Have you ever been distracted at work, aimlessly looking through blogs, Facebook, or Twitter to help you make it to the end of a long Monday? Most people have found themselves in this situation at some point, although probably few have considered the possibility that their internet browsing could be deemed a federal crime. Yet, the U.S. Goverment claimed just that in a case before the Ninth Circuit.  Based on an expansive view of the Computer Fraud and Abuse Act (CFAA) intended to combat internet hacking, the government “argued that CFAA targeted both hackers and people who are authorized to use a computer, but do so for an unauthorized purpose.” Considering the fact that a 2009 study found that over half of the companies surveyed completely prohibited any social media use by their employees at work, things like checking your personal e-mail account while on the job could fall under the government’s inclusion of using a computer “for an unauthorized purpose” in its broad view of the CFAA.

Luckily for procrastinators everywhere (or at least those in states within the Ninth Circuit, like California, Nevada, and others), the court rejected the government’s proposed interpretation of the CFAA. Chief Judge Alex Kozinski held that adopting such a broad view would risk that interpretation being extended to make “such minor dalliances” as watching a sports game on ESPN.com or online shopping while at work into federal crimes. Although personal use of work computers is “routinely prohibited by many computer-use policies,” the Ninth Circuit was concerned with the  “millions of unsuspecting individuals [who] would find that they are engaging in criminal conduct” if the government’s view was accepted by the court. Judge Kozinski also noted that the government’s interpretation of the CFAA would have the potential to be enforced arbitrarily or in a discriminatory manner against employees. By finding that checking Facebook accounts at work is not a federal crime, the court’s opinion focused on the original intent of the CFAA to punish hackers and those who access a computer without authorization.

This opinion by the Ninth Circuit conflicts with previous decisions on the issue by the Fifth, Seventh, and Eleventh Circuits, which all took a broader view of the CFAA. The disagreement among the circuit courts may set the stage for a Supreme Court decision to settle the dispute on the proper interpretation of the act. Until then, bored employees should check what circuit court their state is in– those in the Ninth Circuit can rest assured that sending a tweet or ordering from Amazon on their work computer will not result in federal criminal charges. Being safe from such charges, however, does not mean that social media use at work will not result in discipline from employers for violating company policies on computer use… so procrastinate with care!

Megan DeLockery

Image Source

Tagged with:
 

8 Responses to Good News for People Who Get Bored at Work

  1. Andrew Farrell says:

    The broad interpretation of the CFAA championed by the government truly would lead to absurd results. Aside from people being punished for using Facebook, certain terms of service could result in employees being punished for merely browsing their employer’s files, even if they did not intend to improperly use any proprietary information!

    Section 1030(a)(2)(C) purports to punish anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.” The term “protected computer” is defined as any computer that is used in or affects interstate or foreign commerce or communication.

    The 9th Circuit, in a previous opinion concerning the same criminal suit, noted that under a broad interpretation of section 1030(a)(2)(C), anyone who obtains information from any computer connected to the internet could be considered a criminal if they obtained that information while exceeding the authority granted to them by the employer’s terms of use. In this instance, the employer’s terms of use allowed access to a database ONLY for legitimate business endeavors. Thus, under the government’s very broad interpretation, an employee who accessed the database for any reason unrelated to official business would be deemed to violate the CFAA. It would be a crime for an employee to casually browse and employer’s files.

  2. Andrew Farrell says:

    The broad interpretation of the CFAA championed by the government truly would lead to absurd results. Aside from people being punished for using Facebook, certain terms of service could result in employee’s being punished for merely browsing their employer’s files, even if they did not intend to improperly use any proprietary information!
    Section 1030(a)(2)(C) purports to punish anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer.” Protected computer is defined as any computer that is used in or affects interstate or foreign commerce or communication. As Judge Kozinksi pointed out, that means that anyone who obtains information from any computer connected to the internet could be considered a criminal if they obtained that information while exceeding the authority granted to them by the employer’s terms of use. In the 9th Circuit case, the employer’s terms of use allowed access to a database ONLY for legitimate business endeavors. Thus, under the governments very broad interpretation

    xample, Mr. Nosal’s employer, Korn/Ferry, prohibited use of its proprietary database except for legitimate Korn/Ferry business. Under the majority’s interpretation, had Mr. Nosal ever viewed any information in that database out of curiosity instead of for legitimate Korn/Ferry business, he would be guilty of a federal crime.

  3. Michael Dearington says:

    Great post, Megan! Really interesting that the federal government is seeking such an expansive view, as it will almost certainly lead to discriminatory enforcement by federal prosecutors because of the very fact that millions of people could theoretically be within the law’s ambit if it were construed so broadly. I agree with Judge Kozinski that this could cause a notice problem, as numerous people would be unaware they are committing a federal crime, if interpreted so broadly. It would surely be a malum prohibitum situation, where it is “evil just because it is prohibited,” as opposed to malum in se (an actual bad act).

  4. KM says:

    I can see unauthorized use of a computer being the basis for some sort of reprimand or perhaps even—in the case of excessive unauthorized use—termination…but a federal crime? That’s ridiculous. Have the policymakers who supported this reading of the law really never once used their work computers in an unauthorized way?

  5. Carolina Blanco says:

    The government’s expansive interpretation of the CFAA is just another example of our criminal justice system’s trend of overcriminalization. Overcriminalization has resulted in the classification of harmless activities as crimes. But the criminal law is only supposed to punish conduct that American society thinks deserves punishment. Yet, under the broad view of the CFAA, conduct that most Americans probably wouldn’t consider to merit punishment such as checking your personal e-mail account on a company computer, would constitute “unauthorized use” subject to criminal penalties.
    Just as disturbing, the broad interpretation would make it possible to convict a person who acted without criminal intent! This broad view of the CFAA also raises the issue of fair notice – persons in jurisdictions adopting the expansive interpretation of the CFAA may be subject to prosecution for engaging in conduct they don’t even know is illegal.
    So kudos to Chief Judge Kozinski in the Ninth Circuit for getting this one right. Let’s hope SCOTUS likewise rejects the government’s broad interpretation in favor of the more narrow view of the CFAA as adopted by the Ninth Circuit.

    • Mike says:

      I think the CFAA does contain a mens rea element. It requires knowledge or intent, depending on the provision.

      But you’re right — the government’s interpretation of CFAA is a perfect example of overcriminalization in the federal system. Such capacious statutes encourage arbitrary and discriminatory enforcement.

  6. Lauren Gregory says:

    This reminds me of Tennessee’s password-sharing ban, enacted to prevent people from sharing access to services such as Netflix without paying (http://www.mobiledia.com/news/92476.html). In both that context and this one, it’s definitely troublesome that the government would argue a general anti-fraud statute is so broad that it reaches harmless, private Internet usage on a small scale. However, I think that in both cases, it’s unlikely the government would actually ever prosecute the little guy. Perhaps if there were some large, cooperative fraud ring at issue, the government might actually be able to devote the resources toward prosecution; but even if the government chose to pursue such a case, we know from the music-sharing context that this wouldn’t do much to deter conduct in the long term. People will continue to use the Internet illicitly, gambling that the chances of actually getting caught — and prosecuted — are essentially nil. And that’s probably a pretty safe bet.

  7. Megan L says:

    Great post Megan and what an interesting circuit split now, too. I haven’t read opinions by the Fifth, Seventh, and Eleventh Circuits, but I can’t imagine the federal government prosecuting someone for surfing the internet at work – it seems ridiculous! Another way of getting at the issue would be to encourage companies to revise their policies, especially if they do not enforce them. If an employer knows that its employees occasionally use their work computers for personal use, then how can they later enforce their strict policies?