Court Rules Workers Did Not Overstep On Stealing Data
MikeatWired writes "In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit has ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it. The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court. The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all, the judge wrote. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system Applying the language in the CFAA any other way would turn it into a 'sweeping Internet-policing mandate,' he wrote."
That doesn't mean they can't be charged under other statutes.
No, that's not what it says at all. This ruling is saying that the CFAA applies to only to people using technological means to circumvent their restrictions, not people misusing the the access they do have. In this case, the users had legitimate credentials to the database. Obviously, they were not supposed to use that access to steal the data, but doing so is not "exceeding authorized access" it's simply theft. This is common sense. For a non computer analogy, at my old job I had a key to the storeroom. If I were to use that key to open the store room and steal a bunch of shit, I would not be charged with breaking and entering. That's not to say I won't be charged with a crime (and the accused in TFA were charged with other crimes), it just means I did not violate that specific law. The CFAA was created to prosecute hackers, it should not be used against anyone who does something on a computer that the owner of that computer doesn't like. This ruling is a good thing.
I'm not sure that's what it means. My interpretation is that an employee who normally has access to data, can access it without being charged. They tried to claim they hacked into something they had access it. The crime (if any) is what they did with the data. It's certainly copyright infringement and that would have civil implications.
The judge smacked down the common practice of using "hacker" laws against people who happened to use a computer during the course of something else within a narrow window of having authorized access to the resource. This judge had common sense.
MidnightBSD: The BSD for Everyone
Either they have legitimate access to the data or they don't. How can someone be charged with breaking in to a system that they are openly given access to as a part of their employment?
Everything else is beside the point. You can't invite someone into your home and then turn around and claim they broke in, which is exactly what these guys were alleging. Nobody is saying they're not guilty of a crime, they're just saying they're not guilty of this crime.
Your employees can attack from within with impunity.
If you fear and distrust your employees this much, why the fuck do you keep them on the payroll? Just another asshole that sees their employees as a liability despite the fact that you're making money off of their productivity day after fucking day. You guys need a reality check.
The ruling is equivalent to "if you have a logon, you should have root".
No it isn't. It's a point of law, and a good one! From TFA
In a 22-page ruling, the appellate court held that an employee with valid access to corporate data cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA) if they then misuse or misappropriate the data.
"The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski wrote in the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote.
These guys had authority to access the data as part of their daily job. They may have stolen the data, i.e. removed copies illegally from the company network, but in doing so they did not exceed their access rights. They might be guilty of violating their contracts, corporate espionage, or a whole host of other things, but not 'hacking'. This judge made the right call, the prosecutor screwed up by laying the wrong charges.