SAN FRANCISCO (CN) – The government pressed an 11-judge panel of the 9th Circuit on Thursday to reinstate computer fraud charges against a recruiter accused of illegally accessing his former employer’s computers to support his own competing business.
Prosecutors say that after David Nosal left the executive recruiting firm Korn/Ferry International, his work password still worked and he logged into work computers to obtain proprietary company information. Then he and his accomplices allegedly used that data to start a competing business.
The government indicted Nosal on June 28, 2010 for fraud, theft of trade secrets and violations of the Computer Fraud and Abuse Act. Though a federal judge dismissed some of the CFAA counts, a three-judge panel of the 9th Circuit reinstated the dismissed counts. In October, the court vacated its decision to conduct a rehearing before the full court.
“We’re trying to crystallize what exceeding authorized access means,” Judge Margaret McKeown said at that rehearing Thursday.
Federal prosecutor Jenny Ellickson said Nosal violated the CFAA by accessing Korn/Ferry’s computer with authorization, and then using that access to “obtain or alter information on the computer that the accessor is not entitled so to obtain or alter.”
The judges spent most of Ellickson’s time arguing over whether Ellickson’s definition would make it a CFAA crime to violate the terms of a social networking site like Facebook to alter one’s profile information.
“You have a violation when you access Facebook or Google, a violation of their terms of service,” Chief Judge Alex Kozinski said. “People lie about their age or email address or whatever.”
Ellickson argued that most people will not have read the terms of service and would not have the requisite intent. “I can’t imagine the department would prosecute a case like that,”she said.
“We don’t really want to allow everyone in the country to be at the mercy of their local-use attorney,” Kozinski replied. “That would be exceedingly bad policy to give the hands of the government the ability to prosecute everybody who has access to a computer and say ‘I can’t imagine they’d go after them.'”
Ellickson disagreed. “The fact that the statue may cover conduct in which many people engage does not mean that the statute is improper or broad,” she said.
Nosal’s defense attorney Ted Jones said the government’s interpretation of the CFAA statute is overbroad.
“The government’s interpretation would turn this hacking statute into a very broad computer misconduct statute,” Jones said. “It would criminalize the innocuous behavior of millions of employees and Internet users.”
“In this case, taking the allegations of the indictment as true, we know there was a written contract that set forth very express prohibitions on terms of access which your client signed and promised to abide by,” Judge Richard Tallman said. “We know your clients accessed this computer system for fraudulent purposes to set up a competing business and steal clients that otherwise would have gone to Korn/Ferry. So where on the allegations in this case did the government go wrong?”
The alleged accomplices couldn’t be held liable under Nosal’s confidentiality agreement with Korn/Ferry, Jones argued. “Fundamentally our position is written restrictions on use are insufficient,” he said.
“Nosal may be liable under other statutes, but not this one,” he added. “We’re not disputing that the government has sufficiently alleged intent to defraud, we’re disputing that is has sufficiently alleged exceeding authorized access.”
Tallman challenged Jones on this point. “Exceeding authorized access is clearly in breach of the contract your client signed,” he said.
Jones responded: “Not every bad thing that happens needs to be a crime under this statute. The statute criminalizes hacking. The prototypical hacker doesn’t use permission. The prototypical hacker steals the key.”
“When you leave your employer, you turn in your key,” McKeown said. “I don’t see how it doesn’t fall into what you call technological access.”