From the source 'rayiner provided:

    Evidence at trial showed that Nosal, 55, of Danville, entered into an
    agreement with other Korn/Ferry employees in 2004 to take confidential
    and proprietary materials from Korn/Ferry’s computer system to be used
    in a new business that Nosal intended to establish with those
    individuals after he left Korn/Ferry’s employment in late 2004. The
    evidence showed that two of those employees downloaded large numbers
    of “source lists” (essentially, targeted lists of candidates developed
    by Korn/Ferry for the purpose of filling particular positions at
    particular client-companies) prior to their own departures from
    Korn/Ferry. Thereafter, those two employees used the Korn/Ferry login
    credentials of another conspirator who was still employed at
    Korn/Ferry to download additional source lists and other information
    from Korn/Ferry’s computer system in April and July 2005 for use in
    Nosal’s new business. The trial in this case occurred after remand
    from the Ninth Circuit Court of Appeals, which had affirmed
    then-District Court Judge Marilyn H Patel’s pre-trial dismissal of
    several computer intrusion counts.

The fact that said lists are now stored in a computer rather than in a rolodex or filing system should not suddenly increase the potential penalties manyfold.

I also don't see why the federal government is prosecuting what I see as a civil dispute between two private parties.

But I reiterate. The fact that the information was stored on a computer shouldn't trigger massively bigger penalties. Everything is stored on computers these days!

I think there are probably cases that do a better job showcasing the need for computer-specific crime laws, and crimes that do a worse job at that. Basic wire fraud cases don't really need CFAA from what I can tell, and CFAA serves primarily as a sentence accelerant in them. But in other cases, particularly where people cause damage but don't reap profits, the need for specific laws is clearer.

Sure, these are bullshit arguments, but the point is that our legal system works on a rough mix of common sense and code. If I can find an exploitable ambiguity in statute or precedent and apply it to a defendant's case, then it's like an exploit in which throwing an exception is equivalent to a trial resulting in an acquittal. we have laws defining what a computer system is and what constitutes access to one etc. precisely because the virtualized nature of digital information makes it tricky to apply laws that were drafted to deal with theft of physical property.

This is a very gnarly question, with good arguments on both sides - but in addition, there's a lot of unstated political baggage tied to both sides of the argument, so that what is on the surface a question of legal philosophy is on closer examination rooted in quite different philosophies of governance.

Now myself, I like the common-law approach and I would prefer a general class of crimes and that the details of individual cases be taken up by wise jurists. On the other hand, it's not a foregone conclusion that all judges are wise or selfless, and of course there might be judges who are both but who would come to quite different conclusions from me because they operate on a different moral calculus. So for the sake of consistency and predictability, there's a strong argument to have laws debated and promulgated by legislators rather than judges, so that anyone can do and look them up for guidance about what is and is not legal. Of course that involves some idealistic assumptions about legislators...

If you like high-density reading material, I strongly recommend How Judges Think by Judge Richard Posner.

CFAA is not a good computer-specific crime law. Two gigantic problems with it: sentences that scale linearly with damages despite the fact that criminal intent and diligence does not scale the same way, and the CFAA's "sentencing accelerant" property, where it bonds covalently with other criminal charges to increase penalties.

I am also opposed to the idea that we need specific crime laws for things like this. What about vehicular manslaughter while listening to an iPod, and why would that not be covered as distraction equivalent to listening to radio, which I assume and also hope that it would be. There should be some respect for the intent of existing law in addition to the letter, because we do have laws for theft and I am certain that the intent of those laws covers these cases.

1. The exact definition varies by state - in some places only residences can be burgled (but you can have criminal trespass on commercial premises) and now that I think of it burglary is usually defined as taking place during the night, whereas in the daytime the same crime would be breaking & entering, and so on.

The jury concluded based on the evidence that he knew that his friend intended to use it to commit a crime. Knowledge and concious disregard for the fact that your work is being used to commit a crime is indeed malicious intent.

> Really, I am not seeing what your issue is with the comparison between the three cases. In all three cases, men faced charges of CFAA violations that were completely inappropriate.

In two of the cases, the men were directly involved in the commission of a computer-related crime and acted maliciously. If you're trying to show the injustices of a law, it's generally a good idea to find sympathetic defendants rather than criminals or their accomplices.

Cryptographers beware...

"computer-related crime"

Except that "computer-related crime" has come to mean "any crime in which a computer is used." As more and more things become computerized, more and more crimes will be "computer-related." Eventually everyone who is accused of a crime will also be accused of a CFAA violation, which will weaken everyone's defense.

"If you're trying to show the injustices of a law, it's generally a good idea to find sympathetic defendants rather than criminals or their accomplices"

Henry Louis Mencken addressed this more eloquently than I can:

"The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all."

Your point about computer crimes becoming more prevalent is certainly justification to alter legislation dealing with computer crimes so that minor infractions have minor penalties, but I never saw rayiner arguing to the contrary.

So what do you do if you're trying to show that the law has excessive and disproportionate penalties?

The trade secret charge has the harshest penalty, and is independent of computer use.

The conspiracy charge has the same maximum as the unauthorized network access charge.

Someone who is an expert at the Federal Sentencing Guidelines will have to chime in with what that means for an eventual sentence, but I suspect that even if the computer violation were considered extremely minor that it would have nearly the same marginal effect on the eventual sentence, once the trade secret and conspiracy sentences are thrown into the mix.

Even if the prosecutors had never mentioned the term "computer" this guy would be in some deep shit...

I was responding to the general point.

But as for finding a better case, the problem is that you don't get to pick which cases get prosecuted. If the parties have decided to appeal then a precedent is going to be set here one way or the other. So let him go to jail for what he actually did -- there is no reason to allow the CFAA charge to be piled on top of that and set a terrible precedent for next time when the defendant is sympathetic but the question has already been settled.

I would understand arguing that CFAA in particular is overbroad but it's hard to claim it's being used in this case in a way that's inconsistent with the rest of the U.S. Code. In fact even the CFAA is more narrowly-focused than the aforementioned mail fraud law.

And that's what I mean by "finding a better case". This is simply not a suitable demonstration of stupendous overreach. Prosecutors pile charges on, that's what they do. They only get one trial to sort everything out and entire swaths of their case can be thrown out in one fell swoop so yes, they'll stick everything they feel they can prove on there.

Even with some theoretical replacement for CFAA that is more fair I would think that at least the authorized access using a co-conspirator's credentials would end up being a chargeable offense, so the difference here is with the remaining accesses that were made. And even those are hard to claim would be "authorized" access with a straight face, as why would any company authorize access to their networks for the purpose of industrial espionage?

I don't understand what your question has to do with what we were discussing. Who said we should "have no law at all regarding computer crimes"? There may be a need for specific regulation regarding some unique aspect of what computers do, or for carving out specific provisions in existing laws when some distinctive feature of computers changes the analysis, but that isn't what the CFAA is. We have laws against theft of trade secrets, what cause is there for them to work differently or have different penalties just because a computer is involved? And if there is such a cause, why must it be addressed with a law having such breadth and penalties as the CFAA rather than something more narrowly targeted at the actual evil?

>In fact even the CFAA is more narrowly-focused than the aforementioned mail fraud law.

The mail fraud law may be similarly problematic, though it at least is mitigated by the fact that it requires you to use the mail, which is becoming less and less common and even in its heyday was never involved in so much of the everyday activities of normal citizens as the internet is today.

>Prosecutors pile charges on, that's what they do. They only get one trial to sort everything out and entire swaths of their case can be thrown out in one fell swoop so yes, they'll stick everything they feel they can prove on there.

Which is kind of the point: They're willing to abuse whatever you give them, so we shouldn't be giving them anything so easy to abuse.

>Even with some theoretical replacement for CFAA that is more fair I would think that at least the authorized access using a co-conspirator's credentials would end up being a chargeable offense, so the difference here is with the remaining accesses that were made.

I think there is a case to be made that authenticating with someone else's credentials (and nothing more) does not need to be a federal offense. Imagine the same scenario (you log on to a friend's work computer using their credentials) but you do so for some totally innocuous purpose like reading The New Yorker online while your friend is finishing up some work. How do you suppose that behavior justifies a federal prosecution? That's the thing the law prohibits, not the actually malicious thing that may or may not follow it.

And all of this is ignoring the original point, which is that even if unauthorized access without any distinct malicious act is to be illegal, the existing penalties remain unjustifiable.

>And even those are hard to claim would be "authorized" access with a straight face, as why would any company authorize access to their networks for the purpose of industrial espionage?

I think you're just proving the point that "unauthorized access to a computer" is a preposterous basis for legislation. If the way you know that access is unauthorized is that breaking some other law implies unauthorized access, what good is the law against unauthorized access? Just attach the penalties you would have attached to unauthorized access to the actually malicious thing the doing of which implies that access was unauthorized and be done with it.

The CFAA charges have a maximum penalty of five years in prison per charge. So with all six charges, the maximum penalty was thirty five years.

All charges carried a maximum $250000 fine. Again, the CFAA charges more than doubled the maximum penalty.

Really though, what is your point in asking? This is laid out in rayiner's link, anyone can read it. Yes, the judge has leeway in deciding the penalty, but that is not really the issue; the issue is that a defendant facing 35 years faces a much harder choice than a defendant facing 15 years. The CFAA violations are an example of a typical prosecutor strategy of pressuring defendants into making a guilty plea, and of trying to reduce the likelihood of an acquittal.

Really though, what is your point in asking?

Because you keep making these assertions about how awful the CFAA but handwaving away critiques of your argument and any charges you don't like. So, you say that conspiracy and trade secrets charges are plenty, but from the point of view of interest of the public, why should we abstain from charging the guy with everything we can pin on him? Because he's a white-collar criminal as opposed to some kid with a bunch of drugs or a gun? Or because the deterrent 'yield' on marginal charges diminishes?

I get that you hate the CFAA, but you always spluttera bout how unfair it is and how much it's used for leverage against defendants. You need to show that prosecutors could not bring as many charges for an equivalent crime of stealing something from a safe or locked filing cabinet, and you need to show why the breach of trust involved in compromising a private computer system doesn't or shouldn't matter. As it is, all your arguments seem to revolve around 'it's just a computer, it's not that bad.'

I had the same problem with the Aaron Swatz case with people saying it was no big deal that he plugged his laptop into the wiring closet. Just because an act is trivially easy to commit doesn't mean that you have a right to do it. My neighbor tends to leave his window open, but I don't think it entitles me to enter his apartment even though I could do so very easily.

What about them? My issue is not with whether or not the guy is a criminal, but with whether or not it makes sense for "involves a computer" to mean "doubles the penalty."

"why should we abstain from charging the guy with everything we can pin on him?"

What if we had a law that criminalized crime itself, so that nobody could ever claim to have broken only one law? How would you feel about prosecutors using such a law to double the number of charges against every defendant?

I do not want to live in a society where anyone who is accused of a crime faces decades in prison, especially not when we already have the largest prison population on the planet. Computers are already ubiquitous, and will be even more ubiquitous in the future. If any crime that involves a computer is really two, three, or more crimes, then as time goes on the penalties for crimes will become increasingly severe regardless of whether or not the harm to society increases.

"you always splutter about how unfair it is and how much it's used for leverage against defendants"

Most defendants never have a jury trial, because they are pressured into taking a plea bargain. That is a problem, especially when defendants already have to wait years before they get a trial. Anything that gives prosecutors more power over defendants exacerbates this situation and clears the way for even more people to be imprisoned.

"You need to show that prosecutors could not bring as many charges for an equivalent crime of stealing something from a safe or locked filing cabinet"

That is not equivalent. The equivalent crime would be having a friend in the office hold a door open so that you can enter and make a copy of some documents. There are two crimes there: conspiracy, and theft of trade secrets.

"you need to show why the breach of trust involved in compromising a private computer system doesn't or shouldn't matter"

It does matter, but what matters is that there was a breach of trust. The fact that a computer is involved is irrelevant.

This is an empty argument. You haven't shown that merely doing things with a computer makes it worse.

"You need to show that prosecutors could not bring as many charges for an equivalent crime of stealing something from a safe or locked filing cabinet" That is not equivalent. The equivalent crime would be having a friend in the office hold a door open so that you can enter and make a copy of some documents. There are two crimes there: conspiracy, and theft of trade secrets.

You're committing criminal trespass in that example, why don't you include that? And why do you equate accessing the system to simply holding a door open, as if there were no login security? I mentioned the example of documents being held in a safe as a proxy for the fact that you need to log into a system before copying documents from it, it's not like you just SSH in and get automatic access to the shell prompt for the asking. The reason that we have a crime of unauthorized access to a computer system is precisely because it's easier to get into a computer without damaging it than it is to get through a window without breaking it.

You're rewriting the facts to make your argument stand up. that's what's wrong with it. You do not get to just walk into someone else' place of business and start using the copier, and then only be charged for the copies you made, for the same reason that if you break into my house at night and take some money you're guilty of burglary as well as theft. Just because the unauthorized access/ criminal trespass/ burglary is a necessary prerequisite to the theft of trade secrets/ cash does not mean it's incorporaated into it.

They were using a valid login; one of the coconspirators had given his credentials to them.

"the example of documents being held in a safe as a proxy for the fact that you need to log into"

No, that is what the door in my example is. The door was held open by a coconspirator.

To put it another way, nothing had to be broken; they accessed the computer in the normal fashion and downloaded the files in the normal fashion. They did not sneak in, they were allowed in by someone with legitimate, authorized access.

I don't know why, but there is this persistent misconception that just because you can do something easily it shouldn't be illegal.

It matters with what intent deeds are performed. If you come into my office at my invitation for a social chat, and while I'm visiting the restroom you notice a trade secret lying on my desk and copy it, you've stolen the trade secret but you were entitled to be there. But if you know I have a trade secret and you go into my office without permission, or trick me into admitting you under false pretenses, then you're guilty of criminal trespass as well.

The defendant knew that Korn/Ferry wouldn't want him copying client lists. Just because he used someone else as his man on the inside does not sanitize the unauthorized access. You're essentially applying the principles of money laundering to information and saying it's cool. This is total bullshit. I think you know better and that you would howl like a lonely coyote if anyone pulled the same trick on you.

Has his cause and actions just sort of belly flopped and gone no where or have we seen something meaningful come from the tragic loss?

Unauthorized access to a computer network was made to help complete the crime, which is itself criminal, just like there is a charge "mail fraud" that makes use of the postal system to further any criminal act illegal.

Conspiracy is always illegal itself as well.