Strict Hacking Definition Doesn't Touch IT Misuse


     SAN JOSE, Calif. (CN) - Accessing a firm's proprietary information with customer login credentials does not qualify as hacking under state and federal computer fraud laws, a federal magistrate ruled.
     Enki Corp. - a purveyor of cloud computing and other IT services - sued its former co-owner, Keith Freedman, for abuses of the federal Computer Fraud and Abuse Act (CFAA) and California's Computer Data Access and Fraud Act (CDAFA). The company accused Freedman of swiping proprietary technology by using the login provided to its customer, Zuora Inc., while Freedman was doing work for both companies.
     U.S. Magistrate Judge Paul Grewal nevertheless dismissed Enki's state and federal hacking claims against Freedman and Zuora on Thursday, citing the 9th Circuit's definition of what hacking is and - in this case - is not.
     "The CFAA imposes liability where the defendant commits certain acts on a 'protected computer' either 'without authorization' or in 'excess of his authorization,'" Grewal wrote. "The 9th Circuit has held that to access a protected computer 'without authorization' is to do so 'without any permission at all,' and to 'exceed authorized access' is to 'access information on the computer that the person is not entitled to access.' It has further held that an individual does not 'exceed authorized access' simply by misusing information that he or she was entitled to view for some other purpose; the CFAA regulates access to data, not its use by those entitled to access it."
     Although Enki argued that it never gave Freedman and Zuora permission to access Nimsoft scripts, Grewal noted that the contract between the parties said otherwise.
     "Enki hangs its hat on its repeated refusals to grant Zuora or Freedman the authority to write or edit those scripts," Grewal wrote. "That argument, however, speaks to misuse of the scripts, not unauthorized access, which under United States v. Nosal does not run afoul of the CFAA. Because Enki's complaint fails to allege that defendants had no access rights to Enki's scripts, and indeed the documents upon which it relies reveal that Defendants had certain access rights, their CFAA claim must be dismissed for failure to state a claim."
     California's hacking laws add a further condition for liability: an alleged hacker must defeat a technical code or barrier. And since Enki gave Freedman and Zuora login credentials to access its programs, no violation of the CDAFA occurred, according to the ruling.
     The magistrate nevertheless did give Enki another opportunity to plead its federal hacking claims, and he retained jurisdiction over the state-law contract claims.
     "Although the remaining claims are all grounded in state law, the parties are already eight months into litigation in this forum and it would hardly serve the interests of economy or convenience to require the parties to begin anew in state court," Grewal wrote.