June 23, 2011 | By Marcia Hofmann

Do-Over, Please: EFF Asks Court to Revisit Ruling That Disloyal Employees Violate Hacking Law

Today EFF filed a "friend of the court" brief (pdf) urging the Ninth Circuit Court of Appeals to reconsider its troubling decision (pdf) that employees face jail time when they access work computers for purposes that violate company policy.

In United States v. Nosal, the former employee of an executive recruiting firm convinced current employees to access the company's proprietary database and pass along information that he could use for competitive advantage. The company's computer-use policy, however, said that employees were only allowed to access the database to further the company's business interests. The government prosecuted the former employee under the federal Computer Fraud and Abuse Act (CFAA), arguing that his accomplices had authority to access the database for some purposes, but exceeded that authority when they accessed it for a purpose that violated corporate policy. Unfortunately, the Ninth Circuit agreed.

This is a dangerous precedent because it gives employers the power to make behavior illegal just by saying in a written policy that it's not allowed. For example, a worker could be sued or prosecuted for reading personal email or checking the score of a baseball game if her employer's policy says that company computers may be used only for work.

That might sound far-fetched, but it's not. Earlier this year, a company sued (pdf) a former employee under the CFAA for making too much personal use of the Internet at work in violation of company policy—apparently in retaliation for a wrongful termination lawsuit that she filed first. The court dismissed (pdf) the company's claim, but Nosal gives a solid foothold to those who would make similar arguments in the future.

The decision also offers ammunition for the argument that people run afoul of the CFAA when they violate web sites' terms of use—a theory that has been rightfully rejected by other courts in cases like United States v. Drew.

We hope the Ninth Circuit will reconsider its approach in this case. The CFAA is broad enough already—it shouldn't be interpreted to criminalize the everyday behavior of millions of employees and (potentially) Internet users.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Look out weekend! Check out the cross-platform video games in Humble Indie Bundle 15 & support EFF's work: https://www.humblebundle.com/

Oct 9 @ 4:58pm

The leaked TPP IP chapter reveals how negotiators have caved to Hollywood demands and betrayed Internet users. https://eff.org/r.do9g

Oct 9 @ 4:30pm

One more California victory for privacy! @JerryBrownGov vetoed bill to put RFID chips in driver licenses: https://eff.org/r.qn8c

Oct 9 @ 4:20pm
JavaScript license information