After more than a year of bouncing between appeals courts, the hacking case involving David Nosal has ended with a conviction. Wired reports that Nosal was yesterday found guilty of conspiracy, stealing trade secrets, and violating the Computer Fraud and Abuse Act (CFAA) in the US — despite the fact he hadn't personally accessed anyone else's computer. While Nosal will seek to appeal the decision ahead of sentencing later this year, it's a high-profile win for the US Attorney's Office.
The case began when FBI agents raided Nosal's home in 2005. Attempting to start a business to compete with the company he'd previously worked for, Nosal was able to convince former coworkers to use their credentials to access company computers and copy client information. Although the coworkers were the ones that physically accessed the database, the federal government charged Nosal with violating the CFAA, which was put in place to prosecute people who access computers "without authorization." In April 2012, Nosal's legal team took the case to the US Ninth Circuit Court of Appeals, where they were able to strike off some of the hacking charges levied against him.
Nosal didn't illegally access the computers, he paid other people to do it for him
In August, the US Department of Justice decided it would not ask the Supreme Court to take Nosal's case due to fears that prosecuting the former executive under the CFAA would turn into a catch-all for prosecuting people who used work computers inappropriately. Although Nosal's lawyer is confident the ruling will be overturned, yesterday's verdict still raises questions over how an anti-hacking law was applied to a case where the defendant didn't physically access the computers he was accused of hacking. The same statute was also used to pursue Aaron Swartz over accusations that he breached the security controls of an MIT database to download millions of JSTOR's academic articles. Since Swartz's death, there have been increased calls for the law to be reformed and sentences lowered.