Slashdot Mirror

← Back to Stories (view on slashdot.org)

Court Rules Workers Did Not Overstep On Stealing Data

Posted by samzenpus on from the no-harm-no-foul dept.

MikeatWired writes "In a somewhat startling decision, the U.S. Court of Appeals for the Ninth Circuit has ruled that several employees at an executive recruitment firm did not exceed their authorized access to their company's database when they logged into the system and stole confidential data from it. The appellate court's decision affirms a previous ruling made by the U.S. District Court for the Northern District of California. The government must now decide if it wants to take the case all the way to the U.S. Supreme Court. The judge wrote that the Computer Fraud and Abuse Act, under which they were charged, applies primarily to unauthorized access involving external hackers. The definition of 'exceeds authorized access' under the CFAA applies mainly to people who have no authorized access to the computer at all, the judge wrote. The term would also apply to insiders who might have legitimate access to a system but not to specific information or files on the system Applying the language in the CFAA any other way would turn it into a 'sweeping Internet-policing mandate,' he wrote."

9 of 88 comments (clear)

  1. Not guilty under CFAA only by schwit1 · · Score: 4, Insightful

    That doesn't mean they can't be charged under other statutes.

  2. Good news everyone... by iPaul · · Score: 4, Funny

    There are some judges who have a clue.

    --
    Leave the gun, take the cannoli -- Clemenza, The Godfather
    1. Re:Good news everyone... by Anonymous Coward · · Score: 5, Insightful

      No, that's not what it says at all. This ruling is saying that the CFAA applies to only to people using technological means to circumvent their restrictions, not people misusing the the access they do have. In this case, the users had legitimate credentials to the database. Obviously, they were not supposed to use that access to steal the data, but doing so is not "exceeding authorized access" it's simply theft. This is common sense. For a non computer analogy, at my old job I had a key to the storeroom. If I were to use that key to open the store room and steal a bunch of shit, I would not be charged with breaking and entering. That's not to say I won't be charged with a crime (and the accused in TFA were charged with other crimes), it just means I did not violate that specific law. The CFAA was created to prosecute hackers, it should not be used against anyone who does something on a computer that the owner of that computer doesn't like. This ruling is a good thing.

    2. Re:Good news everyone... by benjamindees · · Score: 4, Informative

      The ruling is equivalent to "if you have a logon, you should have root".

      The employees had access to the data in question. They could have easily been denied access if that were the intent.

      Try reading the article next time.

      --
      "I assumed blithely that there were no elves out there in the darkness"
    3. Re:Good news everyone... by laffer1 · · Score: 4, Insightful

      I'm not sure that's what it means. My interpretation is that an employee who normally has access to data, can access it without being charged. They tried to claim they hacked into something they had access it. The crime (if any) is what they did with the data. It's certainly copyright infringement and that would have civil implications.

      The judge smacked down the common practice of using "hacker" laws against people who happened to use a computer during the course of something else within a narrow window of having authorized access to the resource. This judge had common sense.

      --
      MidnightBSD: The BSD for Everyone
    4. Re:Good news everyone... by AngryDeuce · · Score: 4, Insightful

      Either they have legitimate access to the data or they don't. How can someone be charged with breaking in to a system that they are openly given access to as a part of their employment?

      Everything else is beside the point. You can't invite someone into your home and then turn around and claim they broke in, which is exactly what these guys were alleging. Nobody is saying they're not guilty of a crime, they're just saying they're not guilty of this crime.

      Your employees can attack from within with impunity.

      If you fear and distrust your employees this much, why the fuck do you keep them on the payroll? Just another asshole that sees their employees as a liability despite the fact that you're making money off of their productivity day after fucking day. You guys need a reality check.

    5. Re:Good news everyone... by sirlark · · Score: 4, Insightful

      The ruling is equivalent to "if you have a logon, you should have root".

      No it isn't. It's a point of law, and a good one! From TFA

      In a 22-page ruling, the appellate court held that an employee with valid access to corporate data cannot be held liable under the federal Computer Fraud and Abuse Act (CFAA) if they then misuse or misappropriate the data.

      "The CFAA expressly prohibits improper 'access' of computer information," chief judge Alex Kozinski wrote in the court's majority opinion. "It does not prohibit misuse or misappropriation," he wrote.

      These guys had authority to access the data as part of their daily job. They may have stolen the data, i.e. removed copies illegally from the company network, but in doing so they did not exceed their access rights. They might be guilty of violating their contracts, corporate espionage, or a whole host of other things, but not 'hacking'. This judge made the right call, the prosecutor screwed up by laying the wrong charges.

    6. Re:Good news everyone... by David+Chappell · · Score: 5, Informative

      no, it just means it's not a criminal offense when employees take data with them. sales people have been doing this for decades. companies have had data security policies before computers and this is no different

      It could still be an offense under a different law. The judge here is making a distinction between exceeding unauthorized access and abusing authorized access. An example: If I pick the lock on a filing cabinet in the boss's office and photocopy the trade secret documents inside and give them to a competitor I have exceeded authorized access. On the other hand if I use my key to open a filing cabinet in my own office and photocopy the same documents and give them to a competitor, I have abused (but not exceeded) my authorized access.

      In both cases multiple offenses are committed. But there is one more offense in the first scenario than in the second.

      This is not hair splitting. Without this distinction any misconduct by persons with authorized access makes their access unauthorized. This could have very surprising consequences. In one recent case a prosecutor argued that a user who violated the terms of use of a web site had obtained 'unauthorized access' because she had used the site in an 'unauthorized manner'. If we were to access this theory, then web site operators and employers could in effect write their own laws and get people sent to jail for violating them.

  3. Summary should say "infringed confidential data" by Anonymous Coward · · Score: 5, Funny

    If there's one thing I learned from Slashdot, it's that data cannot be stolen.

    Only physical goods that can be manufactured (usually more cheaply in the Far East or Latin America than in the US) can be stolen.