Can checking sports scores from the office, using your employer's computer, land you in the slammer? It could, warn computer privacy advocates. They believe a case pending in San Francisco before a group of 9th Circuit judges could be interpreted to mean that anyone who abrogates his employer's rules about computer use exposes himself to federal prosecution -- no matter how petty the rule.
At the center of the case, reported by Politico last week, is David Nosal, a San Francisco headhunter who once worked for search firm Korn/Ferry International.
After leaving Korn/Ferry — first to join a competing firm, then to start his own -- Nosal was indicted in 2008 for having tried to steal Korn/Ferry data to which he no longer had legitimate access. According to the indictment, he recruited three Korn/Ferry employees to help him. The indictment says the three gave Nosal "source lists, names and contact information" from Korn/Ferry's database, which was considered by K/F to be "one of the most comprehensive databases of executive candidates in the world."
The Department of Justice brought suit against Nosal, claiming he had violated the Computer Fraud and Abuse Act (CFAA), a federal statute that, under certain circumstances, makes misuse of an employer's computers not just a felony but one punishable by up to 20 years in prison and fines of $250,000 or higher.
Privacy advocates, including the Electronic Frontier Foundation, have argued that the danger exists that CFAA penalties could be applied to an employee's infraction of trivial office rules -- for example, ones that forbid personal shopping on the Internet or the sending and receiving of personal email.
"It's a very important issue," Nosal's attorney, Dennis Patrick Riordan of San Francisco's Riordan & Horgan, tells ABC News. "There is little doubt the Supreme Court will confront it."
Virtually every employer, he says, now has rules against use of office computers for anything but work-related purposes. "Checking baseball scores, surfing the Internet — it's one thing to say those are violations of employer policy leading to discharge. It's another to say they're a federal crime for which you could be put in prison." The question raised by the Nosal case, he says, is this: Is the CFAA limited to serious criminals — hackers, fraudsters, thieves — or is it more expansive, embracing any kind of computer use that violates company policy?
"Some will say," says Riordan, "that this is a tempest in a teapot. That the law applies only to persons intending to defraud. But people don't realize what 'intent to defraud' might mean." It could, he says, apply to an employee wasting serious amounts of his employer's time — someone, for example, goofing off by going on eBay a lot. Two hours of hanky-panky a day could run into real money, costing an employer $10,000 a year in unearned pay. That could be construed as fraud.
"Did Congress intend to turn 50 million Americans into federal criminals, when they passed this statute?" asks Riordan. He thinks not.
Nick Akerman, a partner with Dorsey & Whitney in New York who specializes in issues of computer fraud and abuse, says Nosal is indeed a teapot tempest.
It's "ridiculous," he says, and "absurd" to imagine the law being applied to rinky-dink infractions, such as people goofing off. The idea that somebody could be sent to jail for checking sports scores? He dismisses it as "crazy."