On Tuesday, the Supreme Court let stand the novel hacking conviction of a man who did not hack a computer to gain unauthorized access.
The justices, without comment, turned away the appeal of David Nosal, who was convicted of three counts under the Computer Fraud and Abuse Act (CFAA) hacking statute.
Nosal's conviction was based on a hacking conspiracy of sorts.
According to court documents, Nosal used to work at an executive search firm called Korn/Ferry. After quitting Korn/Ferry, Nosal urged a former colleague to give up her credentials to two other Korn/Ferry employees who were cooperating with Nosal. At Nosal's urging, they downloaded proprietary Korn/Ferry information to help the trio start a competing firm. As his punishment for the conspiracy, Nosal was sentenced to a year in prison. He appealed and said the hacking statute did not apply to him.
In seeking the high court's intervention, Nosal's attorneys said the San Francisco-based 9th US Circuit Court of Appeals' approval of the conviction was problematic:
The 9th Circuit's decision exposes a broad range of innocuous, day-to-day activity to criminal prosecution. If a computer's owner has exclusive discretion to grant or revoke authorization, a person could violate the statute any time he logged in to a computer in violation of the owner’s policies or terms of service. Take, for example, a person who uses his spouse's password to log into the family's online banking account to pay a bill. Or an assistant who logs into an executive's email account to print out a presentation. If the banking and email services prohibit password-sharing, the 9th Circuit's reasoning would transform these quotidian acts into violations of the CFAA, punishable by a fine and up to a year in prison, even if the users had no criminal intent.
The hacking section at issue here is the one that punishes whoever "knowingly, and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access."