April 12, 2012
The federal Computer Fraud and Abuse Act (CFAA) was passed in 1984 to combat computer hacking.
Among other things, the CFAA makes it a crime to intentionally access a computer without authorization or to exceed authorized access, and thereby obtain information from any “protected computer.”
The term “protected computer” means a computer “which is used in or affecting interstate or foreign commerce or communication,” including computers located outside of the U.S.
This definition is obviously quite broad.
Or, at least, it is now because the Internet of today that connects a single computer to countless others across the globe wasn’t around in 1984 when Congress passed the law.
“Without authorization” probably doesn’t need much explanation, but the Act does provide a needed definition for “exceeds authorized access.”
The term is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”
“Entitled” has been repeatedly argued by the government in numerous criminal cases to apply not only to restrict physical access, but also to restrict use of the information.
The problem is that such a broad interpretation of the law criminalizes everyday behavior of otherwise law-abiding citizens using the Internet.
You also may have committed a federal crime: posting that photo constituted “altering” information (i.e. adding it to Facebook) on a “protected computer” (Facebook’s servers).
This violation means that you could face a sizeable fine and up to a year in prison (unless you have a prior CFAA conviction, in which case, you could be looking at up to 10 years).
Nosal involved the defendant allegedly enlisting others to access “a protected computer” to acquire a database of clients from his previous employer for use in his own competing business.
The others Nosal enlisted were current employees of the company, and had full access to the database, but the government, in bringing the charges, argued that Nosal and the others exceeded their “use” authorization.
The full panel of 9th Circuit appeals judges didn’t agree, discussing in detail the issues briefly touched on above that would be introduced by such an expansive interpretation.
The opinion also cited possible abuses by employers, since using a work computer for any personal use would be criminally punishable.
Since the 9th Circuit’s ruling was the first federal court of appeals circuit to limit the CFAA’s scope (in direct opposition to the three other circuits mentioned earlier), there is now an official split in the circuits, which increases the chances of the Supreme Court hearing the issue at some later point.
We can only hope that, if the Supreme Court takes up the question, it will come down in favor of limiting the Act.
Otherwise, a lot of people going on Facebook at work could be in a lot of trouble.