Man Convicted of Hacking Despite Not Hacking | Threat Level | Wired.com

Culminating a two-week trial in which no hacking in the traditional sense occurred, a California man was convicted Wednesday under the same hacking statute internet sensation Aaron Swartz was accused of before he committed suicide in January.

Defendant David Nosal was convicted by a San Francisco federal jury on all six charges ranging from theft of trade secrets to hacking, despite him never breaking into a computer. Nosal remains free pending sentencing later this year, when he faces a potential lengthy prison term.

Nosal, a middle-aged man wearing a dark suit, sat stone faced as a clerk read “guilty” on all counts. Jurors deliberated for little more than two days.

After U.S. District Judge Edward Chen dismissed the 12-member jury, Nosal’s defense team demanded a hearing to urge the judge to set aside the verdict. A hearing was set for later this year.

“We think, legally, these counts can’t stand,” Steven Gruel, a Nosal lawyer, said outside the courtroom. Prosecutors declined comment.

Nosal’s prosecution was a novel application of the Computer Fraud and Abuse Act, the same statue Swartz was accused of violating when he allegedly breached security controls of an MIT database and downloaded millions of JSTOR academic articles. After Swartz’s death, the case set off calls across the nation to reform the 1984 hacking law and perhaps even reduce the 5-year terms each violation carries.

But unlike Swartz, Nosal never was accused of traditional hacking. Among other things, what the jury concluded was that he coaxed, sometimes through monetary payments, his former colleagues at Los Angeles-based executive search firm Korn/Ferry International to access the firm’s proprietary database and provide him with trade secrets to help him build a competing firm. Those associates cooperated with the government and were not charged.

The Computer Fraud and Abuse Act was passed in 1984 to enhance the government’s ability to prosecute hackers who accessed computers to steal information or to disrupt or destroy computer functionality.

The act makes it a federal offense if one “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.” Prison penalties are up to 5 years per violation.

Nosal’s case has had a lengthy history, with two trips to the San Francisco-based 9th U.S. Circuit Court of Appeals. A third trip is likely and perhaps the Supreme Court might weigh in to set boundaries around how far the government may go in prosecuting so-called hacking.

The 9th U.S. Circuit Court of Appeals, ruling in Nosal’s case for a second time last year, decided that employees may not be prosecuted under the anti-hacking statute for simply violating their employer’s computer use policy. The appeals court had tossed several charges against Nosal stemming from when he was a still a Korn/Ferry employee, in which he was accused of using his work credentials in 2005 to access his employer’s database to help build a competing business for himself.

To be sure, the government indeed levies charges under the anti-hacking statute targeting traditional hackers. Two California men, for example, were sentenced between two and four years Monday in an extortion scheme stemming from the hacking of e-mail accounts of professional poker players.

But clearly, you don’t have to be a hacker to be charged as one.

An online social media editor for the Reuters news agency, for example, was indicted last month for allegedly helping members of Anonymous hack another media organization’s network.

Matthew Keys, the now-fired 26-year-old deputy social media editor for Reuters in New York, allegedly provided log-in credentials for a server owned by the Tribune Company, his former employer. He encouraged members of Anonymous to use the credentials to “go fuck some shit up,” according to prosecutors.