Court to DOJ: Surfing on Work PC Isn’t Hacking

Have you ever checked your personal email from a work computer? The idea that checking email, or a quick visit to Facebook, Twitter or other any social media site might be considered “hacking” and land you in prison is preposterous. The 9th U.S. Circuit Court of Appeals injected a dose of sanity into the government’s insane push to make people criminals under the Computer Fraud and Abuse Act (CFAA) for violating their employer’s computer use policy. The 9-2 decision in U.S. v. Nosal will make it difficult for the Justice Department to successfully use the same twisted CFAA argument to prosecute Bradley Manning.

Remember when the DOJ claimed you might be a felon if you click a link or open an email under the government’s broad interpretation of CFAA? That’s because according to the Department of Justice, any employee who violates their company’s computer use policy “exceeds authorized access.”  If that were true, most Americans were headed to prison. But you can breathe easy for now as we’re not all doomed . . . yet.

Chief Judge Alex Kozinski who wrote the court’s decision asked [PDF], “What exactly is a ‘nonbusiness purpose’?” Checking the weather, a dating site, or playing Farmville? The court noted, “Were we to adopt the government’s proposed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct.”

The U.S. appeals court said [PDF]:

The government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute….If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions -which may well include everyone who uses a computer – we would expect it to use language better suited to that purpose…. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.

In fact, the court hammered the DOJ, listing one valid example after another of how ludicrous it would be to allow such broad interpretations of CFAA. Have you ever placed a personal call on a business phone? If you opted to instead send an email then it would be a criminal offense by the Justice Department’s CFAA argument. If you checked sport scores via a newspaper at work, doing the same thing but checking online would be a federal crime. If an employee played Farmville at work, he or she might expect to be fired for violating the business work computer policy. But under the government’s “exceeds authorized access” interpretation of CFAA, an employer could have the employee arrested for the federal offense of defrauding the company.

It’s no shocker that people don’t always tell the truth online. The court wrote, “Under the government’s proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as ‘tall, dark and handsome,’ when you’re actually short and homely, will earn you a handsome orange jumpsuit.”

Do you even read a website’s terms of service? By the DOJ’s definition of CFAA, any teenagers or preteens would instantly become juvenile delinquents for running a search or checking Gmail since minors are prohibited from using Google. If a person violates Facebook’s TOS, the court said, “Some may be aware that, if discovered, they may suffer a rebuke from the ISP or a loss of access, but few imagine they might be marched off to federal prison for doing so.”

Trust us, the DOJ had said, you don’t need to worry; the government won’t prosecute people for minor violations. But the court scoffed as the “difference between puffery and prosecution” all depends if you are someone the prosecutors want to go after.

The court concluded, “We hold that ‘exceeds authorized access’ in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.” Since not all courts have concluded the same, three others ruled differently, the U.S. Supreme Court may eventually be called upon to decide.

Five of 20 counts were dismissed against David Nosal, a former manager at Korn/Ferry International, who had been accused of convincing previous colleagues to steal confidential client data via their log-in credentials, allegedly so Nosal could start a rival business.

EFF Senior Staff Attorney Marcia Hofmann announced:

This is an important victory for all Americans who use computers at work. Violating a private computer use policy shouldn’t be crime, just as violating a website’s terms of use shouldn’t be a crime. These policies are often vague, arbitrary, confusing and contradictory. Putting people on the hook for criminal liability when they violate these agreements would leave millions of law-abiding computer users vulnerable to federal prosecution.

EFF Staff Attorney Hanni Fakhoury added, “We’re happy to see the court recognize that the government overreached here, and it issued a thoughtful decision that protects the rights of users.”

You should read the court’s decision [PDF] as you are likely to get a kick out of Chief Judge Alex Kozinski making one valid point after another to strike down the DOJ’s extremely broad interpretation of CFAA. You might also be interested in the two dissenting opinions.

Like this? Here’s more posts:

• Indoor Navigation with Pinpoint Precision: The Better to Track You via Smartphone
• Smile for the drone: Coming to police stations near you soon
• FBI Warns Smart Meter Hacking May Cost Utility Companies $400 Million A Year
• This message will self-destruct: Destroy digital evidence before it destroys you
• Senator Al Franken: Privacy is a Fundamental Right
• Counterterrorism database stores all Americans as potential domestic terrorists
• Mass Surveillance and No Privacy Bill is ‘For the Children’
• New Gov’t Weapon: Warrantless Cell Phone Surveillance
• CIA wants to spy on you through your appliances
• Microsoft takes down Zeus botnets, but censors Pirate Bay links in Messenger
• Device to suck out phone data in under 2 minutes prevents military mission failure?
• How Hacktivism Led to Discovering Digital Arms Dealers
• Yawn, pace, or stare into space? Ridiculous DHS List: You Might Be a Terrorist If…
• You consent to a search if a camera sees you? Facial Recognition vs 4th Amendment
• First Amendment Be Damned: Out of control TSA threatens bloggers

Follow me on Twitter @PrivacyFanatic