Appeals Court Says That Sharing Passwords Can Violate Criminal Anti-Hacking Laws

by Mike Masnick, from Techdirt (#1KKCR)
Remember David Nosal? He was the former Korn/Ferry executive looking to set up his own competing firm, but one that mainly relied on Korn/Ferry's big database of people. As part of that process, after he left the company to head out on his own, he had some former colleagues who were planning to join him log into their Korn/Ferry accounts to access information. Then after those employees left, they got another former colleague to share her password so they could continue to log in. He was charged with violating the criminal portion of the CFAA, under the theory that convincing his former colleagues to gather info for him was a terms of service violation -- and that meant he had "exceeded authorized access" under the statute. This became a key case in determining whether merely violating a terms of service could be considered criminal hacking under the CFAA. Thankfully, back in 2012, the 9th Circuit rejected such a broad ruling of the CFAA, pointing out that such an interpretation would "unintentionally turn ordinary citizens into criminals" and that couldn't be the intent from Congress. This was a huge win that helped limit some of the worst abuses of the CFAA.

However, the US government was not yet done with Nosal. It then filed new CFAA charges against him, not over the original information sharing, but rather for getting that last colleague to share her password with Nosal. The feds argued that this fell under the other prong of the CFAA, that it was a version of accessing a computer system "without authorization" (as opposed to exceeding authorization). Unfortunately, the 9th Circuit appeals court has ruled that merely sharing a password can be a CFAA violation.

The underlying question was how can this be unauthorized access since an employee of Korn/Ferry chose to hand over her login info, and thus a fairly strong argument can be made that the access was now authorized -- i.e., it was authorized by an employee of Korn/Ferry. You could argue that that employee (who is referred to in the ruling as "FH") violated the terms of her work agreement, for which perhaps she should have been fired. But it's ridiculous to argue that merely receiving someone's password is a criminal act. And yet, that's what the court decided.

It tries to wave away the concerns about the everyday occurrence of password sharing by basically saying "but that's different." It also argues that if an employee handing over a password removes the CFAA, then the CFAA is never applicable to any situations where there's "an insider" helping to get scammers into a computer system:

FH had no authority from Korn/Ferry to provide her password to former employees whose computer access had been revoked. Also, in collapsing the distinction between FH's authorization and that of Christian and Jacobson, the dissent would render meaningless the concept of authorization. And, pertinent here, it would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress's intent.

The court's majority ruling insists that this won't harm everyday password sharing... mainly because Nosal and his other colleagues had lost access to the database directly. The reasoning seems to be "well, they once had access, and now they don't, so now they know what they did was wrong."

Implicit in the definition of authorization is the notion that someone, including an entity, can grant or revoke that permission. Here, that entity was Korn/Ferry and FH had no mantle or authority to give permission to former employees whose access had been categorically revoked by the company. There is no question that Korn/Ferry owned and controlled access to its computers, including the Searcher database, and that it retained exclusive discretion to issue or revoke access to the database. After Nosal's login credentials were revoked on December 8, 2004, he became an "outsider" and was no longer authorized to access Korn/Ferry computers, including Searcher. Christian and Jacobson's credentials were also revoked after they left, at which point none of the three former employees were "insiders" accessing company information. Rather, they were "outsiders" with no authorization to access Korn/Ferry's computer system.

The court later repeats that it's the combination of this password sharing with the fact that Nosal's own earlier access had been revoked that makes this a clear "without authorization" situation:

the circumstance here -- former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer -- bears little resemblance to asking a spouse to log in to an email account to print a boarding pass. The charges at issue in this appeal do not stem from the ambiguous language of Nosal I -- "exceeds authorized access" -- but instead relate to a common, unambiguous term. The reality is that facts and context matter in applying the term "without authorization."

That feels a bit like handwaving. It's the court basically saying, "Well, we'd never go after just everyday password sharing, but this is serious!"

There's a separate issue of why Nosal is the one facing criminal charges. After all, he's not the one who shared the password! He was just the recipient. The government argues that Nosal "knowingly and intentionally aided" this "crime" of sharing the password. But the court is not too concerned about that, saying that he was in charge and demanded that his other employees "get what I need" in the form of access to Korn/Ferry's database.

To me, the dissent's argument makes much more sense. This ruling expands the range of fairly common behavior, such as password sharing, for which law enforcement can throw the CFAA book at people:

This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act ("CFAA") does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.

The dissent similarly argues that once an employee handed over the username and password, access was "authorized." It also makes a key point I've tried to raise in the past: if the CFAA is supposed to be about stopping "hacking," why is it always used for situations like this where there was no real "hacking"?

This narrower reading is more consistent with the purpose of the CFAA. The CFAA is essentially an anti-hacking statute, and Congress intended it as such. Nosal I, 676 F.3d at 858. Under the preferable construction, the statute would cover only those whom we would colloquially think of as hackers: individuals who steal or guess passwords or otherwise force their way into computers without the consent of an authorized user, not persons who are given the right of access by those who themselves possess that right. There is no doubt that a typical hacker accesses an account "without authorization": the hacker gains access without permission -- either from the system owner or a legitimate account holder. As the 1984 House Report on the CFAA explained, "it is noteworthy that Section 1030 deals with an unauthorized access concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of 'breaking and entering.'" ... We would not convict a man for breaking and entering if he had been invited in by a houseguest, even if the homeowner objected. Neither should we convict a man under the CFAA for accessing a computer account with a shared password with the consent of the password holder.

The dissent further notes that this ruling appears to conflict with the ruling in the first Nosal case:

Worse, however, the majority's construction would base criminal liability on system owners' access policies. That is exactly what we rejected in Nosal I. ... Precisely because it is unacceptable in our legal system to impose criminal liability on actions that are not proscribed "plainly and unmistakably," ... it is also unacceptable to base "criminal liability on violations of private computer use policies."

It also calls out the hand waving by the majority:

It is impossible to discern from the majority opinion what principle distinguishes authorization in Nosal's case from one in which a bank has clearly told customers that no one but the customer may access the customer's account, but a husband nevertheless shares his password with his wife to allow her to pay a bill. So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates. It is not "advisory" to ask why the majority's opinion does not criminalize this under 1030(a)(2)(C); yet, the majority suggests no answer to why it does not.
The dissent is littered with examples of perfectly reasonable password sharing that may now be criminal acts. Orin Kerr, who has been involved in a number of high profile CFAA cases and has been quite vocal on the law, doesn't like the majority's reasoning, though he agrees with the result. I'm not convinced. It still seems to me the issue should be between the company and the employee who handed over the access, not Nosal for receiving that access from an employee and then using it.

That said, Kerr notes that much more attention should be focused on another case on a related topic -- Facebook's crazy lawsuit against Power.com, an online social network aggregator that used people's logins to collect and aggregate social media posts from a variety of platforms (including, obviously, Facebook). Kerr notes that the court can use this ruling to justify ruling either way in the Power case.
First, imagine the panel is inclined to rule for Facebook. It could incorporate Nosal II by saying that Facebook is like Korn/Ferry, Power is like Christian and Jacobson, and Facebook's users are like FH. By that reasoning, Facebook revoked access rights by telling them to go away and by imposing an IP address block on Power. Power could not "sidestep the statute" by relying on permission of Facebook's users who wanted them to access Facebook on their behalf.

On the other hand, if the panel is inclined to rule for Power, it could easily distinguish Nosal II. It could first say that telling Power to go away and blocking IP addresses is insufficient to revoke access rights because it does not actually cancel any authenticated accounts. If Facebook wants to revoke access, it has to revoke the accounts that have authenticated access -- which it hasn't done -- just like Korn/Ferry revoked the accounts of its employees when they left. At that point, Nosal II then offers no guidance because it is expressly limited to revocation. Accessing an account as the legitimate user's agent is then authorized, just as it would be in a physical trespass case.

Either way, after this ruling, there's at least a lot more legal uncertainty and liability in sharing passwords. And that's unfortunate.
