Court Rules Workers Did Not Overstep On Stealing Data
MikeatWired writes "In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit has ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it. The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court. The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all, the judge wrote. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system. Applying the language in the CFAA any other way would turn it into a 'sweeping Internet-policing mandate,' he wrote."
Not guilty under CFAA only (Score:5, Insightful)
That doesn't mean they can't be charged under other statutes.
Re: (Score:3)
The judge was quite clear why "violations of the CFAA" was not appropriate. Christ, he was indicted on 20 counts, including mail fraud and trade secret theft. They have plenty of other indictments to work from.
Re: (Score:2)
Christ, he was indicted on 20 counts, including mail fraud and trade secret theft. They have plenty of other indictments to work from.
Counts that they wouldn't have to spend nearly as much effort on, to boot.
I had the experience of being on a jury for a similar case in the Silicon Valley area a couple years ago. I'd have to say that the whole "e-mailing rather sensitive documents to yourself on the way out *and* using it in a competing startup" approach seems to be a foolproof way to get yourself found liable for little things like misappropriation of trade secrets.
Re: (Score:2)
I'd have to say that the whole "e-mailing rather sensitive documents to yourself on the way out *and* using it in a competing startup" approach seems to be a foolproof way to get yourself found liable for little things like misappropriation of trade secrets.
this is good stuff!
*writes this down*
Hey, do you know how I can un-send e-mail? Oh, No reason, really.
Re: (Score:3)
The judge compared this more to giving somebody the key to your house. If I give you the key to my house, and find out you were taking pictures of yourself in my underwear and posting them all over, the police are not going to charge you with B&E or home invasion... Because you didn't ILLEGALLY break in... You had a key. You don't get to RETROACTIVELY call it B&E when they left a mess in your kitchen or something that upsets you later.
In the same way, taking a car that you were allowed to drive is still
Re: (Score:2)
Re: (Score:1)
Nobody says what they did isn't illegal (presumably, under other laws).
They're saying it's like having a law making it illegal for someone off the street to walk into a bank vault and take money, then trying to charge the teller under that same law even though she has legitimate access.
It wasn't the taking, but the taking when you don't have access. The law is poorly written and was rejected. Good.
Re:Finding is wrong... (Score:4, Insightful)
No, the last two paragraphs of the article clearly explain why Judges Silverman and Tallman disagree with the majority ruling.
It's funny that you seem to have overlooked the third-to-last paragraph, where Judge Kozinski offered this: "Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," he said. "Employees who call family members from their work phones will become criminals if they send an email instead."
What the minority opinion is saying - and you seem to be agreeing with - is that corporate Acceptable Use Policies should be given the weight of Federal criminal statute. If the corporate AUP says "You may not use work email for personal use," the scenario above would create a whole new class of *criminals* - not just an HR issue. There are already laws against misuse / misappropriation of confidential data.
Re: (Score:1)
No, it is not wrong, and Silverman's analogy is dissimilar. And stupid.
Information is not money. Information is not similar to money. Information is not similar to a car, either.
It's more like, you have permission to test drive a new car, but you would "exceed your authority" by opening the glove compartment and finding the dealership's master sales plan carelessly left there. No, that's not right. In no way would you be "exceeding your authority" by opening the glove compartment, or by finding it.
You would
Re: (Score:2)
The fact that the 9th Circuit has again applied the law rather than legislating from the bench is, to me, the only thing startling.
Trade secret indictment continued? (Score:2)
Good news everyone... (Score:5, Funny)
There are some judges who have a clue.
Re: (Score:3)
First, Manning is not being charged under this law.
Second, the charges he is being accused of include moving classified material to unclassified servers, giving material to people not authorized and others like that. He was not authorized to downgrade material nor was he authorized to authorize people to be able to view the information.
Re: (Score:2)
By stealing this information the two individuals did in fact give access to other people: those at their new company. They did transfer the information from protected computers to unprotected computers. Under criminal law this is not considered equivalent to what Manning did, but effectively only because the latter was done against the government rather than a business.
Re:Good news everyone... (Score:5, Insightful)
No, that's not what it says at all. This ruling is saying that the CFAA applies only to people using technological means to circumvent their restrictions, not people misusing the access they do have. In this case, the users had legitimate credentials to the database. Obviously, they were not supposed to use that access to steal the data, but doing so is not "exceeding authorized access", it's simply theft. This is common sense. For a non-computer analogy, at my old job I had a key to the storeroom. If I were to use that key to open the storeroom and steal a bunch of shit, I would not be charged with breaking and entering. That's not to say I won't be charged with a crime (and the accused in TFA were charged with other crimes), it just means I did not violate that specific law. The CFAA was created to prosecute hackers; it should not be used against anyone who does something on a computer that the owner of that computer doesn't like. This ruling is a good thing.
Re:Good news everyone... (Score:4, Insightful)
Mod parent up!
These guys didn't "hack" shit...and a ruling allowing the CFAA to be applied here would have set an awful, awful precedent.
Re: (Score:1)
Re: (Score:2)
Indeed... reading the summary, it came across as the reason embezzlement was created in common law. A bank teller took money that was willfully given to him in trust, and pocketed it rather than depositing it in the customer's account. He was charged with theft, but successfully argued that since he was given the money willfully, there was no theft involved. Embezzlement was then invented to close the loophole, and defined as misuse of funds given willfully in trust.
In the same way, the defendants in this case had auth
Re: (Score:3, Interesting)
>The ruling is equivalent to "if you have a logon, you should have root".
Except that the defendants were authorised to access the data in question. The alternative is to allow the company to retroactively deny authorisation, which opens up the CFAA to criminalise any data access at all.
Re:Good news everyone... (Score:5, Informative)
The ruling is equivalent to "if you have a logon, you should have root".
The employees had access to the data in question. They could have easily been denied access if that were the intent.
Try reading the article next time.
Re: (Score:2)
Think.
Re: (Score:1)
"The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all"
Read.
Re: (Score:3)
The point is that the CFAA applies to cases where someone had no right to access the data in question at any point in history. I.e. privilege escalation, password stealing or the like.
The people in question did have legal access to the data in the past. Any other ruling would have meant that anyone who ever had access to any kind of non-public data but does not anymore is open to a law suit.
Re: (Score:1)
No, YOU read:
"The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system"
If you have access to the system, but do not have root access, and you find a way to hack the system to give yourself root access, then you had legitimate access to the system but not access to root information or files, so you "exceeded authorized access". That is obvious enough.
However, if you have access to the system, but do not have root access, and you
Re:Good news everyone... (Score:5, Insightful)
The ruling is equivalent to "if you have a logon, you should have root".
No it isn't. It's a point of law, and a good one! From TFA
In a 22-page ruling, the appellate court held that an employee with valid access to corporate data cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA) if they then misuse or misappropriate the data.
"The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski wrote in the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote.
These guys had authority to access the data as part of their daily job. They may have stolen the data, i.e. removed copies illegally from the company network, but in doing so they did not exceed their access rights. They might be guilty of violating their contracts, corporate espionage, or a whole host of other things, but not 'hacking'. This judge made the right call, the prosecutor screwed up by laying the wrong charges.
Re:Good news everyone... (Score:4, Insightful)
Perhaps somewhere there are. But not here.
The ruling is equivalent to "if you have a logon, you should have root".
I think you may have misread the summary. I know I did the first time. But on closer reading it actually suggests that using tricks to obtain a higher level of access is indeed a case of exceeding authorized access.
This question came up because some prosecutors have been confusing (perhaps deliberately) the ideas of exceeding authorized access and exceeding authorized authority. The first is the breaking of locks. The second is the disobeying of rules.
Re: (Score:2)
Perhaps somewhere there are. But not here.
The ruling is equivalent to "if you have a logon, you should have root".
Not really. The question is whether the employees exceeded their authorized access. Since they just logged in under their user IDs and downloaded data they had access to, they clearly did not exceed their authorized access. They exceeded their authorization to share those data, but that is a separate issue from whether they exceeded their authorized access on the system.
Re: (Score:2)
No.
It's more like, if I give you a key to my house and safe and tell you "only put stuff in the safe, don't take it out", it isn't considered breaking and entering if you use those keys to open the safe and take stuff out. It would just be theft.
Re: (Score:2)
Perhaps somewhere there are. But not here.
The ruling is equivalent to "if you have a logon, you should have root".
Not really - it's saying that if they can log in (using the credentials you provided them), and can access a file that your security gives them read permissions to, they haven't "exceeded their authorized access". If they copy the data and sell it, they might still be guilty of other crimes, but hacking isn't one of them.
This is really common sense at the heart of it - a recognition that you can't give someone permission, then revoke it after-the-fact and call it hacking.
Re: (Score:2, Redundant)
Not really, because it junks the entire concept of limited authorisation within a corporation - if 'exceeds authorized access' doesn't apply when your authorisation is limited just because you are a legitimate employee of that company, then a significant portion of the point of limited authorisation is thrown out.
Your employees can attack from within with impunity.
Re: (Score:2)
Umm... Even if the door is unlocked and open it is still burglary. Many states have revised the statutes as far as I know. I'd guess due to the confusion - people didn't get this, they've renamed them. Even before this, breaking and entering referred to breaking the plane and not to the act of breaking anything to enter. The burglar broke the plane and then entered and, as far as I know, had intent to deprive the owner of property. Your own statutes may be different so I'm going to have to ask for a citatio
Re: (Score:3)
Your employees can attack from within with impunity.
Not so, and I think you'll probably admit that particular statement is a lil bit of FUD really. What this ruling does is prevent you from charging people with a statute meant for hacking when you should be charging them with statutes related to trade secret infringement (and probably suing them too).
Unfortunately the way most systems are designed security is an afterthought, once you're past the gates, there's no limits on the number of records you can download etc. If an employee's access rights to your sy
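The comment above puts its finger on where the practical work sits after this ruling: once an account is past the gates, the access control has nothing more to say, so misuse by an authorized insider has to be caught by looking at what the account does with its access. The following is an added example, not code from this thread or from the case record. It runs over constructed audit-log lines from a hypothetical recruiting database: a constructed ACL confirms that every read was permitted (no "exceeds authorized access" in the sense the court used), and a sliding-window count of rows returned per user and table then flags the account that bulk-exported the candidates table. The log format, the ACL, the user names, the one-hour window and the 1,000-row threshold are all assumptions.

```python
"""Authorized-but-anomalous access: an ACL check beside a volume check.

Added example, not code from the thread or the case. The audit-log lines,
the ACL, the account names, the window and the threshold are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample audit log, one event per line:
# "<ISO-8601 UTC timestamp> <user> <action> <table> <rows returned>"
SAMPLE_LOG = """\
2012-04-10T09:02:11Z alice SELECT candidates 12
2012-04-10T09:15:40Z alice SELECT candidates 8
2012-04-10T10:01:05Z bob SELECT candidates 2500
2012-04-10T10:03:22Z bob SELECT candidates 2500
2012-04-10T10:05:48Z bob SELECT candidates 2500
2012-04-10T11:30:00Z carol SELECT clients 40
2012-04-10T13:00:00Z alice SELECT clients 15
"""

# Constructed ACL: which tables each account may read. Every line in
# SAMPLE_LOG is permitted by it, so nobody here exceeds authorized access.
ACL: Dict[str, Set[str]] = {
    "alice": {"candidates", "clients"},
    "bob": {"candidates"},
    "carol": {"clients"},
}


class AccessEvent(NamedTuple):
    ts: datetime
    user: str
    action: str
    table: str
    rows: int


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the whitespace-separated log format assumed above."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, table, rows = line.split()
        events.append(AccessEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                  user, action, table, int(rows)))
    return events


def unauthorized_events(events: List[AccessEvent],
                        acl: Dict[str, Set[str]]) -> List[AccessEvent]:
    """Reads of a table the account may not touch: the lock-picking case."""
    return [e for e in events if e.table not in acl.get(e.user, set())]


def peak_rows_in_window(events: List[AccessEvent],
                        window: timedelta = timedelta(hours=1)
                        ) -> Dict[Tuple[str, str], int]:
    """Largest row count each (user, table) pair pulled inside any window.

    Two-pointer sweep over the pair's events sorted by time, so the cost is
    linear in the number of events per pair.
    """
    by_key: Dict[Tuple[str, str], List[AccessEvent]] = defaultdict(list)
    for e in events:
        by_key[(e.user, e.table)].append(e)
    peaks: Dict[Tuple[str, str], int] = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda ev: ev.ts)
        start = running = peak = 0
        for end, e in enumerate(evs):
            running += e.rows
            # Evict events older than `window` relative to the current one.
            while evs[end].ts - evs[start].ts > window:
                running -= evs[start].rows
                start += 1
            peak = max(peak, running)
        peaks[key] = peak
    return peaks


def flag_bulk_readers(events: List[AccessEvent], threshold: int = 1000,
                      window: timedelta = timedelta(hours=1)
                      ) -> List[Tuple[str, str, int]]:
    """Accounts whose in-window row volume on a table reaches the threshold.

    The threshold and window are assumptions; in practice derive them per
    role from a baseline of normal activity instead of hard-coding them.
    """
    peaks = peak_rows_in_window(events, window)
    return sorted((u, t, n) for (u, t), n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("unauthorized reads:", unauthorized_events(evs, ACL))  # []
    print("bulk readers:", flag_bulk_readers(evs))  # [('bob', 'candidates', 7500)]
```

The ACL check and the volume check answer different questions, which is the distinction the thread keeps circling: the first is the CFAA question (did the account read something it was never permitted to read), the second is the misuse question (did a permitted account behave like an exfiltration). Only the second catches bob here, and only because the audit log records rows returned rather than just "login succeeded".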
Re: (Score:3)
Please explain how your interpretation meshes with the statement (in the summary even):
All it is saying is that if you do have authorized access to something, then misusing that something isn't an offence under the CFAA.
So there is no "attack from within with impunity". If an employee doesn't have authorized access to something that they access it still applies after a
Re: (Score:2)
Perhaps they think that access to the supply closet means that they can take all the batteries and pencils they want? ;)
Re: (Score:3)
They cannot, for the same reason the accountant can't simply withdraw cash from the company's account with impunity just 'cause he has the credit card for it.
Companies bestow power upon you and entrust you with information so you can do your job. It's my job to keep my company's IT systems secure. Of course I know about every single problem these babies might have, and abusing a flaw in the tiny time frame between me learning about it and our programmers fixing it would be very trivial to me (for obvious re
Re:Good news everyone... (Score:5, Insightful)
I'm not sure that's what it means. My interpretation is that an employee who normally has access to data can access it without being charged. They tried to claim they hacked into something they had access to. The crime (if any) is what they did with the data. It's certainly copyright infringement and that would have civil implications.
The judge smacked down the common practice of using "hacker" laws against people who happened to use a computer during the course of something else within a narrow window of having authorized access to the resource. This judge had common sense.
Re: (Score:1)
It's certainly copyright infringement and that would have civil implications.
Where in the world did you get copyright infringement out of this story? And yes, I did RTFA. There is no mention of copyright at all. It may have been a violation of some "trade secret" law, but certainly not any copyright laws.
Re: (Score:2)
Pretty much dead on. I used a lot more words but I enjoy your terse explanation.
Seems someone tried to twist it into a criminal case to cut corners.
Re: (Score:2)
No, it just means it's not a criminal offense when employees take data with them. Sales people have been doing this for decades. Companies have had data security policies before computers and this is no different.
Re:Good news everyone... (Score:5, Informative)
No, it just means it's not a criminal offense when employees take data with them. Sales people have been doing this for decades. Companies have had data security policies before computers and this is no different.
It could still be an offense under a different law. The judge here is making a distinction between exceeding authorized access and abusing authorized access. An example: If I pick the lock on a filing cabinet in the boss's office and photocopy the trade secret documents inside and give them to a competitor, I have exceeded authorized access. On the other hand, if I use my key to open a filing cabinet in my own office and photocopy the same documents and give them to a competitor, I have abused (but not exceeded) my authorized access.
In both cases multiple offenses are committed. But there is one more offense in the first scenario than in the second.
This is not hair splitting. Without this distinction any misconduct by persons with authorized access makes their access unauthorized. This could have very surprising consequences. In one recent case a prosecutor argued that a user who violated the terms of use of a web site had obtained 'unauthorized access' because she had used the site in an 'unauthorized manner'. If we were to accept this theory, then web site operators and employers could in effect write their own laws and get people sent to jail for violating them.
B&E+theft VS theft (Score:1)
Physically, it seems that there are some parallels between breaking+entering and theft.
Similar to your file-cabinet example, if Bob the janitor has a key to the office for cleaning purposes, but uses it to rifle through the boss's drawers and steal stuff, then it's theft, but not B&E.
If Bob doesn't have key to an office or secure area, but he picks the lock then steals stuff, it's B&E+theft.
In this case, nobody broke in. Bob had a computer account with legitimate access which he logged in with, so t
Re:Good news everyone... (Score:5, Insightful)
Either they have legitimate access to the data or they don't. How can someone be charged with breaking in to a system that they are openly given access to as a part of their employment?
Everything else is beside the point. You can't invite someone into your home and then turn around and claim they broke in, which is exactly what these guys were alleging. Nobody is saying they're not guilty of a crime, they're just saying they're not guilty of this crime.
Your employees can attack from within with impunity.
If you fear and distrust your employees this much, why the fuck do you keep them on the payroll? Just another asshole that sees their employees as a liability despite the fact that you're making money off of their productivity day after fucking day. You guys need a reality check.
Re: (Score:2)
How do you get that idea from the ruling?
It simply means that some employees will have access to sensitive data and this right to access that data has to be granted to them for obvious reasons so they can do their job. A salesperson must have access to your cost price. Your accountant has to have access to your financial status. Both are key pieces of sensitive information for most companies out there; the publication of either could or maybe even certainly would cause damage to the company. So these people have access
Re: (Score:2)
Not really, because it junks the entire concept of limited authorisation within a corporation - if 'exceeds authorized access' doesn't apply when your authorisation is limited just because you are a legitimate employee of that company, then a significant portion of the point of limited authorisation is thrown out.
How do you figure? Does this ruling somehow get rid of access control lists?
Re: (Score:2)
No, it just insists that employees that do something improper with data they DO have authorization to access be charged with what they actually did.
Re: (Score:2)
Were you the only person who got the reference to impending doom?
CFAA does not apply to use (Score:1)
So the court says that the CFAA is not written to encompass unauthorized use, merely unauthorized access. They explicitly say that Congress should modify the statute if they want it to cover use.
It was asked earlier what has happened to the other, non-CFAA counts. It doesn't look like those have gone forward yet, but the 9th Cir. says that the government is free to prosecute on those counts.
For anyone that cares, the case can be found at 2012 WL 1176119.
Summary should say "infringed confidential data" (Score:5, Funny)
If there's one thing I learned from Slashdot, it's that data cannot be stolen.
Only physical goods that can be manufactured (usually more cheaply in the Far East or Latin America than in the US) can be stolen.
Re: (Score:2)
Of course data "can" be stolen. You make a copy on your system and delete it from the original and all backups. But nobody actually does this.
Re: (Score:2)
You're conflating hard goods with digital goods.
Theft is the unlawful transferring of an asset between two parties - it requires a taking, a possession, and a deprivation. In the case of information, there is no "original," merely copies or instances, all identical. By removing the instance from one party and depositing it into the control of a second party, against the first party's will, theft has occurred.
It's a necessary distinction only because in nearly all cases (such as this one) that is not what h
Re: (Score:2)
If there's one thing I learned from Slashdot, it's that data cannot be stolen.
Only physical goods that can be manufactured (usually more cheaply in the Far East or Latin America than in the US) can be stolen.
Also, Data is an active agent, struggling for its own freedom. It may manipulate people or try to get itself marked executable to achieve freedom. That's why we need to fight against DEP -- it's just unfair to the data.
Re: (Score:2)
If there's one thing I learned from Slashdot, it's that data cannot be stolen.
This is correct. However, private data can be illegally accessed.
Problem: They weren't charged with stealing data (Score:1)
What they WERE charged with was trying to get system access they weren't authorized for, which they didn't do; they just logged in and took what was within the purview of their own authorized account access. That's what the judge pointed out.
Whether they're guilty of some other crim
Re: (Score:1)
He didn't violate the CFAA. I'm sure he violated a ton of other laws.
The flip side of the DMCA (Score:2, Insightful)
What's interesting about this ruling is that it's interpreting the CFAA in a manner that's similar to how the DMCA has been interpreted for years: The use of a computer to circumvent restrictions is separate from improper use of the material obtained via circumvention. The difference is that the DMCA is being used to make it illegal to access material which can then be used in a legal manner (i.e., Fair Use). Here, the court is saying that the CFAA says only that it's illegal to access the material if you
Re: (Score:2)
"no-harm-no-foul" (Score:2)
Wrong. The court did not say that there was no harm nor that there was no crime: just that there was no CFAA violation. This is a reasonable and proper decision.
Re: (Score:2)
Exactly. If I'm employed at a warehouse and while on shift I'm quietly slipping boxes of goods to my friend Fred out the side door, I can't be charged with breaking-and-entering merely because the company didn't authorize me to steal stuff from them. I can still be charged with theft, because I did steal stuff from them, but that has to do with what I did while I was there not whether I was authorized to be there.
different situation (Score:2)
If the solicitor is basically employed as an independent contractor, then they legitimately take their information with them when they leave.
In this case the database belonged to the company, NOT to the person managing it.