A petition for rehearing was recently filed in United States v. Nosal, the Ninth Circuit decision holding that an employee who violates his employer’s computer use policy is guilty of “exceeding authorized access” to the employer’s computer. I have posted a copy here. I hope the Ninth Circuit grants rehearing, as I think the Nosal case is both wrong on the law and deeply troubling for civil liberties in the Internet age.
Overstatement? I don’t think so. It seems to me that if the federal government can arrest you and throw you in jail for violating a computer use policy — any computer use policy — then the government can arrest pretty much anyone who uses a computer. Most people who use computers routinely violate computer use policies: While we understand that such policies may have force from the standpoint of breach of contract, no one thinks that breaching a computer use policy is the same as hacking into the computer. The Nosal case would change that. Under its reasoning, breaching a written policy is treated the same way as hacking. And as computers become more and more ubiquitous, the power to arrest anyone who routinely uses a computer is the power to arrest anyone.
It’s true that the Nosal appeal happens to involve a prosecution under 18 U.S.C. 1030(a)(4), which requires more than just unauthorized access to a computer. But as the petition for rehearing notes, the unauthorized access “trigger” is common to several crimes in Section 1030(a), and other sections of 1030(a) don’t require much if anything beyond unauthorized access. The most obvious concern is 1030(a)(2), which makes it a crime to have any unauthorized access to anything on the planet with a microchip so long as some information is either seen or collected. For now it’s usually just a misdemeanor crime, so each breach of a policy would only mean you spend up to a year of your life in federal prison, but note that (1) Congress may make that crime a felony soon and (2) even the misdemeanors can be sentenced conseccutively (remember that DOJ wanted Lori Drew to be sentenced to a three year prison term for her three misdemeanor convictions of violating three MySpace terms of service).
You might think that as long as you avoid the Ninth Circuit, you’re probably okay. But that won’t help much: Lots of Internet communications go through the Ninth Circuit, meaning that the Ninth Circuit has venue over much of the rest of the country to prosecute computer use policy breaches elsewhere. Again, remember the Lori Drew case. Everything in the case happened in Missouri, and the Missouri state and federal authorities declined to prosecute because they thought no crime was committed, but the case was charged in Los Angeles because that’s where MySpace’s servers (and some extremely aggressive prosecutors) were located. It probably won’t help to move to Canada, either: Section 1030 covers all computers in the world that can be reached under the Constitution, even computers outside the United States, so the computer use policy breach doesn’t even need to be in the US for the feds to prosecute.
Given the stakes, I hope the Ninth Circuit will grant rehearing, revisit the panel decision, and come out the other way. Stay tuned.