San Francisco - A federal appeals court today rejected a dangerous interpretation of the federal anti-hacking law, dismissing charges that would have criminalized any employee's use of a company's computers in violation of corporate policy.

The Electronic Frontier Foundation (EFF) filed an amicus brief in this case, U.S. v. Nosal, urging the court to come to this conclusion as part of its ongoing work to ensure fair application of the federal Computer Fraud and Abuse Act (CFAA).

"Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," said the opinion by Chief Judge Alex Kozinski of the 9th U.S. Circuit Court of Appeals.

In Nosal, the government prosecuted an ex-employee of an executive recruiting firm on the theory that he induced current company employees to use their legitimate credentials to access a proprietary database and provide him with information in violation of corporate computer-use policy. The government claimed that the violation of policy constituted a violation of the CFAA, a law with criminal penalties.

EFF argued in its amicus brief that turning mere violations of company policies into computer crimes could potentially create a massive expansion of the law – making millions of law-abiding workers criminals for innocent activities like sending a personal e-mail or checking sports scores from a work computer, and leaving them vulnerable to prosecution at the government's whim. The court agreed in an en banc decision, replacing a ruling last year in which a three-judge panel found that disloyal employees who breach computer use policies run afoul of the CFAA.

"We shouldn't have to live at the mercy of our local prosecutor," said the opinion. "Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit"

"This is an important victory for all Americans who use computers at work," said EFF Senior Staff Attorney Marcia Hofmann. "Violating a private computer use policy shouldn't be crime, just as violating a website's terms of use shouldn't be a crime. These policies are often vague, arbitrary, confusing and contradictory. Putting people on the hook for criminal liability when they violate these agreements would leave millions of law-abiding computer users vulnerable to federal prosecution."

"EFF has been fighting these aggressive government hacking arguments for years," said EFF Staff Attorney Hanni Fakhoury. "We're happy to see the court recognize that the government overreached here, and it issued a thoughtful decision that protects the rights of users."

Full for the opinion in U.S. v. Nosal:


Marcia Hofmann
   Senior Staff Attorney
   Electronic Frontier Foundation

Hanni Fakhoury
   Staff Attorney
   Electronic Frontier Foundation