Court narrows prosecutors' use of anti-hacking law

Appeals court rejects government's interpretation of a nearly 30-year-old act, ruling it was intended to prosecute computer hacking, not misappropriation of trade secrets.

Warning that checking sports scores or updating Facebook could be considered a crime, a U.S. appeals court rejected the government's broad interpretation of a nearly 30-year-old anti-hacking law in trying to prosecute a man for misappropriation of trade secrets.

In a 9-2 decision (PDF), the 9th U.S. Circuit Court of Appeals in San Francisco rejected the broad reading of the 1984 federal Computer Fraud and Abuse Act, warning that millions of Americans could be subjected to prosecution for harmless Web surfing at work.

The case centers on David Nosal, a former executive at recruiting agency Korn/Ferry International, who is accused of violating the act by persuading some of his former co-workers to send him confidential client information to help him start a competing business. Nosal was also indicted for theft of trade secrets, mail fraud, and conspiracy.

However, the court ruled that the law was intended to prosecute computer hacking, not misappropriation of trade secrets.

"The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," according to Chief Judge Alex Kozinski, who wrote the lead opinion. "This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime."

"Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping, or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes," he wrote.

Judge Barry Silverman wrote the dissenting opinion, saying the "case has nothing to do with playing sudoku, checking e-mail, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer's valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants' employment contracts."

Dennis Riordan, an attorney representing Nosal, told Reuters he welcomed the decision. "It leaves in place all the purposes of the anti-hacking statute, but it frees people from fearing they could be prosecuted for violating arcane provisions of employer policies," he said.

The U.S. Department of Justice did not respond to a request for comment.