Employees may be prosecuted under a federal antihacking statute for taking computer files that they were authorized to access and using them in a manner prohibited by the company, a federal appeals court has ruled.
The case decided 2-1 Thursday by the 9th U.S. Circuit Court of Appeals concerned the Computer Fraud and Abuse Act. Congress adopted the CFAA in 1986 to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.
“As long as the employee has knowledge of the employer’s limitations on that authorization, the employee ‘exceeds authorized access’ when the employee violates those limitations. It is as simple as that,” Judge Stephen Trott wrote in an opinion (.pdf) joined by Judge Diarmuid O’Scannlain.
In dissent, Judge Tena Campbell wrote that, under the majority’s ruling, “any person who obtains information from any computer connected to the internet, in violation of her employer’s computer-use restrictions, is guilty of a federal crime.”
The majority’s decision, which mirrors rulings in two other federal appellate circuits, bolsters an interpretation of the CFAA that’s playing a role in the government’s grand jury probe of WikiLeaks founder Julian Assange. A grand jury subpoena recently issued in the case (first reported by Salon.com, and confirmed by the Washington Post) was accompanied by a letter indicating that one of the charges the government is considering is conspiracy to violate the CFAA by “exceeding authorized access” to a computer system — the same language at issue in the new decision. Read More
