Disregarding a company's computer policies isn't a federal crime, the 9th Circuit Court of Appeals said today.
The ruling means that prosecutors within the 9th Circuit can't bring federal computer fraud charges against Web users for, say, lying about their height on dating sites, or their age on social media sites.
With the 9-2 decision, the court threw out several charges against David Nosal, who allegedly convinced some of his former co-workers to violate their employer's computer policies by downloading contact lists. The company's policy prohibited employees from disclosing confidential information.
The government indicted Nosal on a host of counts, including theft of trade secrets, mail fraud and violations of the Computer Fraud and Abuse Act -- an anti-hacking law that makes it a crime to access computers without authorization. The computer fraud charge against Nosal was based on the theory that he encouraged his former colleagues to violate their employer's computer access policy.
This wasn't the first time the government had attempted to base a criminal computer fraud prosecution on a terms of service violation. Lori Drew -- infamous for her role in the "MySpace suicide" case -- also faced prosecution for violating the anti-hacking statute.
Drew, an adult Missouri resident, was indicted on computer fraud charges for allegedly helping to hatch a plan to create a fake profile of a boy, "Josh," who sent messages to the teen. The messages were initially playful, but eventually turned cruel. Thirteen-year-old Megan Meier hanged herself after receiving a final message from "Josh" that the world would be a better place without her. Drew herself didn't send the messages or create the account.
The government contended that Drew violated the computer fraud law by violating MySpace's terms of service with the profile of Josh.
The case went to trial and a jury convicted Drew of three misdemeanor computer fraud counts. Shortly afterward, U.S. District Court Judge George Wu dismissed those charges, ruling that people like Drew don't have fair notice that ignoring terms in a user agreement can result in criminal sanctions.
Wu pointed out in his written opinion that MySpace's terms of service are so broad that many people violate them. For instance, he wrote, "the lonely-heart who submits intentionally inaccurate data about his or her age, height and/or physical appearance" violates the site's prohibition against providing false or misleading information. In addition, "the exasperated parent who sends out a group message to neighborhood friends entreating them to purchase his or her daughter's girl scout cookies" breaks the site's rule against advertising to other members.
Today's opinion by the 9th Circuit repeats many of those arguments. "Under the government’s proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as 'tall, dark and handsome,' when you’re actually short and homely, will earn you a handsome orange jumpsuit," Chief Judge Alex Kozinski wrote for the majority of the judges.
After noting that many companies prohibit people from using computers for non-business purposes, Kozinski offered the following argument. "Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," he wrote. "Sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars."
He adds: "The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor."
Other appellate courts have come to the opposite conclusion and held that employees can be prosecuted for computer fraud for violating their employers' computer policies.