One of the things that really chaps my hide is when prosecutors misuse a piece of legislation intended for a specific purpose to prosecute something completely (in my opinion) unrelated. I’ve written about just such shenanigans before here and here. In these cases it was all about trying to prosecute undocumented workers for identity theft. In another (truly) unrelated case, outlined in this Ars Technica story, a “creative interpretation” of one law is once again being attempted to prosecute something completely different.
The “unauthorized access” provision of the Computer Fraud and Abuse Act (CFAA) has turned out to be quite an asset to those looking to prosecute people for all manner of actions involving computers, even though it was originally meant to target hackers.
A company named LVRC Holdings filed a lawsuit against a former employee, his wife, and their independent consulting business. LVRC had accused [the former employee] of using company computers “without authorization” in order to e-mail himself LVRC client files in order to use that information for his personal business after leaving the company.
Based on that description, one might assume that [the employee] had used his or someone else’s credentials to break into the network after he quit, but that’s not exactly the case. As it turns out, [he] had e-mailed the documents to his home PC while he was still an employee at LVRC, using login information that the company admin had sent to him. The documents he e-mailed included a financial statement for the company, LVRC’s marketing budget, and admissions reports for patients, among other things. Not so coincidentally, [he] apparently did this while he was in talks to acquire part of LVRC. Those talks eventually broke down and [he] left the company.
[He] subsequently used the data to help his own consulting business, which he runs with his wife. You could argue that his actions were unethical and downright slimy, but LVRC brought charges under the CFAA, saying that he had gained unauthorized access to LVRC machines in order to get the data. LVRC had argued that [his] intent at the time of access determined whether or not he was authorized—basically, the company said he was committing a “thought crime.”
Now, I have no problem believing the defendant in this case is a sleazy weasel. But a hacker? Seriously, does that pass anyone’s laugh test? Apparently the Ninth Circuit Court of Appeals agrees with my assessment that, regardless of the defendant’s ethics deficiency, a hacker he was not.
The Ninth Circuit Court of Appeals has ruled, however, that it cannot be used to prosecute someone for being disloyal with company info after quitting—a decision that is being applauded by CFAA critics who want to limit the statute.
The Ninth Circuit judges disagreed with LVRC’s creative interpretation of “unauthorized access” by noting that [the then employee] had permission to access the computer at the time he sent the e-mails—because, of course, his job with LVRC required him to use that computer. “We hold that a person uses a computer ‘without authorization’… when the person has not received permission to use the computer for any purpose (such as when a hacker accesses someone’s computer without any permission), or when the employer has rescinded permission to access the computer and the defendant uses the computer anyway,” the judges wrote.
(LVRC’s other point of contention was apparent evidence that [the now former employee] had logged onto the company website using his login credentials after he had left in order to mine traffic data, but the court noted that [he] provided “undisputed evidence” that at least two other employees had used his work PC after he left and that the company had apparently not wiped the machine.)
Though it’s clear that [the former employee] was acting against the interests of LVRC at the time he sent the documents, the CFAA was not written for cases like this.
Exactly. It should be noted that the CFAA has been notoriously misused in several other high-profile cases, including that of “MySpace Mom” Lori Drew, whose conviction was recently overturned due to this questionable interpretation of the CFAA, and that of a domain registrar that spammed customers pretending to be Register.com. Certainly in both of these cases, the defendants engaged in deplorable and unethical behavior involving computers. But they were not by any definition “hackers”. Losers, maybe. Scum, probably. Hackers, not so much.






