Disregarding a company's computer policies isn't a federal crime, the 9th Circuit Court of Appeals said today.
The ruling means that prosecutors within the 9th Circuit can't bring federal
computer fraud charges against Web users for, say, lying about their height on dating sites, or their age on social media sites.
With the 9-2 decision, the court threw out several charges
against David Nosal, who allegedly convinced some of his former co-workers to violate their employer's computer policies by downloading contact lists. The company's policy prohibited employees from
disclosing confidential information.
The government indicted Nosal on a host of counts, including theft of trade secrets, mail fraud and violations of the Computer Fraud and Abuse Act -- an
anti-hacking law that makes it a crime to access computers without authorization. The computer fraud charge against Nosal was based on the theory that he encouraged his former colleagues to violate
their employer's computer access policy.
This wasn't the first time the government had attempted to base a criminal computer fraud prosecution on a terms of service violation. Lori Drew
-- infamous for her role in the "MySpace suicide" case -- also faced prosecution for violating the anti-hacking statute.
Drew, an adult Missouri resident, was indicted on computer fraud
charges for allegedly helping to hatch a plan to create a fake profile of a boy, "Josh," who sent messages to the teen. The messages were initially playful, but eventually turned cruel.
Thirteen-year-old Megan Meier hanged herself after receiving a final message from "Josh" that the world would be a better place without her. Drew herself didn't send the messages or create the
account.
The government contended that Drew violated the computer fraud law by violating MySpace's terms of service with the profile of Josh.
The case went to trial and a jury
convicted Drew of three misdemeanor computer fraud counts. Shortly afterward, U.S. District Court Judge George Wu dismissed those charges, ruling that people like Drew don't have fair notice that
ignoring terms in a user agreement can result in criminal sanctions.
Wu pointed out in his written opinion that MySpace's terms of service are so broad that many people violate them. For
instance, he wrote, "the lonely-heart who submits intentionally inaccurate data about his or her age, height and/or physical appearance" violates the site's prohibition against providing false or
misleading information. In addition, "the exasperated parent who sends out a group message to neighborhood friends entreating them to purchase his or her daughter's girl scout cookies" breaks the
site's rule against advertising to other members.
Today's opinion by the 9th Circuit repeats many of those arguments. "Under the government’s proposed interpretation of the CFAA, posting
for sale an item prohibited by Craigslist’s policy, or describing yourself as 'tall, dark and handsome,' when you’re actually short and homely, will earn you a handsome orange jumpsuit,"
Chief Judge Alex Kozinski wrote for the majority of the judges.
After noting that many companies prohibit people from using computers for non-business purposes, Kozinski offered the following
argument. "Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is
involved," he wrote. "Sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku
skills behind bars."
He adds: "The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of
our local prosecutor."
Other appellate courts have come to the opposite conclusion and held that employees can be prosecuted for computer fraud for violating their employers' computer
policies.