Tuesday, April 10, 2012

Is Violation of Employer's Computer Use Policy a Federal Crime?

The Ninth Circuit handed down its opinion in U.S. v. Nosal today, adopting a narrow view of the Computer Fraud and Abuse Act. Judge Kozinski opens the opinion with a great intro:
Computers have become an indispensable part of our daily lives. We use them for work; we use them for play. Sometimes we use them for play at work. Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
It's a pretty short opinion, so feel free to read the whole thing. [Spoiler Alert] The Court adopted a narrow view of the statute:
We need not decide today whether Congress could base criminal liability on violations of a company or website’s computer use restrictions. Instead, we hold that the phrase "exceeds authorized access" in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly . . . . This narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere. Therefore, we hold that "exceeds authorized access" in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.
(emphasis in original). The Court notes that there is a circuit split on this issue, so maybe we'll get some Supreme intervention.

HT: Orin Kerr at Volokh Conspiracy.