use work email for personal use," the scenario above would create a whole new class of *criminals* - not just an HR issue. There are already laws against misuse / misappropriation of confidential data.