(Reuters) - A U.S. appeals court rejected the government’s broad reading of a computer fraud law to prosecute workers who steal from company computers, saying it could expose millions of Americans to prosecution for harmless activities at work.
The 9-2 decision by the 9th U.S. Circuit Court of Appeals in San Francisco diverges from broader readings of the federal Computer Fraud and Abuse Act by three other federal appeals courts. This raises the chance that the U.S. Supreme Court might decide to try to resolve the issue.
Tuesday’s decision written by Chief Judge Alex Kozinski upheld a lower court’s dismissal of five of 20 counts against David Nosal, a former manager at Korn/Ferry International (KFY.N) who left that executive search firm in October 2004.
Nosal had been accused of convincing former colleagues to use their log-in credentials to steal confidential client data from Korn/Ferry, to help him start a rival business.
The defendant was also charged with mail fraud, theft of trade secrets and conspiracy, and has yet to be tried.
The U.S. Department of Justice did not immediately respond to requests for comment.
Dennis Riordan, a lawyer for Nosal, welcomed the decision. “It leaves in place all the purposes of the anti-hacking statute, but it frees people from fearing they could be prosecuted for violating arcane provisions of employer policies,” he said.
Nosal had sought to dismiss the CFAA counts on the ground that the 1984 law targets hackers, not people who misuse data that was obtained legally - in this case, obtained by the former colleagues.
U.S. District Judge Marilyn Hall Patel agreed in a January 2010 ruling to dismiss those counts, but a divided three-judge 9th Circuit panel in April 2011 reversed that ruling. Tuesday’s decision overturns that panel ruling.
Kozinski said the law’s criminalization of computer activity that “exceeds authorized access” addresses how information is accessed, not how it is used.
He said the government’s interpretation would transform the law into an “sweeping Internet-policing mandate” to criminalize any unauthorized use of information from a computer, rather than simply a statute to thwart hacking.
He said such an approach could make “minor dalliances” at work such as playing games online, emailing family, social networking or even watching ESPN.com against the law.
“While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be,” Kozinski wrote. “And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.”
Judge Barry Silverman dissented, saying “this case has nothing to do with playing sudoku, checking email, fibbing on dating sites,” or other ordinarily noncriminal activity.
“It has everything to do with stealing an employer’s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants’ employment contracts,” he wrote.
In a recent case, prosecutors used the computer fraud law to convict Lori Drew, a Missouri woman accused of using a fake MySpace account to bully a 13-year-old girl who then committed suicide. A California federal judge later threw out Drew’s conviction.
The case is U.S. v. Nosal, 9th U.S. Circuit Court of Appeals, No. 10-10038.
Reporting By Terry Baynes and Jonathan Stempel in New York; Editing by Tim Dobbyn