This guest post was contributed by a blog alumna, and a newly graduated Southwestern juris doctor, who notes that she would have weighed in on this topic sooner, except she was studying and sitting for the most recent California Bar exam.
The Internet went into a tizzy early last month when United States v. Nosal came down from the U.S. Ninth Circuit Court of Appeals. Blog after blog (after blog) proclaimed that this opinion made it illegal to use another person’s Netflix account. Earlier this year, this blog posted on this topic, so how did the situation change?
Bottom line: the court found that defendant David Nosal violated the Computer Fraud and Abuse Act (CFAA) when he used a former co-worker’s password to access trade-secret information belonging to Korn Ferry, an executive recruiting and human relations company that also was his former employer. He then took this information and used it to set up his own firm in direct competition with Korn Ferry. This would lend credence to the idea that mere password-sharing is illegal.
But it is important to remember that the court made a distinction, differentiating according to the situation. “The circumstance here – former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer – bears little resemblance to asking a spouse to log into an email account to print a boarding pass,” the appellate judges said.
An appellate cop-out
The final rule seems to be that password-sharing on the facts presented in the case was illegal. But the appellate court did not want the government to prosecute everyone who uses someone else’s password. The distinction is vague, and, to be honest, a bit of a cop-out.
Here’s why: The bulk of the opinion that deals with the CFAA focuses on the statute’s two key phrases: “exceeds authorization” and “without authorization.”
The statute reads “whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value shall be punished.” 18 USC 1030(a)(4).
What does it mean when one exceeds authorized access? The court settled on the meaning that it is the employer who determines the extent of the privilege to use that information. And when the employer revokes that privilege, the user who still accesses the information is in violation. Snopes wrote an article saying that the court limited the scope to authorization in an employee-employer context. The judges never make this limitation explicit; it seems to be implicit, because the judges attempt, badly, to draw a line between Nosal’s conduct and that of the average person.
A dissent over information control
The dissent, written by U.S. District Judge Stephen Reinhardt, calls out this idea. He claims that the majority’s interpretation allows the entity that controls this information, in this case the employer but potentially the system owner, to set the boundaries for access. And because the CFAA is a criminal statute, he argues that this allows a powerful private company, which is not accountable to the public, to make certain actions illegal.
That’s a powerful, and scary, argument, he argued. I tend to agree with him. It appears, from a plain reading of the statute, and from interpretations of this statute, that the CFAA makes systems access illegal when a user violates the Terms of Service, particularly when they set the boundaries of who may access the information.
These interpretations seem to contradict the hard-to-understand notion the majority puts forth: that their reading does not jeopardize the banal aspects of password sharing. My only explanation is that the appellate court sees the bad-faith behavior of Nosal as inherently different from other types of password sharing. It’s a quasi-scienter requirement, which is not in the original statute. Because there is no real articulation of this requirement, by the court or the statute, there is far too much room for discretion by federal prosecutors, which the dissent also points out.
Get rid of a dated statute
Nosal could have been the nail in the coffin of the CFAA, a statute written 30 years ago in response to the imagined menace of computer hackers in the classic film WarGames. The statute allows private companies to criminalize acts that are commonplace; gives private companies far too much power; and lets federal prosecutors issue indictments that may be arbitrary.
The dissent leaves open an interesting, alternative pathway, arguing that “authorization” should be read to allow permission from either the system owner or the password user. Under this interpretation, when an individual, perhaps a Netflix user, gives her password to another, that person has not “exceeded authorization,” as it was granted by the account holder. This would make the CFAA compatible with modern behaviors but still protect the public from hackers, as was the statute’s original intent. If hackers get your password, without permission, then they have exceeded access. This is a good approach, consistent with a plain reading of the statute, and fair to all parties involved. It’s a shame the majority did not agree.