DOJ Won't Ask for Supreme Court Review of CFAA Hacking Decision

In April, the Ninth Circuit Court of Appeals dismissed a federal hacking charge against a California man, finding that the Computer Fraud and Abuse Act (CFAA), which outlaws computer use that "exceeds authorized access," was inapplicable to the case. For months, we've wondered whether the Justice Department would appeal that decision to the Supreme Court.

This week, we got our answer. The DOJ has decided not to petition for Supreme Court review, reports Wired.

Shortly after the defendant, David Nosal, left his job, he convinced some of his former colleagues who were still working for the company to help him start a competing business. The employees used their log-in credentials to download information from a confidential company database, and transferred that information to Nosal. The employees were authorized to access the database, but prohibited from disclosing confidential information.

The government indicted Nosal on 20 counts for his role in the data acquisition, including trade secret theft, mail fraud, conspiracy and violations of the CFAA. A district court dismissed the CFAA hacking charge in an interlocutory appeal, and the Ninth Circuit Court of Appeals affirmed.

Ninth Circuit Chief Judge Kozinski observed that the CFAA was designed to penalize hackers, and the government's interpretation of the "exceeds authorized access" provision could yield absurd results. "The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer." According to Kozinski, that interpretation would make criminals of unsuspecting people who shop online, watch video clips, or use social networks during the work day in violation of their employers' computer-use policies.

Kozinski said that prosecution should be limited to violations of restrictions on access to information, and not restrictions on its use. In other words, if a person uses her log-in credentials to access information, she's okay, but if she uses someone else's credentials, (or performs some Hollywood-style hacking), she could be prosecuted.

In honor of the DOJ's decision not to appeal, here's a list of five things that aren't hacking thanks to the DOJ's decision to not to press for Supreme Court review.

1. Online shopping. Maybe your boss will forgive your workday shopping if you buy her something pretty? (Sadly, our boss's taste in pretty things rivals our rent.)
2. Facebook. Before reviewing status updates, remember that billing > liking.
3. Dating websites. How do you have free time to date if you're wasting your working hours browsing the Internet?
4. Reading FindLaw blogs. Shameless self-promotion: Brushing up on legal news is not only not hacking, it's informative. You can get the SCOTUS latest and greatest delivered to your inbox by subscribing to FindLaw's Supreme Court Digest.
5. Angry Birds. Slinging birds at animals probably exceeds your employer's idea of authorized access to company machines, but it won't land you in court.

Just remember: Even if wasting time on a company computer won't result in a CFAA hacking case, you could still get fired.

Related Resources:

• U.S. v. Nosal (FindLaw's CaseLaw)
• Fourth Circuit Refuses to Apply CFAA to Employee Data Breach (FindLaw's Fourth Circuit Blog)
• Employers Empowered By Computer Crime Law Against Departing And Disloyal Employees (FindLaw)