Slashdot Mirror

← Back to Stories (view on slashdot.org)

Court Rules Workers Did Not Overstep On Stealing Data

Posted by samzenpus on from the no-harm-no-foul dept.

MikeatWired writes "In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit has ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it. The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court. The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all, the judge wrote. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system Applying the language in the CFAA any other way would turn it into a 'sweeping Internet-policing mandate,' he wrote."

88 comments

  1. Not guilty under CFAA only by schwit1 · · Score: 4, Insightful

    That doesn't mean they can't be charged under other statutes.

    1. Re:Not guilty under CFAA only by oh_my_080980980 · · Score: 2

      THANK YOU!

      The judge was quite clear why "violations of the CFAA" was not appropriate. Christ he was indicted on 20 counts, including mail fraud and trade secret theft. They have plenty of other indictments to work from.

    2. Re:Not guilty under CFAA only by Anonymous Coward · · Score: 0

      Actually, they can't be charged twice. Once this "act" has gone to court they can't be charged separately for a different crime for the same act just because the first charge didn't pan out.

    3. Re:Not guilty under CFAA only by ocdscouter · · Score: 2

      Christ he was indicted on 20 counts, including mail fraud and trade secret theft. They have plenty of other indictments to work from.

      Counts that they wouldn't have to spend nearly as much effort on, to boot.

      I had the experience of being on a jury for a similar case in the Silicon Valley area a couple years ago. I'd have to say that the whole "e-mailing rather sensitive documents to yourself on the way out *and* using it in a competing startup" approach seems to be a foolproof way to get yourself found liable for little things like misappropriation of trade secrets.

    4. Re:Not guilty under CFAA only by mekkab · · Score: 1

      I'd have to say that the whole "e-mailing rather sensitive documents to yourself on the way out *and* using it in a competing startup" approach seems to be a foolproof way to get yourself found liable for little things like misappropriation of trade secrets.

      this is good stuff!
      *writes this down*
      Hey, do you know how I can un-send e-mail? Oh, No reason, really.

      --
      In the future, I would want to not be isolated from my friends in the Space Station.
  2. Trade secret indictment continued? by michaelmalak · · Score: 1

    From TFA, it sounded like there was a separate charge of trade secret theft that continued on independently of the CFAA charge. Does anyone know how that turned out?

  3. Good news everyone... by iPaul · · Score: 4, Funny

    There are some judges who have a clue.

    --
    Leave the gun, take the cannoli -- Clemenza, The Godfather
    1. Re:Good news everyone... by Hognoxious · · Score: 0, Troll

      Perhaps somewhere there are. But not here.

      The ruling is equivalent to "if you have a logon, you should have root".

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    2. Re:Good news everyone... by Anonymous Coward · · Score: 0

      Pretty much. This can also (possibly) be argued somewhat in the Bradley Manning case.

    3. Re:Good news everyone... by Anonymous Coward · · Score: 5, Insightful

      No, that's not what it says at all. This ruling is saying that the CFAA applies to only to people using technological means to circumvent their restrictions, not people misusing the the access they do have. In this case, the users had legitimate credentials to the database. Obviously, they were not supposed to use that access to steal the data, but doing so is not "exceeding authorized access" it's simply theft. This is common sense. For a non computer analogy, at my old job I had a key to the storeroom. If I were to use that key to open the store room and steal a bunch of shit, I would not be charged with breaking and entering. That's not to say I won't be charged with a crime (and the accused in TFA were charged with other crimes), it just means I did not violate that specific law. The CFAA was created to prosecute hackers, it should not be used against anyone who does something on a computer that the owner of that computer doesn't like. This ruling is a good thing.

    4. Re:Good news everyone... by Anonymous Coward · · Score: 3, Interesting

      >The ruling is equivalent to "if you have a logon, you should have root".

      Except that the defendants were authorised to access the data in question. The alternative is to allow the company to retroactively deny authorisation, which opens up the CFAA to criminalise any data access at all.

    5. Re:Good news everyone... by Richard_at_work · · Score: 1, Redundant

      Not really, because it junks the entire concept of limited authorisation within a corporation - if 'exceeds authorized access' doesn't apply when your authorisation is limited just because you are a legitimate employee of that company, then a significant portion of the point of limited authorisation is thrown out.

      Your employees can attack from within with impunity.

    6. Re:Good news everyone... by will_die · · Score: 2

      No it cannot.
      First manning is not being charged under this law.
      Second the charges he is being accused of include moving classified material to unclassified servers, giving materal to people not authorized and others like that. He was not authorized to downgrade material nor was he authorized to authorize people to beable to view the information.

    7. Re:Good news everyone... by AngryDeuce · · Score: 3, Insightful

      Mod parent up!

      These guys didn't "hack" shit...and a ruling allowing the CFAA to be applied here would have set an awful, awful precedent.

    8. Re:Good news everyone... by Anonymous Coward · · Score: 0

      Bingo! Good explanation for the uninitiated.
       

    9. Re:Good news everyone... by Anonymous Coward · · Score: 0

      Your employees can attack from within with impunity.

      Are things really that bad? Do you have to assume the employees are antagonistic to their employers by default?

    10. Re:Good news everyone... by benjamindees · · Score: 4, Informative

      The ruling is equivalent to "if you have a logon, you should have root".

      The employees had access to the data in question. They could have easily been denied access if that were the intent.

      Try reading the article next time.

      --
      "I assumed blithely that there were no elves out there in the darkness"
    11. Re:Good news everyone... by Anonymous Coward · · Score: 0

      no, it just says that you cannot call it 'exceeds authorized access' if the company gave them acess.
      just like there is a difference between walking through an open door and stealing stuff, and breaking through a door and stealing the same stuff

    12. Re:Good news everyone... by Anonymous Coward · · Score: 0

      Not really. The law is about hacking into systems that you don't have access to, not about misusing data you ARE granted access to.

      A real world example would be if you did something like yelled at the boss, that would cause you to be fired, and they tried to charge you with B&E because you were now "illegally" in the building.. But they haven't actually walked you out of the office and taken you key yet.

    13. Re:Good news everyone... by realxmp · · Score: 2

      Your employees can attack from within with impunity.

      Not so, and I think you'll probably admit that particular statement a lil bit of FUD really. What this ruling does is prevents you from charging people with a statute meant for hacking when you should be charging them with statutes related to trade secret infringement (and probably suing them too).

      Unfortunately the way most systems are designed security is an afterthought, once you're past the gates, there's no limits on the number of records you can download etc. If an employee's access rights to your system allow them to access data and whether or not they are allowed to access that data is dependant on company policy and what they intend to do with it then CFAA isn't really the proper law to apply. Instead you should be charging them with stealing your trade secrets and if appropriate industrial espionage, etc. Those crimes carry more than enough punishment without the need to scream OMGHAX!!!

    14. Re:Good news everyone... by oh_my_080980980 · · Score: 1

      RTFA. Yes it applies here. He had authorized access. He could not be charged to have "unauthorized access." He had proper access to private information. What he did not have was permission to take private information to a new employer, that's what mail fraud and trade secret theft are for.

      Think.

    15. Re:Good news everyone... by nedlohs · · Score: 2

      Please explain how your interpretation meshes with the statement (in the summary even):

      The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system.

      All it is saying is that if you do have authorized access to something, then misusing that something isn't an offence under the CFAA.

      So there's is no "attack from within with impunity". If an employee doesn';t have authorized access to something that they access it still applies after all.

      The case itself is a perfect example so I see no point in trying to provide one.

    16. Re:Good news everyone... by laffer1 · · Score: 4, Insightful

      I'm not sure that's what it means. My interpretation is that an employee who normally has access to data, can access it without being charged. They tried to claim they hacked into something they had access it. The crime (if any) is what they did with the data. It's certainly copyright infringement and that would have civil implications.

      The judge smacked down the common practice of using "hacker" laws against people who happened to use a computer during the course of something else within a narrow window of having authorized access to the resource. This judge had common sense.

      --
      MidnightBSD: The BSD for Everyone
    17. Re:Good news everyone... by alen · · Score: 1

      no, it just means it's not a criminal offense when employees take data with them. sales people have been doing this for decades. companies have had data security policies before computers and this is no different

    18. Re:Good news everyone... by KGIII · · Score: 1

      Umm... Even if the door is unlocked and open it is still burglary. Many states have revised the statutes as far as I know. I'd guess due to the confusion - people didn't get this, they've renamed them. Even before this, breaking and entering referred to breaking the plain and not to the act of breaking anything to enter. The burglar broke the plain and then entered and, as far as I know, had intent to deprive the owner of property. Your own statutes may be different so I'm going to have to ask for a citation because, well, I checked my own state's laws and they confirm what I'd been told.

      --
      "So long and thanks for all the fish."
    19. Re:Good news everyone... by Hognoxious · · Score: 0

      "The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all"

      Read.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    20. Re:Good news everyone... by KGIII · · Score: 1

      Perhaps they think that access to the supply closet means that they can take all the batteries and pencils they want? ;)

      --
      "So long and thanks for all the fish."
    21. Re:Good news everyone... by AngryDeuce · · Score: 4, Insightful

      Either they have legitimate access to the data or they don't. How can someone be charged with breaking in to a system that they are openly given access to as a part of their employment?

      Everything else is beside the point. You can't invite someone into your home and then turn around and claim they broke in, which is exactly what these guys were alleging. Nobody is saying they're not guilty of a crime, they're just saying they're not guilty of this crime.

      Your employees can attack from within with impunity.

      If you fear and distrust your employees this much, why the fuck do you keep them on the payroll? Just another asshole that sees their employees as a liability despite the fact that you're making money off of their productivity day after fucking day. You guys need a reality check.

    22. Re:Good news everyone... by Anonymous Coward · · Score: 0

      Good news everyone...

      "...You'll be delivering a package to Chapek 9, a world where humans are killed on sight!"

      With all these "Re:Good news everyone"'s, I couldn't help reading all the comments in Farnsworth's voice. :D

    23. Re:Good news everyone... by sirlark · · Score: 4, Insightful

      The ruling is equivalent to "if you have a logon, you should have root".

      No it isn't. It's a point of law, and a good one! From TFA

      In a 22-page ruling, the appellate court held that an employee with valid access to corporate data cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA) if they then misuse or misappropriate the data.

      "The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski wrote in the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote.

      These guys had authority to access the data as part of their daily job. They may have stolen the data, i.e. removed copies illegally from the company network, but in doing so they did not exceed their access rights. They might be guilty of violating their contracts, corporate espionage, or a whole host of other things, but not 'hacking'. This judge made the right call, the prosecutor screwed up by laying the wrong charges.

    24. Re:Good news everyone... by David+Chappell · · Score: 5, Informative

      no, it just means it's not a criminal offense when employees take data with them. sales people have been doing this for decades. companies have had data security policies before computers and this is no different

      It could still be an offense under a different law. The judge here is making a distinction between exceeding unauthorized access and abusing authorized access. An example: If I pick the lock on a filing cabinet in the boss's office and photocopy the trade secret documents inside and give them to a competitor I have exceeded authorized access. On the other hand if I use my key to open a filing cabinet in my own office and photocopy the same documents and give them to a competitor, I have abused (but not exceeded) my authorized access.

      In both cases multiple offenses are committed. But there is one more offense in the first scenario than in the second.

      This is not hair splitting. Without this distinction any misconduct by persons with authorized access makes their access unauthorized. This could have very surprising consequences. In one recent case a prosecutor argued that a user who violated the terms of use of a web site had obtained 'unauthorized access' because she had used the site in an 'unauthorized manner'. If we were to access this theory, then web site operators and employers could in effect write their own laws and get people sent to jail for violating them.

    25. Re:Good news everyone... by David+Chappell · · Score: 3, Insightful

      Perhaps somewhere there are. But not here.

      The ruling is equivalent to "if you have a logon, you should have root".

      I think you may have misread the summary. I know I did the first time. But on closer reading it actually suggests that using tricks to obtain a higher level of access is indeed a case of exceeding authorized access.

      This question came up because some prosecutors have been confusing (perhaps deliberately) the ideas of exceeding authorized access and exceeding authorized authority. The first is the breaking of locks. The second is the disobeying of rules.

    26. Re:Good news everyone... by Anonymous Coward · · Score: 0

      Perhaps somewhere there are. But not here.

      The ruling is equivalent to "if you have a logon, you should have root".

      Are you serious in your interpretation of the ruling? Gawd, your employer must be proud of you. Idiot!

    27. Re:Good news everyone... by Anonymous Coward · · Score: 0

      Your employees can attack from within with impunity.

      Are things really that bad? Do you have to assume the employees are antagonistic to their employers by default?

      Apparently, the person to whom you were replying is in management if he/she holds such a view.

    28. Re:Good news everyone... by Opportunist · · Score: 2

      The point is that the CFAA applies to cases where someone had no right to access the data in question at any point in history. I.e. privilege escalation, password stealing or the like.

      The people in question did have legal access to the data in the past. Any other ruling would have meant that anyone who ever had access to any kind of non-public data but does not anymore is open to a law suit.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    29. Re:Good news everyone... by Anonymous Coward · · Score: 0

      Obviously, they were not supposed to use that access to steal the data, but doing so is not "exceeding authorized access" it's simply theft.

      No, it's corporate espionage. The data was still there.

    30. Re:Good news everyone... by Opportunist · · Score: 1

      How do you get that idea from the ruling?

      It simply means that some employees will have access to sensitive data and this right to access that data has to be granted to them for obvious reasons so they can do their job. A salesperson must have access to your cost price. Your accountant has to have access to your financial status. Both key sensitive informations for most companies out there, the publication of either could or maybe even certainly would cause damage to the company. So these people have access to this information.

      In a nutshell, if your warehouse worker hacks the accountant's password gets access to your financial data and sells it to the next tabloid, you can charge him under the CFAA. If your accountant does, you cannot, because he had legal access to that data. You can of course sue him for propagation of trade secrets and for the damages that incurred, but it is NOT a computer fraud crime.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    31. Re:Good news everyone... by txsable · · Score: 1

      It's certainly copyright infringement and that would have civil implications.

      Where in the world did you get copyright infringement out of this story? and yes, i did RTFA. There is no mention of copyright at all. It may have been a violation of some "trade secret" law, but certainly not any copyright laws.

    32. Re:Good news everyone... by kilfarsnar · · Score: 1

      Perhaps somewhere there are. But not here.

      The ruling is equivalent to "if you have a logon, you should have root".

      Not really. The question is whether the employees exceeded their authorized access. Since they just logged in under their user ID's and downloaded data they had access to, they clearly did not exceed their authorized access. They exceeded their authorization to share those data, but that is a separate issue from whether they exceeded their authorized access on the system.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    33. Re:Good news everyone... by Nadaka · · Score: 1

      No.

      Its more like, if I give you a key to my house and safe and tell you "only put stuff in the safe, not take it out", It isn't a considered breaking and entering if you use those keys to open the safe and take stuff out. It would just be theft.

    34. Re:Good news everyone... by Opportunist · · Score: 2

      They cannot, for the same reason the accountant can't simply withdraw cash from the company's account with impunity just 'cause he has the credit card for it.

      Companies bestow power upon you and entrust you with information so you can do your job. It's my job to keep my company's IT systems secure. Of course I know about every single problem these babies might have, and abusing a flaw in the tiny time frame between me learning about it and our programmers fixing it would be very trivial to me (for obvious reasons). Considering the market we're in, this information could easily sell well.

      Selling this information would still not constitute a crime addressed by the CFAA. I did not hack anything, nor escalate any privileges or peeked where I shouldn't peek to access this information. I got this information "legally". It's part of my job to have this information. That does NOT mean that I can distribute it with impunity! I would of course be liable for any damages the occur because of my selling it.

      It is simply a different crime. By no means any less less illegal, if anything, more morally wrong, at least in my books betraying trust trumps hacking computers on my moral ladder of evilness, but it is NOT a computer fraud issue.

      The verdict is solid and sound, and I'm glad a judge understands the difference between abusing information entrusted to you and gaining illegal access to information.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    35. Re:Good news everyone... by Opportunist · · Score: 1

      Pretty much dead on. I used a lot more words but I enjoy your terse explanation.

      Seems someone tried to twist it into a criminal case to cut corners.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    36. Re:Good news everyone... by kilfarsnar · · Score: 1

      Not really, because it junks the entire concept of limited authorisation within a corporation - if 'exceeds authorized access' doesn't apply when your authorisation is limited just because you are a legitimate employee of that company, then a significant portion of the point of limited authorisation is thrown out.

      How do you figure? Does this ruling somehow get rid of access control lists?

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    37. Re:Good news everyone... by ChikMag777 · · Score: 1

      A database download is not theft. The company still has the information in their database. It's more akin to copyright infringement, though I doubt you can copyright a client list.

    38. Re:Good news everyone... by anyGould · · Score: 1

      Perhaps somewhere there are. But not here.

      The ruling is equivalent to "if you have a logon, you should have root".

      Not really - it's saying that if they can log in (using the credentials you provided them), and can access a file that your security gives them read permissions to, they haven't "exceeded their authorized access". If they copy the data and sell it, they might still guilty of other crimes, but hacking isn't one of them.

      This is really common sense at the heart of it - a recognition that you can't give someone permission, then revoke it after-the-fact and call it hacking.

    39. Re:Good news everyone... by iPaul · · Score: 1

      Were you the only person who got the reference to impending doom?

      --
      Leave the gun, take the cannoli -- Clemenza, The Godfather
    40. Re:Good news everyone... by SockPuppetOfTheWeek · · Score: 1

      No, YOU read:

      "The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system"

      If you have access to the system, but do not have root access, and you find a way to hack the system to give yourself root access, then you had legitimate access to the system but not access to root information or files, so you "exceeded authorized access". That is obvious enough.

      However, if you have access to the system, but do not have root access, and you download information under your ASSIGNED login and with its permissions, you WERE authorized to access the information. If you then do something with that information that you weren't authorized to do with the information, that does not change the fact that you were authorized to access it.

    41. Re:Good news everyone... by Anonymous Coward · · Score: 0

      What (criminal) offenses occurred in the second case? Photocopying without a license?

      Breaking a contractual agreement (i.e. an NDA) is not a criminal offense, is it?

    42. Re:Good news everyone... by snowgirl · · Score: 1

      Indeed... reading the summary, it came across as the reason embezzlement was created in common law. A bank teller took money that was willfully given to him in trust, and pocketed it rather than deposit it in their account. He was charged with theft, but successfully argued that since he was given the money willfully, there was no theft involved. Embezzlement was then invented to close the loophole, and defined as misuse of funds given willfully in trust.

      In the same way, the defendants in this case had authorized access to the data that they stole... and that's what the CFAA turns upon. It is necessary that they exceed their authorization to obtain the data in order to be covered by the CFAA, but they did not exceed their authorization... they just abused their authorization. Which is not explicitly covered by the CFAA, and thus not covered.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    43. Re:Good news everyone... by sjames · · Score: 1

      No, it just insists that employees that do something improper with data they DO have authorization to access be charged with what they actually did.

    44. Re:Good news everyone... by andymadigan · · Score: 1

      The only difference is that classification of documents by the federal government is backed by federal criminal law.

      By stealing this information the two individuals did in fact give access to other people: those at their new company. They did transfer the information from protected computers to unprotected computers. Under criminal law this is not considered equivalent to what Manning did, but effectively only because the latter was done against the government rather than a business.

      --
      The right to protest the State is more sacred than the State.
  4. sweeping Internet-policing mandate by Anonymous Coward · · Score: 0

    I thought that's why the government passed the law, to have a sweeping internet-policing mandate!

  5. CFAA does not apply to use by Anonymous Coward · · Score: 1

    So the court says that the CFAA is not written to encompass unauthorized use, merely unauthorized access. They explicitly say that Congress should modify the statute if they want it to cover use.

    It was asked earlier what has happened to the other, non-CFAA counts. It doesn't look like those have gone forward yet, but the 9th Cir. says that the government is free to prosecute on those counts.

    For anyone that cares, the case can be found at 2012 WL 1176119.

  6. Did they already have access to the files? by Anonymous Coward · · Score: 0

    If so, they were legitimate users of the information, and didn't exceed their authority....except that they kept it when they left. That's more of an internal procedural problem.

  7. redux by Anonymous Coward · · Score: 0

    Old news wasn't this already covered a week or so ago here?

    In either case it's a good ruling in the limited scope in which it applies, folks in most of these cases though are still likely and rightfully so criminally libel under other statutes both fed and state, not to mention in civil court.

  8. Summary should say "infringed confidential data" by Anonymous Coward · · Score: 5, Funny

    If there's one thing I learned from Slashdot, it's that data cannot be stolen.

    Only physical goods that can be manufactured (usually more cheaply in the Far East or Latin America than in the US) can be stolen.

  9. Warning: tracker heavy link by Anonymous Coward · · Score: 0

    Be careful with that link, best hit it in privacy mode. I have never seen such a long list of trackers on a single webpage - Ghostery must have nearly crashed processing it all.. Seems to be a "feature" of that site. :(

  10. Should have kept parallel records by Anonymous Coward · · Score: 0

    rather than copying the data before he left.

  11. So Bradley Manning... by Anonymous Coward · · Score: 0

    ... hasn't committed any wrongdoings at all in the view of US law? He only downloaded data he had access to.

    Okay, then gave it to somebody who didn't have military confidential clearance.

    If we impose that he has done it all.

    1. Re:So Bradley Manning... by geoffrobinson · · Score: 1

      He didn't violate the CFAA. I'm sure he violated a ton of other laws.

      --
      Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
  12. The flip side of the DMCA by Anonymous Coward · · Score: 2, Insightful

    What's interesting about this ruling is that it's interpreting the CFAA in a manner that's similar to how the DMCA has been interpreted for years: The use of a computer to circumvent restrictions is separate from improper use of the material obtained via circumvention. The difference is that the DMCA is being used to make it illegal to access material which can then be used in a legal manner (i.e., Fair Use). Here, the court is saying that the CFAA says only that it's illegal to access the material if you're circumventing access controls, and that even if you use the material illegally you're not violating the CFAA if you didn't have to circumvent access to get it.

    For what it's worth, I think that this ruling gets it 100% correct. There are already laws in place governing the improper appropriation/use of information regardless of how it was obtained. Why should it be more improper if it was obtained using your computer to get it from the company's servers than if you walked into the file room and copied some files? At the rate computer (mis)use is being criminalized, pretty soon everyone in the US will be a criminal by default, as there won't be anything that can be done without violating some rule or another, not matter how innocuous. Mistype your password? Oops, that's illegally attempting to access a computer, better throw you in jail to be safe...

    1. Re:The flip side of the DMCA by DutchUncle · · Score: 1

      Most espionage cases involve someone with access (clearance, passwords, keys, etc.) getting information and passing it outside of the security perimeter. The access was legal, the passing was not. This case sounds exactly the same, and looking it up on the computer today should be no different from pulling it out of the file cabinet years ago (cue B&W film image of spy snapping pictures with Minox).

  13. Finding is wrong... by Bryan-10021 · · Score: 0

    In a dissenting opinion, Circuit Judges Barry Silverman and Richard Tallman wrote that the majority had taken a clearly written federal statute and parsed it in a manner that distorts the original intent.

    "This is not an esoteric concept," Silverman wrote. "A bank teller is entitled to access a bank's money for legitimate banking purposes, but not to take the bank's money for himself." Similarly, while a new car buyer might be entitled to test drive a new car, he would "exceed his authority" to take the car to Mexico. "No other circuit that has considered this statute finds the problems that the majority does," he wrote.

    The last two paragraphs of the article clearly explains why the court's finding is wrong ("What, you want me to read the article before commenting?!")

    1. Re:Finding is wrong... by Mabhatter · · Score: 2

      The judge compared this more to giving somebody the key to your house. If I give you the key to my house, and find out you were taking pictures of yourself in my underwear and posting them all over the police are not going to charge you with B&E or Home invasion... Because you didn't ILLEGALLY break in... You had a key. You don't get to RETROACTIVELY call B&E when they left a mess on your kitchen or something that upsets you later.

      In the same way, taking a car that you were allowed to drive is still stealing the car, but it's not carjacking or B&E because they GAVE you the key. It's still breaking "A" law, but it's your word against theirs for your "level of access" to the car... You didn't "rob" them of the car... Robbery is very specific.

      The judge is also pointing out that authorized people borrow computers from coworkers and share passwords with other authorized people all the time... The law has to be applied uniformly, fairly, and predictably... Not IGNORED until the boss finds something else you did wrong.

    2. Re:Finding is wrong... by Impy+the+Impiuos+Imp · · Score: 1

      Nobody says what they did isn't illegal (presumably, under other laws).

      They're saying it's like having a law making it illegal for someone off the street to walk into a bank vault and take money, then trying to charge the teller under that same law even thoug she has legitimate access.

      It wasn't the taking, but the taking when you don't have access. The law is poorly written and was rejected. Good.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    3. Re:Finding is wrong... by Americano · · Score: 3, Insightful

      No, the last two paragraphs of the article clearly explain why Judges Silverman and Tallman disagree with the majority ruling.

      It's funny that you seem to have overlooked the third-to-last paragraph, where the Judge Kozinski offered this: "Basing criminal liability on violations of private computer use polices can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," he said. "Employees who call family members from their work phones will become criminals if they send an email instead."

      What the minority opinion is saying - and you seem to be agreeing with - is that corporate Acceptable Use Policies should be given the weight of Federal criminal statute. If the corporate AUP says "You may not use work email for personal use," the scenario above would create a whole new class of *criminals* - not just an HR issue. There are already laws against misuse / misappropriation of confidential data.

    4. Re:Finding is wrong... by Anonymous Coward · · Score: 0

      If were illegal to break a corporate AUP I'd have multiple life sentences. Thank god we have some judges with sense.

    5. Re:Finding is wrong... by pnutjam · · Score: 1

      So this would be "conversion" rather then "theft".

      --
      Cheap storage VM.
    6. Re:Finding is wrong... by SockPuppetOfTheWeek · · Score: 1

      No, it is not wrong, and Silverman's analogy is dissimilar. And stupid.

      Information is not money. Information is not similar to money. Information is not similar to a car, either.

      It's more like, you have permission to test drive a new car, but you would "exceed your authority" by opening the glove compartment and finding the dealership's master sales plan carelessly left there. No, that's not right. In no way would you be "exceeding your authority" by opening the glove compartment, or by finding it.

      You would be breaking the law if you copied that information and contacted the dealership's competition with an offer to sell it to them. But you would not be breaking the law by accessing the information, nor would you be overstepping your authority.

    7. Re:Finding is wrong... by NemoinSpace · · Score: 1

      Once again, if the legislature doesn't want their intent to misinterpreted, they should write the law the way they intended.
      The fact that the 9th circuit has again, applied the law rather than legislate from the bench is to me, the only thing startling.

  14. Re:Summary should say "infringed confidential data by Overzeetop · · Score: 1

    Of course data "can" be stolen. You make a copy on your system and delete it from the original and all backups. But nobody actually does this.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  15. Re:Summary should say "infringed confidential data by Anonymous Coward · · Score: 0

    I was going to post the same thing. The defendants in this case didn't steal anything, because they didn't remove anyone from having access to it. They made copies of it, which may lead be copyright infringement, unauthorized distribution of trade secrets, or used for extortion. It is not, however, stealing.

  16. Re:Summary should say "infringed confidential data by Anonymous Coward · · Score: 0

    except that is still *not* stealing.
    If i photocopy a document and then destroy the original I have not stolen the original, I have copy of the original and the original no longer exists.

  17. define the crime better by Anonymous Coward · · Score: 0

    data privacy not data security.. obvious distinction... shame you have no data privacy laws in america

  18. "no-harm-no-foul" by John+Hasler · · Score: 1

    Wrong. The court did not say that there was no harm nor that there was no crime: just that there was no CFAA violation. This is a reasonable and proper decision.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:"no-harm-no-foul" by Todd+Knarr · · Score: 1

      Exactly. If I'm employed at a warehouse and while on shift I'm quietly slipping boxes of goods to my friend Fred out the side door, I can't be charged with breaking-and-entering merely because the company didn't authorize me to steal stuff from them. I can still be charged with theft, because I did steal stuff from them, but that has to do with what I did while I was there not whether I was authorized to be there.

  19. Pirates by Anonymous Coward · · Score: 0

    Damn Pirates

  20. B&E+theft VS theft by phorm · · Score: 1

    Physically, it seems that there are some parallels between breaking+entering and theft.
    Similar to your file-cabinet example, if Bob the janitor has a key to the office for cleaning purposes, but uses it to rifle through the boss's drawers and steal stuff, then it's theft, but not B&E.
    If Bob doesn't have key to an office or secure area, but he picks the lock then steals stuff, it's B&E+theft.

    In this case, nobody broke in. Bob had a computer account with legitimate access which he logged in with, so there's no B&E (hacking).
    Theft of trade secrets, industrial espionage, or other such things may apply though.

  21. prain Engrish ? by Anonymous Coward · · Score: 0

    They are to bling theil ovelpliced olanges for sair to the suplemium appre coult?

  22. Re:Summary should say "infringed confidential data by Anonymous Coward · · Score: 0

    Or you can take the hard drive or other device on which said original is stored.

  23. Sense of ownership... by Anonymous Coward · · Score: 0

    When you spend three years of your life entering data into a corporate database and using it to manage the relationship with the companys' clients for which you have a responsibility you develop a sense of ownership. Before you leave I can understand wanting to have a copy. Solicitors actively develop a 'following' and take that with them to their next employer. Without it they would be unemployable.

  24. Re:Summary should say "infringed confidential data by mounthood · · Score: 1

    If there's one thing I learned from Slashdot, it's that data cannot be stolen.

    Only physical goods that can be manufactured (usually more cheaply in the Far East or Latin America than in the US) can be stolen.

    Also, Data is an active agent, struggling for it's own freedom. It may manipulate people or try to get itself marked executable to achieve freedom. That's why we need to fight against DEP -- it's just unfair to the data.

    --
    tomorrow who's gonna fuss
  25. different situation by Chirs · · Score: 1

    If the solicitor is basically employed as an independent contractor, then they legitimately take their information with them when they leave.

    In this case the database belonged to the company, NOT to the person managing it.

  26. Re:Summary should say "infringed confidential data by Fned · · Score: 1

    If there's one thing I learned from Slashdot, it's that data cannot be stolen.

    This is correct. However, private data can be illegally accessed.

  27. Re:Summary should say "infringed confidential data by Anonymous Coward · · Score: 0

    Then you're stealing the hard drive that holds certain data... there are still backups, records, raw data, etc.

  28. Re:Summary should say "infringed confidential data by Overzeetop · · Score: 1

    You're conflating hard goods with digital goods.

    Theft is the unlawful transferring of an asset between two parties - it requires a taking, a possession, and a deprivation. In the case of information, there is no "original," merely copies or instances, all identical. By removing the instance from one party and depositing it into the control of a second party, against the first party's will, theft has occurred.

    It's a necessary distinction only because in nearly all cases (such as this one) that is not what happens.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  29. Problem: They weren't charged with stealing data by Narrowband · · Score: 1

    This seems to be the heart of a lot of the confusion in this thread. Basically, whether or not they stole data (or whether it's possible to steal data) isn't relevant, because that isn't the crime they were charged with.

    What they WERE charged with was trying to get system access they weren't authorized for, which they didn't do; they just logged in and took what was within the purview of their own authorized account access. That's what the judge pointed out.

    Whether they're guilty of some other crime or not remains to be seen. But the judge is saying you can't charge someone with a random crime that sounds related, you have to charge them with whatever crime they committed, if you want it to stick. Just because a computer was involved doesn't make it hacking. It's like someone used a crane to drop a car on top of something to destroy it, and the person responsible got charged with wreckless driving.