Amid global cybercrime, accidental hacks risk jail
By Reynolds Holding
The author is a Reuters Breakingviews columnist. The opinions expressed are his own.
Amid a global blitz of cybercrime, accidental hackers risk going to prison. A U.S. anti-hacking law is so broad that it may make any breach of an employer’s computer policy a crime. Recent attacks against Citigroup, Sony, the International Monetary Fund and others understandably feed demand for stiffer penalties. But prosecutors should avoid overkill with fat-fingered users of PCs and Macs.
Take the case against David Nosal. The executive recruiter is accused of getting information from his former employer’s computer system through an ex-colleague and using it to help his competing business. If that’s how it happened, the move violated the company’s policy and possibly amounted to the theft of trade secrets. But hacking?
That’s essentially the charge Nosal faces under the U.S. Computer Fraud and Abuse Act, or CFAA, an anti-hacking law that prohibits unauthorized use of computers. A California federal appeals court upheld the charge against Nosal in April, but was asked this week to reconsider. The panel said employers’ policies define what’s “authorized,” so prosecutors can argue that Nosal’s policy breach was criminal.
Saying it is criminal for a Social Security Administration employee to fish unauthorized through sensitive databases — as an Atlanta federal court ruled in January — sounds reasonable. But simply allowing what may be arbitrary or badly communicated corporate policies to define the law seems a lot less reasonable in Nosal’s case. Another use of CFAA involved a breach of social network MySpace’s policies. Lori Drew, a Missouri housewife, was initially convicted, though a judge overturned the decision in 2009.
But the problem with CFAA remains. If violating any company or website policy is potentially illegal, then even someone who checks personal email or a racy website at work could theoretically end up in prison. That’s surely not the intended result.
Rather than fix that problem, President Barack Obama’s administration and U.S. lawmakers want to toughen the law. Driven in part by costly recent cyber-attacks, the House of Representatives on May 25 considered a proposal to make all violations of CFAA felonies and increase maximum sentences from five to 20 years. But if Congress wants to get serious about hacking, it should first define the crime sensibly.