If you are reading this column online at work, you may be committing a federal crime. Or so says the Justice Department, which reads the Computer Fraud and Abuse Act (CFAA) broadly enough to encompass personal use of company computers as well as violations of fine-print website rules that people routinely ignore.
Last week, the U.S. Court of Appeals for the 9th Circuit rightly rejected this view of the CFAA, which Chief Judge Alex Kozinski noted could make a criminal out of "everyone who uses a computer in violation of computer use restrictions -- which may well include everyone who uses a computer." Unfortunately, other appeals courts have been more receptive to the Justice Department's interpretation, which gives U.S. attorneys the power to prosecute just about anyone who offends or annoys them.
Congress passed the original version of the CFAA in 1984, when the Internet was in its infancy and the World Wide Web did not exist, to protect government computer systems and financial databases from hackers. As a result of amendments and technological developments, George Washington University law professor Orin Kerr explains in a 2010 Minnesota Law Review article, "the law that began as narrow and specific has become breathtakingly broad," potentially regulating "every use of every computer in the United States."
The 9th Circuit case involved David Nosal, who left the executive search firm Korn/Ferry International in 2004 and allegedly enlisted two former colleagues to feed him proprietary client information with an eye toward starting a competing business. In addition to conspiracy, mail fraud and trade secret theft, Nosal was charged with violating the CFAA, which criminalizes unauthorized computer access in various circumstances.
Although Nosal's confederates were authorized to use Korn/Ferry's database, federal prosecutors argued that improperly sharing information with him retroactively rendered their access unauthorized. As Judge Kozinski noted, "The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer."
The felony Nosal was accused of committing involves unauthorized access "with intent to defraud." But the CFAA also makes someone guilty of a misdemeanor, punishable by up to a year in jail, if he "intentionally accesses a computer without authorization or exceeds authorized access" and "thereby obtains ... information."