When an anti-hacking law was expanded beyond its intended scope
What America really needs is more over-criminalization of the innocuous, or at least that’s what the 9th Circuit seems to think.
Though this is nothing new, the 9th Circuit’s latest opinion reiterated the awful bastardization of the Computer Fraud and Abuse Act (CFAA). Meant to be an anti-hacking act, the CFAA could be broadly interpreted to view all unauthorized database access as prosecutable.
The decision came in the case of David Nosal, an employee at the executive search (or headhunter) firm Korn/Ferry International. Nosal left the firm in 2004 after being denied a promotion. Though he stayed on for a year as a contractor, he was simultaneously preparing to launch a competing search firm, along with several co-conspirators. Though all of their computer access was revoked, they continued to access a Korn/Ferry candidate database, known as Searcher, using the login credentials of Nosal’s former assistant, who was still with the firm.
Nosal was eventually charged with conspiracy, theft of trade secrets and three counts under CFAA, and was sentenced to prison time, probation, and nearly $900,000 in restitution and fines.
Nosal’s conviction under CFAA hinged on a clause that criminalizes anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization”. Though CFAA is often understood to be an anti-hacking law, that clause in particular has been applied to many cases that fall far short of actual systems tampering.
CFAA has, for instance, been used to prosecute violation of Terms of Service agreements (which are themselves a contested practice). Most notoriously, the law was used to pursue Aaron Swartz, the young programmer who committed suicide after being charged with mass-downloading research papers from an MIT database, in violation of its terms of service—despite the fact that he was then a research fellow at MIT, with authorized access to the involved database.
One of the Ninth Circuit judges, Stephen Reinhardt, seemed to agree with those interpretations in his dissenting opinion. While Reinhardt took no issue with Nosal’s convictions on trade secrets violations, he said the new decision also makes “consensual password sharing” a prosecutable offense. Reinhardt noted that the decision “loses sight of the anti-hacking purpose of the CFAA, and . . . threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
Scott Shackford at Reason writes that the ACLU has filed a complaint, hoping to block part of the CFAA:
The ability to interpret the prohibitions of the law extremely broadly has prompted the American Civil Liberties Union (ACLU) to file suit to block part of the law. They argue that the law’s bans on unauthorized access or violating a site’s terms of agreement make it a felony for researchers and journalists to investigate whether sites engage in discrimination in their use of consumer-driven algorithms by pretending to be somebody that they’re not for auditing purposes. Read more about their suit here.