Today EFF filed a "friend of the court" brief (pdf) urging the Ninth Circuit Court of Appeals to reconsider its troubling decision (pdf) that employees face jail time when they access work computers for purposes that violate company policy.
In United States v. Nosal, the former employee of an executive recruiting firm convinced current employees to access the company's proprietary database and pass along information that he could use for competitive advantage. The company's computer-use policy, however, said that employees were only allowed to access the database to further the company's business interests. The government prosecuted the former employee under the federal Computer Fraud and Abuse Act (CFAA), arguing that his accomplices had authority to access the database for some purposes, but exceeded that authority when they accessed it for a purpose that violated corporate policy. Unfortunately, the Ninth Circuit agreed.
This is a dangerous precedent because it gives employers the power to make behavior illegal just by saying in a written policy that it's not allowed. For example, a worker could be sued or prosecuted for reading personal email or checking the score of a baseball game if her employer's policy says that company computers may be used only for work.
That might sound far-fetched, but it's not. Earlier this year, a company sued (pdf) a former employee under the CFAA for making too much personal use of the Internet at work in violation of company policy—apparently in retaliation for a wrongful termination lawsuit that she filed first. The court dismissed (pdf) the company's claim, but Nosal gives a solid foothold to those who would make similar arguments in the future.
The decision also offers ammunition for the argument that people run afoul of the CFAA when they violate web sites' terms of use—a theory that has been rightfully rejected by other courts in cases like United States v. Drew.
We hope the Ninth Circuit will reconsider its approach in this case. The CFAA is broad enough already—it shouldn't be interpreted to criminalize the everyday behavior of millions of employees and (potentially) Internet users.