Courts Stretching Computer Hacking Law In Dangerous Ways
from the that's-not-what-it's-for dept
Michael Scott points us to a very interesting analysis of how to different appeals courts have very different interpretations of our federal anti-hacking law. The Computer Fraud and Abuse Act was passed by Congress to create criminal sanctions for malicious computer hacking. The problem, of course, is that whenever you have politicians passing laws about technology, they may be a bit vague. So, the way hacking was defined was effectively to say that the perpetrator accessed info “without authorization” or (more troubling) that the activity “exceeds authorized access.” Now, it’s pretty obvious what’s meant by this. If you’re breaking into parts of a computer system where you don’t belong for nefarious purposes, you’re probably violating this law.
But that’s not how all courts are interpreting it. The article notes that the Seventh Circuit, in International Airport Centers, LLC v. Citrin, found that an employee violated this law by deleting information on his laptop (which would have presented evidence of a breach of contract by the guy), after he had resigned. Obviously, that’s a totally different situation than what the CFAA was intended to cover, but the court found that once he quit, he was no longer authorized to use the laptop, and doing so was effectively hacking. That seems like an extreme stretch of the law. But at least some other courts are following suit:
For example, in a case in the U. S. District Court for the Eastern District of Missouri, the district court relied upon the Citrin decision and held that, even if employees were authorized to access their employer’s computer records, they cannot use such authorization (and, hence, their access can become “unauthorized”), if they use the information for their own interests…. The court concluded that the employer sufficiently alleged that the employees “acted without authorization when they obtained [the employer’s] information for their personal use and in contravention of their fiduciary duty to their employer.”
Yes, you read that right. If you use your employer’s computer simply to access the company’s data for your personal use, you may be guilty of computer hacking. That’s quite clearly not what the law was intended to cover.
Thankfully, the Ninth Circuit (which all too often comes out with weird decisions) seems to have gotten this one right:
In declining to adopt the Seventh Circuit’s interpretation of “without authorization,” the court held that a “person uses a computer ‘without authorization’… [only] [1] when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or [2] when the employer has rescinded to access the computer and the defendant uses the computer anyway.”… The Ninth Circuit declined to hold that the “defendant’s authorization to obtain information stored in a company computer is ‘exceeded’ if the defendant breaches a state law duty of loyalty to an employer” because no such language was found in the CFAA…. The Ninth Circuit noted that because the CFAA was “primarily a criminal statute,” and because there was ambiguity as to the meaning of the phrase “without authorization,” it would construe any ambiguity against the government….
Obviously, I agree that this is the proper interpretation of the law — and stretching the definition of criminal hacking “without authorization” to things like accessing personal information on an employer’s computer is dangerous. Of course, with the split rulings, it’s likely that eventually this will get to the Supreme Court to sort out, and hopefully they get it right. Or, in the meantime, Congress could clarify the law — but chances are they’d just make it worse.
Filed Under: computer fraud, computer fraud and abuse act, hacking, laws
Comments on “Courts Stretching Computer Hacking Law In Dangerous Ways”
It is useful to note that while the federal statute does primarily address conduct that can be prosecuted by the DOJ as a criminal matter, the statute also creates a right for an aggrieved party to file a civil suit.
The circuit split here between the 7th and 9th circuits is not an uncommon occurence in all manner of legal issues.
It is also useful to note that no statute can ever be crafted to cover every situation that may arise in the future. Judges, thus, are called upon daily to fill in the blanks.
Where the 7th and 9th circuits seem to diverge is that the former filled in the blanks by resort to longstanding law associated with relationships between employers and their employees. Apparently the 9th circuit took a much more limited stance…hence the disparity between the two decisions.
Merely as an aside, the 7th circuit opinion was authored by Judge Posner, easily recognized as one of the most knowledgable and respected jurists in the US. In all candor, when Judge Posner talks virtually all members of the bar in the US pay heed to what he has to say.
On issues more relevant to many of the articles presented here, Judge Posner in the “Posner” in the Landes and Posner article published some time back concerning patent law promoting “progress in the useful arts”.
Re: Re:
Just because he’s knowledgeable doesn’t mean he’s always right. In this particular case he seems to have gotten it pretty wrong. I do wonder, since it isn’t entirely clear here, if the laptop being accessed belonged to the man in question or to his previous employer. If it was /his/ laptop, then there could be no unauthorized access.
So, whatch in for?
So, if your employer says that your work computer is for work use only, and you check your personal email with it, you’ve just committed a federal crime these days.
There is no end to the appetite of the criminal justice system.
Not sure how many people agree with me here, but excluding the extreme stretch that seems to have been killed by the 9th, I think I agree with this… I mean if you have quit, or where fired, then you access is done (that instant). Just because an admin hasn’t turned off your account yet doesn’t mean you can still use it. Legally, or morally…
To take it to another extreme, if your account isn’t turned off, and years later you log back into your companies servers for ANY reason, “nefarious” or not, well, that’s “hacking”.
Lets be frank, the guy was trying to hide a violation of his contract.
Also, I would also agree with “exceeds authorized access”. If you have someone who works a teller station at a bank, and finds that they can abuse the system in such a way as to elevate their privileges, and they DO IT, that is “hacking”, and SHOULD be a violation of federal law. And I don’t care if it is at a bank, or a clerk at 7-11. It it NOT the employees property, and they are being payed to do their job, NOT WATCH YOUTUBE!
Sorry, started to spin up there a bit. But this should be common sense, and 9 times out or 10 IS harmless. But this law is there for a reason, and this seems like a fair application of the law.
Re: Re:
In your bank example, couldn’t that simply be (depending on the circumstances) fraud or theft or similar charges without the need for a silly “hacking” charge? For the 7-11 clerk watching YouTube, couldn’t that be solved by simply…firing them?
Re: Re:
“Also, I would also agree with “exceeds authorized access”. If you have someone who works a teller station at a bank, and finds that they can abuse the system in such a way as to elevate their privileges, and they DO IT, that is “hacking”, and SHOULD be a violation of federal law. And I don’t care if it is at a bank, or a clerk at 7-11. It it NOT the employees property, and they are being payed to do their job, NOT WATCH YOUTUBE!”
That should be a civil matter, at most. But a federal crime? Get real! What’s next? Throwing in jail all the employees that don’t roll over and play dead exactly the way the employer wants it?
Re: Re:
P.S. And you wonder about the unemployment figures and about how some people just don’t really even want a job these days… The problem is that in the US the term “employee” is not really representative anymore. A more representative term would be “indentured slave”.
Re: Re:
Not sure how many people agree with me here, but excluding the extreme stretch that seems to have been killed by the 9th, I think I agree with this.
this is a dangerous stance to take because of the nature of information security. peer review and feedback are monumentally important to securing information systems and the improper application of laws like the Computer Fraud and Abuse Act will discourage review and feedback, especially in legal gray areas like independent research.
people find problems with systems and bring them to people’s attention; this is how holes get found and patched. not everyone who finds a bug is going to do so with prior authorization, and not every system administrator is going to appreciate the notification.
not all hacking is dangerous or criminal, in fact, only a small subset of hacking is really criminal. the ethics of hacking basically boil down to intent and disclosure. if you do not intend to do harm, and you disclose your findings appropriately, there should be nothing wrong with hacking a system, even if it’s not yours.
if you start using a law against fraud and abuse to punish activities which are neither fraudulent nor abusive, that threatens security research as a whole, especially independent research.
I mean if you have quit, or where fired, then you access is done (that instant). Just because an admin hasn’t turned off your account yet doesn’t mean you can still use it. Legally, or morally…
the decision to fire someone is a multi-stage process. you may be fired once HR decides you are fired, but if HR hasn’t informed you yet, your activities probably shouldn’t be considered fraudulent or abusive.
in the case mentioned in the article, if the proper steps were taken to build a case for the termination, all the evidence would have been gathered prior to the decision to terminate, and the file deletion would not have affected the case.
To take it to another extreme, if your account isn’t turned off, and years later you log back into your companies servers for ANY reason, “nefarious” or not, well, that’s “hacking”.
uh, that’s not automatically criminal. logging into something that you were given access to isn’t fraud or abuse until you use that access to do something fraudulent or abusive.
if your ex-employer messed up, that doesn’t automatically make you a criminal. that’s the issue here: using the CFAA to punish activites which are neither fraudulent nor abusive.
if you discover that your account is active, do nothing fraudulent or abusive with it, and let someone know about the vulnerability, what is the harm done? have you not helped the system, and your former employer to become more secure?
sure it’s a legal gray area, but intent and disclosure should be considered along with the evidence when deciding the legality of these scenarios.
I would also agree with “exceeds authorized access”. If you have someone who works a teller station at a bank, and finds that they can abuse the system in such a way as to elevate their privileges, and they DO IT, that is “hacking”, and SHOULD be a violation of federal law.
not all hacking is criminal in nature. again, it’s not fraud or abuse until you use the exploit to do something fraudulent or abusive. finding bugs and demonstrating them aren’t fraudulent. keeping them secret and using them for personal gain at the expense of the system’s owner or customers is fraudulent or abusive.
again, it comes down to intent and disclosure. hacking machines in a lab environment and logging bugs with software maintainers isn’t a crime, it’s a community service. finding a vulnerability on a production system and notifying the system administrator shouldn’t be a crime either as long as you don’t use that vulnerability to commit fraud or otherwise abuse the system.
Re: Re:
AC, I disagree. If you fire someone without being prepared for a negative reaction you’re not only stupid you are being negligent.
If someone leaves your company and you dont disable your account – you’re being negligent.
If the violation of his contract was a crime then he can be prosecuted for that crime. If it wasn’t then being dismissed for cause is enough without broadening a law beyond its original intent.
In this specific case, since the access was not immediately revoked and the hardware itself removed from the possession of the employee upon termination, the employer failed to practice due care. I’m not sure why the defense wasn’t all over that in this case. Dude still possessed the physical machine, and still had a valid login for it. While it certainly does stretch the ethical boundaries of the employee/employer relationship to log in and mess with the data after they’ve said you shouldn’t, I’m frankly not sure what they expect since, from a technological point of view, it was allowed. Also, since he obviously had something on there in the first place that he wanted to remove, leaving it in his possession with his account intact was negligent (and I’d suspect that in this case, removing evidence that you were terminated for cause probably has something to do with trying to preserve your ability to collect unemployment benefits, though that’s speculation on my part–but it means that the employer needs to keep that stuff as a matter of course). So I don’t know, I mean, maybe there’s a case to be made criminally, but following that up with a civil suit should be unsuccessful.
Tell you what, though: once we get a case where the CFAA comes into direct conflict with whistleblower protection laws, then we’ll really have a party!
You either have access or you don’t. But “Exceeding Authorized Use” may be an indication of a much larger business problem related to training on the systems *THEY* created.
This is not a criminal problem created by the Government, to be decided by the courts, but between the company and the folks who offer access.
Now, before you get all giddy, do you know the hiring processes that are used by companies these days? Do you not trust your HR Department? Have you ever heard of a company called “The Work Number”? They monitor not only credit ratings but background checks of your employees. They even know when your employees are applying for other jobs! Most HR departments already subscribe to this.
Do you know how many times I glossed over jobs because I decided to buy a TV and it affected my credit report and through The Work Number, I was passed up for a promotion because I didn’t put my money into a Bear Sterns or Lehman Brothers Stock?
Yikes. I guess I should make friends with old employers so my usage after-hours isn’t flagged by The Work Number as being weird.
Seriously. The Work Number is owned by Experian and they can see when you work an extra 3 hours and if you don’t put a part of that money into a fancy, high risk stock like Lehman, they’ll tell your HR department so you don’t get included in the final round of interviews!
Not Hacking
When the violation can be called access “without authorization” or “exceeds authorized access” then possibly that is what it should be called. What this guy did was not hacking.
and obama wanted to solicite for hackers
good luck considering that since the mid 90’s they have persecuted like a madness and now they need htem no one would ever step forward.
and its also why i have neither a chapter of the UHA there nor wish too , they haven’t the privacy nor the freedoms afforded by many other nations.
ITS a joke of a country now and as many beleive in ten years they really are going to start the downward slide.
and i mean slide they have outsourced manufacturing so hard they have now begun to see the affects of over protecting the IP.
when other nations go ha your laws to stupid we better, ugh dumb ceo can even see being over there better.
the USD vs CAD is now literally even.
in 5 years you’ll be beneath us large.
TIME to kick out the 750,000 americans living here year round and or make them pay more in taxes.
We really should begin to build a wall across the border to keep americans out…..
#3 Here
To #4
If any of those where committed yes, but they don’t cover the action of breaking the companies security.
#5
Excellent point, if the notebook was HIS, then it gets real gray, but I doubt that is the case. Most places (including the place I do IT for), don’t let personal computers on a company network for just that reason.
#6
So just because it is a federal law doesn’t make the punishment any less or more painful. It needs to be a federal issue because this commonly crosses state lines. And if the employee cracks a security system on, oh lets say, a computer network that runs your credit card payments, then let in a virus. Just so he/she could get to Gmail, then YES! They need to go to JAIL! You need to get real sir. 😉 This isn’t high school, it’s business. Your actions have consciousness.
As I said though, 9 times out of 10, it’s just not an issue worth be prosecuted. Usually an employee would just be fired. And in this case the person may have been trying to extract money from the company making it worth their time…
As to your P.S. Well, you are trying to do the very thing the author here loooves to bash people for, and so do I. Your changing the subject. Just because people are being abused because there is an abundance of work force has nothing to do with people not braking the law. Sorry, two wrongs doesn’t make a write kinda argument here.
#8
Simple, because HE should have turned it in. Just because you CAN doesn’t mean you should and all. Any removal of data at that point should be negotiated between the two parties. This is fairly standard practice.
#9
Don’t think you got the whole idea that is trying to be made, so I’ll leave it at that.
#10
I simply don’t agree. Just because he used a password that still worked doesn’t change anything. I don’t really care if there is a big sign that says “GO AWAY”, and that is the extent of their security. It’s all about intent. It is is the person had the intent to access a system he/she had no right to.
WOW! Don’t I sound like the corporation jerk. HA! Sorry, devil advocate kicking in there.
Re: Re:
The fact that you do IT for a company and some of your users avoid your locks/firewalls/etc must piss you off, but that doesn’t warrant throwing them in jail because they’re craftier than you are.
So, let’s take it from the top:
comment to #4: “they don’t cover the action of breaking the companies security.”
So, if someone doesn’t really commit any real crime, but penetrates the company’s security to watch YouTube, he should be tried as a criminal? How long until you start asking for kids removing the locks on their school-provided laptops to be tried as criminals?
comment to #6: “if the employee cracks a security system on, oh lets say, a computer network that runs your credit card payments, then let in a virus. Just so he/she could get to Gmail, then YES! They need to go to JAIL!”
Well, in this situation I somewhat agree with you. After all, the clients could sue the pants off the company and the company could sue the pants off that employee after firing him, so I’m not entirely convinced that the govt. should get involved.
As for that P.S., it’s not necessarily changing the subject. The problem is that in the United States, the employers have all the power and the employee has almost no power. Moreover, when the employers gets govt. backing to abuse and threaten employees with criminal proceedings, the balance gets even more skewed and that results in people getting bitter and discouraged.
comment to #8:
As long as you don’t physically prevent the newly fired employee from accessing the device, then you shouldn’t have any expectations that the data on the device won’t be touched. To cite from Dune: “He who can destroy a thing, controls a thing.”
comment to #10:
His point is quite good. That’s the whole crux of the matter actually. It’s the same situation as this one http://techdirt.com/articles/20060914/110036.shtml. The fact that your security is made up of just stern warnings and hope doesn’t mean that it’s effective security. If that were the case, the whole computer and network security business would be non-existent.
“If you use your employer’s computer simply to access the company’s data for your personal use, you may be guilty of computer hacking. That’s quite clearly not what the law was intended to cover.”
Maybe it should, Mike. I’ve heard you complain countless times about people, who had authorized access to certain computer systems, then accessing data on those systems they should not have had a right to, for a particular purpose.
Let me see if I have this straight. If this scenario happens on a government system the government employee is doing something illegal. But if it happens in the private sector, the law is somehow being interpreted wrong?
What’s the basis for the distinction?
Computer Hacking Law
Excellent article, and I agree wholeheartedly.
Let me point out though, as Obama implied, this is clearly the worst Supreme Court we have ever had. I can’t believe much that is good will come from them, and we will likely spend years passing laws to reverse their decisions.
computer fraud & abuse
the act of computer fraud & abuse should be maintained and those found breaking the law should face the law squrely”for example yestaday in my college i wrote my curiculum vitae and saved it but a hacker came and deleted’