Slashdot Mirror


Court Rules Workers Did Not Overstep On Stealing Data

MikeatWired writes "In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit has ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it. The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court. The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all, the judge wrote. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system. Applying the language in the CFAA any other way would turn it into a 'sweeping Internet-policing mandate,' he wrote."

22 of 88 comments

  1. Not guilty under CFAA only by schwit1 · Score: 4, Insightful

    That doesn't mean they can't be charged under other statutes.

    1. Re:Not guilty under CFAA only by oh_my_080980980 · Score: 2

      THANK YOU!

      The judge was quite clear why "violations of the CFAA" was not appropriate. Christ, he was indicted on 20 counts, including mail fraud and trade secret theft. They have plenty of other indictments to work from.

    2. Re:Not guilty under CFAA only by ocdscouter · Score: 2

      >Christ, he was indicted on 20 counts, including mail fraud and trade secret theft. They have plenty of other indictments to work from.

      Counts that they wouldn't have to spend nearly as much effort on, to boot.

      I had the experience of being on a jury for a similar case in the Silicon Valley area a couple years ago. I'd have to say that the whole "e-mailing rather sensitive documents to yourself on the way out *and* using it in a competing startup" approach seems to be a foolproof way to get yourself found liable for little things like misappropriation of trade secrets.

  2. Good news everyone... by iPaul · Score: 4, Funny

    There are some judges who have a clue.

    --
    Leave the gun, take the cannoli -- Clemenza, The Godfather

    1. Re:Good news everyone... by Anonymous Coward · Score: 5, Insightful

      No, that's not what it says at all. This ruling is saying that the CFAA applies only to people using technological means to circumvent their restrictions, not people misusing the access they do have. In this case, the users had legitimate credentials to the database. Obviously, they were not supposed to use that access to steal the data, but doing so is not "exceeding authorized access"; it's simply theft. This is common sense. For a non-computer analogy, at my old job I had a key to the storeroom. If I were to use that key to open the store room and steal a bunch of shit, I would not be charged with breaking and entering. That's not to say I won't be charged with a crime (and the accused in TFA were charged with other crimes), it just means I did not violate that specific law. The CFAA was created to prosecute hackers; it should not be used against anyone who does something on a computer that the owner of that computer doesn't like. This ruling is a good thing.

    2. Re:Good news everyone... by Anonymous Coward · Score: 3, Interesting

      >The ruling is equivalent to "if you have a logon, you should have root".

      Except that the defendants were authorised to access the data in question. The alternative is to allow the company to retroactively deny authorisation, which opens up the CFAA to criminalise any data access at all.

    3. Re:Good news everyone... by will_die · Score: 2

      No it cannot.
      First, Manning is not being charged under this law.
      Second, the charges he is being accused of include moving classified material to unclassified servers, giving material to people not authorized, and others like that. He was not authorized to downgrade material, nor was he authorized to authorize people to be able to view the information.

    4. Re:Good news everyone... by AngryDeuce · Score: 3, Insightful

      Mod parent up!

      These guys didn't "hack" shit...and a ruling allowing the CFAA to be applied here would have set an awful, awful precedent.

    5. Re:Good news everyone... by benjamindees · Score: 4, Informative

      The ruling is equivalent to "if you have a logon, you should have root".

      The employees had access to the data in question. They could have easily been denied access if that were the intent.

      Try reading the article next time.

      --
      "I assumed blithely that there were no elves out there in the darkness"

    6. Re:Good news everyone... by realxmp · Score: 2

      >Your employees can attack from within with impunity.

      Not so, and I think you'll probably admit that particular statement is a lil bit of FUD really. What this ruling does is prevent you from charging people with a statute meant for hacking when you should be charging them with statutes related to trade secret infringement (and probably suing them too).

      Unfortunately, the way most systems are designed, security is an afterthought: once you're past the gates, there are no limits on the number of records you can download, etc. If an employee's access rights to your system allow them to access data, and whether or not they are allowed to access that data is dependent on company policy and what they intend to do with it, then the CFAA isn't really the proper law to apply. Instead you should be charging them with stealing your trade secrets and, if appropriate, industrial espionage, etc. Those crimes carry more than enough punishment without the need to scream OMGHAX!!!

    7. Re:Good news everyone... by nedlohs · Score: 2

      Please explain how your interpretation meshes with the statement (in the summary even):

      >The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system.

      All it is saying is that if you do have authorized access to something, then misusing that something isn't an offence under the CFAA.

      So there is no "attack from within with impunity". If an employee doesn't have authorized access to something that they access, it still applies after all.

      The case itself is a perfect example so I see no point in trying to provide one.

    8. Re:Good news everyone... by laffer1 · Score: 4, Insightful

      I'm not sure that's what it means. My interpretation is that an employee who normally has access to data can access it without being charged. They tried to claim they hacked into something they had access to. The crime (if any) is what they did with the data. It's certainly copyright infringement and that would have civil implications.

      The judge smacked down the common practice of using "hacker" laws against people who happened to use a computer during the course of something else within a narrow window of having authorized access to the resource. This judge had common sense.

    9. Re:Good news everyone... by AngryDeuce · Score: 4, Insightful

      Either they have legitimate access to the data or they don't. How can someone be charged with breaking into a system that they are openly given access to as a part of their employment?

      Everything else is beside the point. You can't invite someone into your home and then turn around and claim they broke in, which is exactly what these guys were alleging. Nobody is saying they're not guilty of a crime, they're just saying they're not guilty of this crime.

      >Your employees can attack from within with impunity.

      If you fear and distrust your employees this much, why the fuck do you keep them on the payroll? Just another asshole that sees their employees as a liability despite the fact that you're making money off of their productivity day after fucking day. You guys need a reality check.

    10. Re:Good news everyone... by sirlark · Score: 4, Insightful

      >The ruling is equivalent to "if you have a logon, you should have root".

      No it isn't. It's a point of law, and a good one! From TFA:

      >In a 22-page ruling, the appellate court held that an employee with valid access to corporate data cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA) if they then misuse or misappropriate the data.

      >"The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski wrote in the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote.

      These guys had authority to access the data as part of their daily job. They may have stolen the data, i.e. removed copies illegally from the company network, but in doing so they did not exceed their access rights. They might be guilty of violating their contracts, corporate espionage, or a whole host of other things, but not 'hacking'. This judge made the right call, the prosecutor screwed up by laying the wrong charges.

    11. Re:Good news everyone... by David+Chappell · Score: 5, Informative

      >No, it just means it's not a criminal offense when employees take data with them. Sales people have been doing this for decades. Companies have had data security policies before computers and this is no different.

      It could still be an offense under a different law. The judge here is making a distinction between exceeding authorized access and abusing authorized access. An example: If I pick the lock on a filing cabinet in the boss's office and photocopy the trade secret documents inside and give them to a competitor, I have exceeded authorized access. On the other hand, if I use my key to open a filing cabinet in my own office and photocopy the same documents and give them to a competitor, I have abused (but not exceeded) my authorized access.

      In both cases multiple offenses are committed. But there is one more offense in the first scenario than in the second.

      This is not hair splitting. Without this distinction any misconduct by persons with authorized access makes their access unauthorized. This could have very surprising consequences. In one recent case a prosecutor argued that a user who violated the terms of use of a web site had obtained 'unauthorized access' because she had used the site in an 'unauthorized manner'. If we were to accept this theory, then web site operators and employers could in effect write their own laws and get people sent to jail for violating them.

    12. Re:Good news everyone... by David+Chappell · Score: 3, Insightful

      Perhaps somewhere there are. But not here.

      >The ruling is equivalent to "if you have a logon, you should have root".

      I think you may have misread the summary. I know I did the first time. But on closer reading it actually suggests that using tricks to obtain a higher level of access is indeed a case of exceeding authorized access.

      This question came up because some prosecutors have been confusing (perhaps deliberately) the ideas of exceeding authorized access and exceeding authorized authority. The first is the breaking of locks. The second is the disobeying of rules.

    13. Re:Good news everyone... by Opportunist · Score: 2

      The point is that the CFAA applies to cases where someone had no right to access the data in question at any point in history. I.e. privilege escalation, password stealing or the like.

      The people in question did have legal access to the data in the past. Any other ruling would have meant that anyone who ever had access to any kind of non-public data but does not anymore is open to a lawsuit.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    14. Re:Good news everyone... by Opportunist · Score: 2

      They cannot, for the same reason the accountant can't simply withdraw cash from the company's account with impunity just 'cause he has the credit card for it.

      Companies bestow power upon you and entrust you with information so you can do your job. It's my job to keep my company's IT systems secure. Of course I know about every single problem these babies might have, and abusing a flaw in the tiny time frame between me learning about it and our programmers fixing it would be very trivial to me (for obvious reasons). Considering the market we're in, this information could easily sell well.

      Selling this information would still not constitute a crime addressed by the CFAA. I did not hack anything, nor escalated any privileges or peeked where I shouldn't peek to access this information. I got this information "legally". It's part of my job to have this information. That does NOT mean that I can distribute it with impunity! I would of course be liable for any damages that occur because of my selling it.

      It is simply a different crime. By no means any less illegal; if anything, more morally wrong (at least in my books, betraying trust trumps hacking computers on my moral ladder of evilness), but it is NOT a computer fraud issue.

      The verdict is solid and sound, and I'm glad a judge understands the difference between abusing information entrusted to you and gaining illegal access to information.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  3. Summary should say "infringed confidential data" by Anonymous Coward · Score: 5, Funny

    If there's one thing I learned from Slashdot, it's that data cannot be stolen.

    Only physical goods that can be manufactured (usually more cheaply in the Far East or Latin America than in the US) can be stolen.

  4. The flip side of the DMCA by Anonymous Coward · Score: 2, Insightful

    What's interesting about this ruling is that it's interpreting the CFAA in a manner that's similar to how the DMCA has been interpreted for years: The use of a computer to circumvent restrictions is separate from improper use of the material obtained via circumvention. The difference is that the DMCA is being used to make it illegal to access material which can then be used in a legal manner (i.e., Fair Use). Here, the court is saying that the CFAA says only that it's illegal to access the material if you're circumventing access controls, and that even if you use the material illegally you're not violating the CFAA if you didn't have to circumvent access to get it.

    For what it's worth, I think that this ruling gets it 100% correct. There are already laws in place governing the improper appropriation/use of information regardless of how it was obtained. Why should it be more improper if it was obtained using your computer to get it from the company's servers than if you walked into the file room and copied some files? At the rate computer (mis)use is being criminalized, pretty soon everyone in the US will be a criminal by default, as there won't be anything that can be done without violating some rule or another, no matter how innocuous. Mistype your password? Oops, that's illegally attempting to access a computer, better throw you in jail to be safe...

  5. Re:Finding is wrong... by Mabhatter · Score: 2

    The judge compared this more to giving somebody the key to your house. If I give you the key to my house, and find out you were taking pictures of yourself in my underwear and posting them all over, the police are not going to charge you with B&E or home invasion... Because you didn't ILLEGALLY break in... You had a key. You don't get to RETROACTIVELY call B&E when they left a mess in your kitchen or something that upsets you later.

    In the same way, taking a car that you were allowed to drive is still stealing the car, but it's not carjacking or B&E because they GAVE you the key. It's still breaking "A" law, but it's your word against theirs for your "level of access" to the car... You didn't "rob" them of the car... Robbery is very specific.

    The judge is also pointing out that authorized people borrow computers from coworkers and share passwords with other authorized people all the time... The law has to be applied uniformly, fairly, and predictably... Not IGNORED until the boss finds something else you did wrong.

  6. Re:Finding is wrong... by Americano · Score: 3, Insightful

    No, the last two paragraphs of the article clearly explain why Judges Silverman and Tallman disagree with the majority ruling.

    It's funny that you seem to have overlooked the third-to-last paragraph, where Judge Kozinski offered this: "Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," he said. "Employees who call family members from their work phones will become criminals if they send an email instead."

    What the minority opinion is saying - and you seem to be agreeing with - is that corporate Acceptable Use Policies should be given the weight of Federal criminal statute. If the corporate AUP says "You may not use work email for personal use," the scenario above would create a whole new class of *criminals* - not just an HR issue. There are already laws against misuse / misappropriation of confidential data.