Judge Silverman wrote an interesting dissent in United States v. Nosal, 2012 WL 1176119 (9th Cir. 2012) in which Judge Tallman joined. First off, let me be clear that Chief Judge Kozinski was accurate in his majority opinion that the Computer Fraud and Abuse Act (CFAA), when enacted, contemplated hackers and not necessarily violations of acceptable use policies or corporate internet policies. That being said, and giving Kozinski his well-deserved due deference, viewing the case in an as-applied fashion, as the dissent does, the following quote is quite persuasive:
This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts.At the heart of the case lies a successful attempt by an ex-employee to exfiltrate data from his former company for unjust enrichment. While the CFAA is surely meant to address hackers and their attempts to exploit protected computers, the critical conundrum is: should it be cabined so narrowly as to exempt a situation such as this? The implication is not that any violation of an acceptable use policy or the like is a federal crime, what it really boils down to is the nature of the crime and how the information is used. Judge Kozinski appropriately tries to counter this by stating the following:
Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.However, Judge Kozinski bases this assertion on the idea that “[m]inds have wandered since the beginning of time and the computer gives employees new ways to procrastinate.” Is that judicial acceptance of the fact that shirking employment duties is to be expected, and just because that type of behavior is widespread, we should not pursue efforts to criminalize it? Does an employee not owe a contractual obligation (and possibly a duty of loyalty to the employer) to focus on their job, and not on match.com?
These are very interesting questions, and I think the antiquated CFAA shows it stripes when confronted with novel cases like this that push its open texture to the extreme limit. No matter where you come out on this case (I tend to agree with Kozinski that there is a potential for OVER enforcement of this, because its an easy route for employers to nail employees committing acts that are by nature non-criminal, but contractually questionable) one cannot help but be convinced by the following quote from the dissent:
The majority’s opinion is driven out of a well meaning but ultimately misguided concern that if employment agreements or internet terms of service violations could subject someone to criminal liability, all internet users will suddenly become criminals overnight. I fail to see how anyone can seriously conclude that reading ESPN.com in contravention of office policy could come within the ambit of 18 U.S.C. § 1030(a)(4), a statute explicitly requiring an intent to defraud, the obtaining of something of value by means of that fraud, while doing so “knowingly.” And even if an imaginative judge can conjure up far-fetched hypotheticals producing federal prison terms for accessing word puzzles, jokes, and sports scores while at work, well, . . . that is what an as-applied challenge is for.In the end, I believe the disagreement in the Ninth Circuit is not one of statutory interpretation as the opinion paints it to be, but more of a call to legislators to refine laws that were enacted when the internet was merely in its crib. It’s all grown up now and should be treated as such.
I disagree. Judge Silverman's dissent interprets 1030(a)(4) as if it were the Wire Fraud statute, 18 U.S.C. 1343. But we already have a Wire Fraud statute, and 1030(a)(4) was supposed to target different activity than just basic wire fraud. 1030(a)(4) was supposed to codify the Seidlitz case, which was a classic hacking case: The defendant hacked into a computer to try to download valuable code and set up a competing business. I don't think it's persuasive statutory interpretation to read the statute as if the requirement of "access without authorization" or "exceeding authorized access" just didn't exist.
ReplyDelete