Appeals court rules that surfing the web on a work computer isn’t a federal offense

April 12, 2012

Cyberlaw logoThe federal Computer Fraud and Abuse Act (CFAA) was passed in 1984 to combat computer hacking.

Among other things, the CFAA makes it a crime to intentionally access a computer without authorization or to exceed authorized access, and thereby obtain information from any “protected computer.”

The term “protected computer” means a computer “which is used in or affecting interstate or foreign commerce or communication,” including computers located outside of the U.S.

This definition is obviously quite broad.

Or, at least, it is now because the Internet of today that connects a single computer to countless others across the globe wasn’t around in 1984 when Congress passed the law.

“Without authorization” probably doesn’t need much explanation, but the Act does provide a needed definition for “exceeds authorized access.”

The term is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”

“Entitled” has been repeatedly argued by the government in numerous criminal cases to apply not only to restrict physical access, but also to restrict use of the information.

The 5th Circuit, 7th Circuit, and 11th Circuit Courts of Appeals have all made rulings agreeing with this position.

The problem is that such a broad interpretation of the law criminalizes everyday behavior of otherwise law-abiding citizens using the Internet.

For instance, if you post something on Twitter or Facebook that violates either’s respective terms of use, you could be charged with committing a federal crime.

Here’s how:

Let’s say that you post a photo on Facebook that someone finds offensive, and, since Facebook’s broad terms of use agreement that gives it the right to subjectively deem any material as offensive, it removes the photo.

Technically, you violated Facebook’s terms of use by posting that photo.

You also may have committed a federal crime: posting that photo constituted “altering” information (i.e. adding it to Facebook) on a “protected computer” (Facebook’s servers).

Under the broader reading of the CFAA, doing so in violation of Facebook’s stated acceptable uses (in violation of its terms of use) would be “exceeding authorized access.”

This violation means that you could face a sizeable fine and up to a year in prison (unless you have a prior CFAA conviction, in which case, you could be looking at up to 10 years).

Such concerns finally found support with a federal circuit court of appeals on Monday with the 9th Circuit’s en banc ruling in U.S. v. Nosal.

Nosal involved the defendant allegedly enlisting others to access “a protected computer” to acquire a database of clients from his previous employer for use in his own competing business.

The others Nosal enlisted were current employees of the company, and had full access to the database, but the government, in bringing the charges, argued that Nosal and the others exceeded their “use” authorization.

The full panel of 9th Circuit appeals judges didn’t agree, discussing in detail the issues briefly touched on above that would be introduced by such an expansive interpretation.

The opinion also cited possible abuses by employers, since using a work computer for any personal use would be criminally punishable.

Since the 9th Circuit’s ruling was the first federal court of appeals circuit to limit the CFAA’s scope (in direct opposition to the three other circuits mentioned earlier), there is now an official split in the circuits, which increases the chances of the Supreme Court hearing the issue at some later point.

We can only hope that, if the Supreme Court takes up the question, it will come down in favor of limiting the Act.

Otherwise, a lot of people going on Facebook at work could be in a lot of trouble.