Norma Rae, Union Activity and Computer Hacking – Skywest Sues Pilots for Using its Directory of Employees to Unionize
好的,我现在需要帮用户总结一篇文章的内容,控制在100字以内,而且不需要特定的开头。首先,我得仔细阅读这篇文章,理解它的主要观点。 文章一开始用电影《诺玛·蕾》中的场景引入,讨论工会组织的问题。接着转向现代计算机法律,特别是CFAA(计算机欺诈和滥用法案)。文章提到SkyWest航空公司起诉员工使用公司电脑组织工会的情况,指出这可能被解释为“未经授权访问”,但最高法院在Van Buren案中已经明确CFAA不是用来惩罚误用信息的,而是针对非法入侵。 作者担心如果雇主利用CFAA来压制工会活动,可能会扩大该法案的适用范围,影响到记者、吹哨人等群体。最后强调了Van Buren案的重要性,并指出SkyWest案可能成为测试CFAA边界的案例。 现在我要把这些要点浓缩到100字以内。重点包括:CFAA被滥用的可能性、SkyWest案的情况、最高法院的裁决、以及对集体活动的影响。 确保语言简洁明了,不使用复杂的术语。同时要保持逻辑连贯,让读者一目了然。 </think> 文章探讨了《计算机欺诈与滥用法案》(CFAA)被滥用的可能性。雇主试图通过指控员工“超出授权访问”来压制工会组织等集体活动。最高法院在Van Buren案中明确CFAA针对的是非法入侵而非信息误用。SkyWest航空公司起诉员工使用内部系统组织工会的案件引发了对CFAA滥用的担忧,可能影响劳动权益和言论自由。 2026-4-1 08:9:11 Author: securityboulevard.com(查看原文) 阅读量:4 收藏

Avatar photo

In the iconic scene from Norma Rae, Sally Field’s character climbs onto a factory worktable, raises a sign reading “UNION,” and silently compels the entire factory to confront what is happening. It is an act of defiance—but not trespass. She is where she is allowed to be. She is using what she has access to. The employer objects not to her presence, but to her purpose.

Now ask the question modern computer law increasingly forces us to confront: If Norma Rae had done the same thing using a company computer—communicating with coworkers, organizing, sharing information—would that be “hacking”?

That is not rhetorical anymore.

The complaint in SkyWest Airlines, Inc. v. Moussaron et al., No. 4:26-cv-00015 (D. Utah Jan. 30, 2026), reflects a growing trend: Using the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, as a weapon not against intrusion, but against disfavored use of information.

According to the complaint, two pilots accessed SkyWest’s internal portal using their own credentials and obtained contact information for fellow pilots. They allegedly used that information to facilitate union organizing. There is no claim of password cracking, privilege escalation, or bypassing technical barriers. The claim is simpler—and more troubling: that they “exceeded authorized access” because their use of the information violated company policy and nondisclosure agreements.

That is precisely the theory the Supreme Court rejected in Van Buren v. United States, 593 U.S. 374 (2021). The Court held that the CFAA is not a “misuse” statute. It does not criminalize accessing information for the wrong reason. It criminalizes accessing information one is not entitled to obtain. The distinction is not semantic—it is structural. The statute is grounded in a trespass model: whether the “gates” are open or closed, not whether the user’s intentions are pure.

The government in Van Buren argued that violating use restrictions—policies, agreements, expectations—should be enough. The Court rejected that approach, warning that it would transform the CFAA into a sweeping mechanism for criminalizing ordinary behavior, from violating workplace policies to breaching website terms of service. Id. at 386–87.

The SkyWest complaint attempts to revive that discredited theory in civil form. But because the CFAA is both a civil and criminal statute, see 18 U.S.C. § 1030(g), these civil theories do not remain confined to private disputes. They become test cases—prototypes—for future criminal prosecutions.

And this is not the first time employers have attempted to use the CFAA to police union-related or concerted activity.

In Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004),  although not a union case per se, the court entertained a theory that repeated access to publicly available data in violation of stated use restrictions could trigger liability. That theory later became a template for attempts to use the CFAA to enforce behavioral restrictions rather than technological ones.

More directly, in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the government advanced a theory that employees who accessed company databases for competitive or disloyal purposes exceeded authorized access. The Ninth Circuit rejected that interpretation, emphasizing that the CFAA is not intended to enforce employer use restrictions or loyalty obligations.

Similarly, in LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009), the court held that an employee with valid credentials does not violate the CFAA by accessing information for an improper purpose, even if that purpose is adverse to the employer.

And in EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001), the court allowed CFAA claims where former employees used insider knowledge to scrape data, a decision that has often been cited by employers seeking to stretch the statute into the realm of competitive or disloyal conduct—including, by analogy, organizing activity.

While there are relatively few reported decisions squarely addressing union organizing framed as CFAA violations, the doctrinal pattern is clear: employers repeatedly attempt to recast workplace disputes—including disloyalty, competition, and now organizing—as “unauthorized access,” and courts, particularly after Nosal and Van Buren, have increasingly rejected those efforts.

The SkyWest case pushes that boundary further by placing protected labor activity at the center of the dispute. Under the Railway Labor Act, 45 U.S.C. § 151 et seq., employees have the right to organize and communicate with one another regarding unionization. If accessing coworker contact information through authorized systems becomes a CFAA violation because of how that information is used, then the statute is being deployed not to protect computers, but to suppress collective activity.

That is where the Norma Rae analogy becomes more than rhetorical.

She stood on a table that she was allowed to be near. She spoke to people she was allowed to speak to. The employer objected to the message. Translating that into the digital world, the SkyWest theory suggests that using a company system for organizing—despite having access to that system—can be recast as a form of trespass.

But trespass does not work that way. And after Van Buren, neither does the CFAA.

The deeper problem is structural. Because the CFAA includes a civil cause of action, private litigants can advance expansive interpretations of a criminal statute without the constraints that typically accompany criminal enforcement—constitutional scrutiny, prosecutorial discretion, and internal DOJ limitations. If those interpretations gain traction, they become available to prosecutors in future cases.

In effect, civil litigation becomes a laboratory for expanding criminal law.

That has profound implications. If “exceeding authorized access” can be defined by reference to internal policies, nondisclosure agreements, or employer expectations, then the scope of criminal liability is no longer defined by Congress or the courts. It is defined by private actors. Employers, website operators, and data owners become the architects of criminal exposure.

And the consequences extend far beyond labor disputes. Journalists, whistleblowers, and security researchers all operate in spaces where access is authorized but use is contested. If misuse becomes the touchstone of liability, then any act of disclosure, investigation, or reporting can be reframed as a federal offense.

That is exactly what the Supreme Court rejected in Van Buren. The Court drew a bright line to prevent the CFAA from becoming a general-purpose “misuse” statute. The SkyWest complaint tests whether that line will hold.

Because if it does not, the next Norma Rae will not just be told to get off the table. She may be told she hacked it.

Recent Articles By Author

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 249 posts and counting.See all posts by mark


文章来源: https://securityboulevard.com/2026/04/norma-rae-union-activity-and-computer-hacking-skywest-sues-pilots-for-using-its-directory-of-employees-to-unionize/
如有侵权请联系:admin#unsafe.sh