A ruling by the 9th US Circuit Court of Appeals in San Francisco has narrowed the reach of a computer fraud law that the government had been using to prosecute workers who steal from company computers, according to Reuters. The decision found that interpreting the Computer Fraud and Abuse Act (CFAA) as the government had been doing could “expose millions of Americans to prosecution for harmless activities at work.” It also could play a role in the court martial of Pfc. Bradley Manning, the soldier accused of releasing classified information to WikiLeaks.
The decision came in the case of David Nosal, former manager at the executive recruiting business, Korn/Ferry International. Nosal was indicted in 2008 for trying to steal Korn/Ferry data that he no longer was supposed to access so that he could start a “competing firm.” He had three Korn/Ferry employees help him and they gave Nosal “source lists, names and contact information” from a company database.
The government had been using the CFAA to prosecute individuals who violate computer use policies. This decision directly challenged that interpretation of the anti-hacking law:
…[T]he broadest provision is subsection 1030(a)(2)(C), which makes it a crime to exceed authorized access of a computer connected to the Internet without any culpable intent. Were we to adopt the government’s posed interpretation, millions of unsuspecting individuals would find that they are engaging in criminal conduct.
Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by gchatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.
It held that the CFAA’s purpose was to “punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere.” So, the CFAA is “limited to violations of restrictions on access to information, and not restrictions on its use.”
The employees that helped Nosal had “permission to access the company database and obtain the information contained within.” Therefore, there weren’t grounds to prosecute Nosal on charges under the CFAA because “authorized access” had not been exceeded.
Keeping in mind that the ruling conflicts with at least three other circuit court rulings (which the 9th Circuit acknowledged) and a case like this is likely to be heard before the Supreme Court before all is said and done, why might this affect the case against Manning?
Two of the charges against Manning are for knowingly “exceeding authorized access” to obtain US State Embassy cables for transfer to WikiLeaks:
SPECIFICATION 13: In that Private First Class Bradley E. Manning, US Army, did at or near Contingency Operating Station Hammer, Iraq, between on or about 28 March 2010 and on or about 27 May 2010, having knowingly exceeded authorized access on a Secret Internet Protocol Router Network computer, and by means of such conduct having obtained information that has been determined by the United States government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, to wit: more than seventy-five classified United States Department of State cables, willfully communicate, deliver, transmit, or cause to be communicated, delivered, or transmitted, the said information, to a person not entitled to receive it, in violation of 18 U.S. Code Section 1030(a)(1), such conduct being prejudicial to good order and discipline in the armed forces and being of a nature to bring discredit upon the armed forces.
SPECIFICATION 14: In that Private First Class Bradley E. Manning, US Army, did at or near Contingency Operating Station Hammer, Iraq, between on or about 15 February 2010 and on or about 18 February 2010, having knowingly exceeded authorized access on a Secret Internet Protocol Router Network computer, and by means of such conduct having obtained information that has been determined by the United States government pursuant to an Executive Order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, to wit: a classified Department of State cable titled “Reykjavik-13”, willfully communicated, delivered, or transmitted, the said information, to a person not entitled to receive it, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, in violation of 18 U.S. Code Section 1030(a)(1), such conduct being prejudicial to good order and discipline in the armed forces and being of a nature to bring discredit upon the armed forces. [emphasis added]
This is what Manning’s defense attorney, David Coombs, was trying to address on March 15 when a bill of particulars motion that specifically asked the government, “How did Pfc. Manning knowingly exceed access on a SIPRNet computer?” was heard in court. He wanted to know if the government thought Manning had “hacked into the Net Centric diplomacy database.” He wanted to know if they thought he had obtained a password for the database illegally. At the bare minimum, he wanted the government to say whether they thought, even though he had access to SIPRNet, he was not authorized to search the Net Centric diplomacy database.
The government would not provide this information. They would not share details on the legal theory they were using to prosecute Manning on these charges. Coombs argued the defense should know how they think he exceeded access so the defense could properly address the charge in court. But, Judge Col. Denise Lind ruled in favor of the government and would not force the government to disclose information that would explain the charges.
The ruling today is why Coombs was requesting this information. As an intelligence analyst, Manning was permitted to access the database that contained US diplomatic cables. There has been no evidence presented that Manning engaged in hacking to get to the cables. And now, there is more case law to argue that charges, which essentially accuse Manning of hacking, should be thrown out, especially if they are being brought under the CFAA.
The anti-hacking law should not be a mechanism the government is allowed to use to punish Manning. Coombs should challenge the charges in open court. However, until the Supreme Court hands down a decision on interpreting the law, the broader interpretation is likely to be acceptable in military court. Manning is unlikely to have the charges tossed.
On a more general note, the ruling is probably one that should be considered very good for future whistleblowers. It could make it harder to go after people who expose crimes, fraud, misconduct, waste, etc., by charging them under the CFAA when they did not engage in any hacking at all.
Kevin Gosztola is the co-author of the new book, “Truth and Consequences: The US vs. Bradley Manning.” He will be doing an FDL Book Salon on April 28 on the recently published book.