April 11, 2012 at 12:36 PM ET
Updating your Facebook status from your work computer — even if it violates your company's policy — isn't a federal crime, according to a ruling by a San Francisco federal appeals court.
Sure it sounds extreme that such a question was even pondered by a federal court. But Facebooking and similar computer-based goldbricking could've been considered a violation of the the Computer Fraud and Abuse Act (CFAA) if the San Francisco's Ninth Circuit didn't dismiss "charges that would have criminalized any employee's use of a company's computers in violation of corporate policy," notes the Electronic Frontier Foundation:
In (U.S. v. Nosal), the government prosecuted an ex-employee of an executive recruiting firm on the theory that he induced current company employees to use their legitimate credentials to access a proprietary database and provide him with information in violation of corporate computer-use policy. The government claimed that the violation of policy constituted a violation of the CFAA, a law with criminal penalties.
While the case isn't specifically focused on Facebook, the ruling is another example of how the government is increasingly sucked into the conflict between how we earn a living and how we use the world's largest social network. Earlier this week, Maryland became the first state to pass a bill prohibiting employers from demanding employee user names and passwords to Facebook and other social networks. In March, two U.S. senators asked federal agencies to look into whether employers and colleges that are asking for access to individual Facebook profiles are breaking the law.
In U.S. v. Nosal, accessing Facebook through work computers — if against company policy — could've been deemed a federal crime as well.
In its role as a digital rights advocate, EFF filed an amicus brief — an opinion volunteered by a party not involved in a legal case. In it, EFF argued that "turning mere violations of company policies into computer crimes could potentially create a massive expansion of the law — making millions of law-abiding workers criminals for innocent activities like sending a personal email or checking sports scores from a work computer, and leaving them vulnerable to prosecution at the government's whim."
Many employers have adopted policies prohibiting the use of work computers for nonbusiness purposes. Does an employee who violates such a policy commit a federal crime? How about someone who violates the terms of service of a social networking website? This depends on how broadly we read the Computer Fraud and Abuse Act.
The court's findings overturn last year's ruling by a previous court which found that employees who violate their employer's computer policy could be accused of breaking the CFAA. The new opinion points out that broad interpretation of the CFAA could criminialize typical human behavior:
Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by gchatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.
"EFF has been fighting these aggressive government hacking arguments for years," EFF Staff Attorney Hanni Fakhoury said in a statement. "We're happy to see the court recognize that the government overreached here, and it issued a thoughtful decision that protects the rights of users."