'Hacking' Case, Remanded by 9th, Results in Conviction
I just violated FindLaw's corporate computer policy. Okay, maybe I didn't. I'm not really sure. I never read it. Most people don't. That little nugget of truth was why the Nosal case was so important when it was decided last year.
David Nosal was passed up for a promotion at Korn/Ferry, a headhunting firm. He plotted to start a rival business, and along with his merry band of followers, accessed some data from the company's database. That data was allegedly used to land a contract for the new company.
One would expect that case to end up in civil court, or at worst, with a theft of trade secrets charge. Instead, he was indicted on 20 counts, including theft of trade secrets, mail fraud, and violations of the Computer Fraud and Abuse Act (CFAA), an outdated 1980s law commonly used against hackers.
The problem was, he arguably didn't hack anyone. Along with his co-conspirators, he merely went beyond the bounds of allowed access and used the data for impermissible purposes. The Ninth Circuit initially ruled that the CFAA applied, but an en banc rehearing overruled the panel, citing the absurd results that could follow if the CFAA were applied in these cases.
Chief Judge Kozinski cleverly quipped in the majority opinion, "Under the government's proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist's policy, or describing yourself as 'tall, dark and handsome,' when you are actually short and homely, will earn you a handsome orange jumpsuit."
Alas, the Ninth Circuit opinion did not set Nosal free - it merely dismissed some counts of the indictment and limited the scope of the CFAA. The ruling held that the CFAA was limited to unauthorized access of data, not misuse of data obtained with lawful access (good means, bad ends). The ruling also put the Ninth Circuit into a split with a handful of other circuits.
Today, according to Vanessa Blum, a reporter who has been covering the case in depth, Nosal was found guilty on all counts, including three CFAA charges. The most likely explanation is that Nosal continued to obtain access to the system, through others' passwords and third parties, even after his username was deactivated.
Something tells us that the oft-criticized and outdated hacking law, and this case, are going to head back to the appeals courts in the near future.