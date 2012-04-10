* 9th Circuit says US read of law overly broad
* Millions could be prosecuted if law read broadly -court
* Ex-Korn/Ferry manager accused of stealing client data
By Terry Baynes and Jonathan Stempel
April 10 A U.S. appeals court rejected the
government's broad reading of a computer fraud law to prosecute
workers who steal from company computers, saying it could expose
millions of Americans to prosecution for harmless activities at
work.
The 9-2 decision by the 9th U.S. Circuit Court of Appeals in
San Francisco diverges from broader readings of the federal
Computer Fraud and Abuse Act by three other federal appeals
courts. This raises the chance that the U.S. Supreme Court might
decide to try to resolve the issue.
Tuesday's decision written by Chief Judge Alex Kozinski
upheld a lower court's dismissal of five of 20 counts against
David Nosal, a former manager at Korn/Ferry International
who left that executive search firm in October 2004.
Nosal had been accused of convincing former colleagues to
use their log-in credentials to steal confidential client data
from Korn/Ferry, to help him start a rival business.
The defendant was also charged with mail fraud, theft of
trade secrets and conspiracy, and has yet to be tried.
The U.S. Department of Justice did not immediately respond
to requests for comment.
Dennis Riordan, a lawyer for Nosal, welcomed the decision.
"It leaves in place all the purposes of the anti-hacking
statute, but it frees people from fearing they could be
prosecuted for violating arcane provisions of employer
policies," he said.
Nosal had sought to dismiss the CFAA counts on the ground
that the 1984 law targets hackers, not people who misuse data
that was obtained legally - in this case, obtained by the former
colleagues.
U.S. District Judge Marilyn Hall Patel agreed in a January
2010 ruling to dismiss those counts, but a divided three-judge
9th Circuit panel in April 2011 reversed that ruling. Tuesday's
decision overturns that panel ruling.
Kozinski said the law's criminalization of computer activity
that "exceeds authorized access" addresses how information is
accessed, not how it is used.
He said the government's interpretation would transform the
law into an "sweeping Internet-policing mandate" to criminalize
any unauthorized use of information from a computer, rather than
simply a statute to thwart hacking.
He said such an approach could make "minor dalliances" at
work such as playing games online, emailing family, social
networking or even watching ESPN.com against the law.
"While it's unlikely that you'll be prosecuted for watching
Reason.TV on your work computer, you could be," Kozinski wrote.
"And sudoku enthusiasts should stick to the printed puzzles,
because visiting www.dailysudoku.com from their work computers
might give them more than enough time to hone their sudoku
skills behind bars."
Judge Barry Silverman dissented, saying "this case has
nothing to do with playing sudoku, checking email, fibbing on
dating sites," or other ordinarily noncriminal activity.
"It has everything to do with stealing an employer's
valuable information to set up a competing business with the
purloined data, siphoned away from the victim, knowing such
access and use were prohibited in the defendants' employment
contracts," he wrote.
In a recent case, prosecutors used the computer fraud law to
convict Lori Drew, a Missouri woman accused of using a fake
MySpace account to bully a 13-year-old girl who then committed
suicide. A California federal judge later threw out Drew's
conviction.
The case is U.S. v. Nosal, 9th U.S. Circuit Court of
Appeals, No. 10-10038.