A top US court has decided that the Computer Fraud and Abuse Act cannot be used to police company computer policies or tech company terms and conditions.
While it sounds obvious to us, apparently some companies have been demanding that their employees be tried as hackers if they try to get around company network policies.
A similar argument has been made by games companies whose users have a habit of hacking into their systems to get better magic swords.
The Ninth Circuit has just handed down its long-awaited en banc decision in United States v. Nosal.
Chief Judge Kozinski has looked at the law and told courts to adopt a narrow construction of the Computer Fraud and Abuse Act.
He said that the phrase “exceeds authorised access” in the law has to be interpreted narrowly to avoid turning the CFAA into a statute that inadvertently criminalises harmless activity.
Basically, without that narrow reading, you could be jailed if you work out a way of seeing Facebook on your work computer.
Chief Judge Kozinski said he did not believe that Congress, when it drafted the law, wanted to turn most people in the United States into criminals.
He said that a law whose general purpose is to punish hacking could not include the circumvention of technological access barriers. People should not use the law to stop misappropriation of trade secrets because Congress has dealt with that elsewhere. So, “exceeds authorised access” in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.
According to Volokh.com, which has been looking at the changing laws for a while, Kozinski’s opinion runs against decisions made in other regions of the US, and the conflict will probably have to be sorted out by the Supreme Court.