Thieving staff safe from US hacking laws

Insiders who have valid credentials to access confidential records cannot be charged under the nation's anti-hacking law

A ruling handed up this week in a US appeals court found staff who violate their organisation's user policies do not violate the federal Computer Fraud and Abuse Act (CFAA).

David Kosal, a former manager at executive search firm Korn/Ferry, beat charges that he convinced three of his former co-workers to use their valid login credentials to access and download customer lists and then transfer them to him so he could start a competing company.

While staff were prohibited from disclosing private information under their company policy, Kosal filed a motion to have five counts including "aiding and abetting" and "intent to defraud" dismissed.

Judge Kozinski agreed with Kosal that the law addressed hackers, not staff authorised to access a computer, affirming a lower court's decision to throw out the counts.

Kosal remains charged with mail fraud, trade secret theft and conspiracy, for which he has yet to face trial, according to a Reuters report.

The decision determined that hacking involves "the circumvention of technological access barriers," but not the "misappropriation of trade secrets."

In other words, only those individuals who find ways to access data that they are restricted to reach are liable under the law.

Without drawing this distinction, "millions of unsuspecting individuals would find that they are engaging in criminal conduct."

The ultimate precedent may be set if the US Supreme Court takes up the matter, a distinct possibility considering other federal appeals courts have disagreed with Kozinski's interpretation.

One high-profile case that may be impacted by such a ruling is that of Bradley Manning, the accused Army private-turned-whistleblower who used his permitted access to steal hundreds of thousands of U.S. diplomatic cables and then transfer them to WikiLeaks.

Among other laws, prosecutors have charged Manning under the CFAA.

"Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by chatting with friends, playing games, shopping or watching sports highlights," Kozinski wrote.

"Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes."

In summary, the ruling said: "[W]e hold that 'exceeds authorised access' in the CFAA is limited to violations of restrictions on access to information, and not on restrictions on its use."

"Let's say an employee is given full access to information, provided he logs in with his username and password," Kozinski wrote. "In an effort to cover his tracks, he uses another employee's login to copy information from the database. Once again, this would be an employee who is authorised to access the information, but does so in a manner he was not authorised."

Dan Conaway, a former assistant district attorney in Georgia who now represents accused cyber criminals, told SCMagazine.com on Wednesday that the ruling may draw the line between what is worthy of prosecution and what should be sorted out in civil court.

Conaway said Kosal's case may confirm that criminality under the CFAA should be confined to suspects who clearly have no legitimate reason to access a certain computer and who then harm the privacy or financial interests of individuals, such as in the case of a credit card breach.

For the last several years, prosecutors have shown an increased willingness to pursue alleged thefts that they may not have a generation ago, Conaway said. He attributed this to "established powers" being threatened by computers.

"There's this kind of fear out there of computers in general because the information is being gotten and disseminated in a much more powerful medium," he said. "There's the desire there on the part of governments and large corporations and other big interests to use the criminal justice system to intimidate and keep people from doing that."

This article originally appeared at scmagazineus.com