After a ruling by the Ninth Circuit Court of Appeals, a number of blogs and articles appeared with headlines announcing that it is now a federal crime if, for instance, your kid uses your Netflix password. While that kind of headline is good for traffic and buzz, it’s also typically exaggerated and misleading—at least insofar as this recent decision is concerned.
At the heart of the matter is the Computer Fraud and Abuse Act (CFAA), which has been sharply criticized for years by a number of civil liberties advocates who focus on digital-age issues. The CFAA may also be referred to generically as the anti-hacking law, and there is perhaps legitimate concern that the language in the statute is overly broad and may therefore be abused by a capricious prosecutor to indict people who commit minor offenses (or non-offenses) under a law written to address serious cyber crimes.
The appeals court decision that ignited the recent flurry of headlines, United States v Nosal, concerns David Nosal, a former employee of the executive search firm Korn/Ferry. After being dismissed from the firm, Nosal “convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred that information to Nosal.” This is a partial description of facts as stated in the Ninth Circuit’s en banc opinion issued April 2012 in the same case.
There appears to be no dispute in the matter of Nosal’s criminal liability under several other statutes regarding his unauthorized access of Korn/Ferry’s protected data, but the appeal pertaining to CFAA hinges on what critics—and at least some judges—feel is ambiguity over the meaning of “authority” to access a computer. Because one of Nosal’s former colleagues still had credentials to log into the firm’s computers and because she voluntarily shared those credentials, can Nosal then be charged with violation of CFAA? Does authority come from the credential holder or the computer owner? Right there is where civil libertarians and dissenting judges say the ambiguity in the language could jeopardize you and me and every other citizen who voluntarily shares a password with a friend or family member for innocuous access to our personal accounts. From the EFF …
“Nosal’s colleagues had the authority of an authorized user, the current employee who lent her credentials. Thus, if “authority” can come from the account holder—as with a wife who lends her bank credentials to her husband to pay a bill, a college student who uses a parent’s Hulu or Amazon password, or someone who checks Facebook for a sick friend—then Nosal and his colleagues did not violate the CFAA.”
I wouldn’t call the distinction irrelevant, but neither would I call this case a particularly good reason for everyone to overreact, which has no doubt already happened on social media threads everywhere. The employee with “authorized” access to Korn/Ferry’s database may well have given her permission to Nosal and others to use her login credentials, but that in itself was a criminal violation and a permission she had no “authority” to grant under any circumstances. The majority opinion from the court is extensive on this point and argues that its interpretation of “authority” is both clear and consistent with sister circuit court decisions in precedent cases.
Meanwhile, even a very narrow interpretation of “authority” in Nosal’s case is a far cry from comparing these circumstances to the fact that I have a Netflix account which enables up to four devices simultaneous access to the service and that one of these may be used by my college-student son. That’s what Netflix expects a family to do with an account that allows multi-device access. Moreover, unlike Nosal’s “inside woman” at Korn/Ferry, I do have authority to give permission to a friend or spouse to log into my Facebook account. Neither Facebook nor the federal government can mandate that the account holder has to be the individual who types in the credentials—to say nothing of ever proving such evidence—so it seems like gratuitous hyperbole for EFF and other critics to compare these everyday examples to Nosal. Still, the three-judge panel had one dissenting opinion, which the EFF describes as follows:
“While the majority opinion said that the facts of this case “bear little resemblance” to the kind of password sharing that people often do, Judge Reinhardt’s dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husband’s user credentials to access his bank account to pay bills, Judge Reinhardt noted: “So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.” As a result, although the majority says otherwise, the court turned anyone who has ever used someone else’s password without the approval of the computer owner into a potential felon.”
Indeed, we may now be a nation of felons, and if this is so, then Congress better get on that. But the fact that we are all guilty is the first reason we might want to calm down a bit before reacting to those scary headlines and getting in a big sweat about it. Also, while I lack the credentials to argue with an appeals court judge, I’m going to a little because the wife in Judge Reinhardt’s example does have her husband’s permission to access the bank account, and the husband has the authority to grant her that permission. Judge Reinhardt knows this, though, and his point is that the statute ought to reflect the distinction between this common, family banking example and the Nosal case in which the individual with the credentials did not have “authority” to grant access. Reinhardt writes the following in his dissenting opinion:
“The majority [opinion] does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”
Perhaps Congress will need to review CFAA, but it seems simple enough to observe that “authority” to grant access will be predicated on the relationship between the login credential holder and the data being accessed. Korn/Ferry owns 100% of the data on its computer servers, its employees may only access that data under the conditions and permissions of the firm, and this access may be revoked at the sole discretion of the firm without question. In short, nothing in the database belongs to any of the employee/users, who therefore have no authority ever to share access with anyone. In such a scenario, only the computer owner can have the “authority” to grant access.
This is very different from the relationship between a bank and a customer vis-a-vis one’s own account information pertaining to one’s own money. The bank owns the servers and the systems just like the bank owns the vault, but the customer owns the account information and assets in the account and has full discretion to use the information or assets as he sees fit, while the bank has very restricted authority to access or exploit either the data or the assets under management. Reinhardt’s comparison might be more compelling if the wife in the scenario were cheating on her husband and so gave the login credentials to a dashing third party to drain the bank account so they could run off to the Caribbean together. In this soap opera, could said dashing third party (DTP) be indicted under CFAA in addition to other criminal charges? Arguably, the wife had more authority to grant access to the DTP than the Korn/Ferry employee had to grant access to Nosal, so I imagine CFAA would be an over-reach in this situation.
In the case of a Facebook account, the “ownership” question remains a bit vague. Many social media companies lay claim in their Terms of Service to “ownership” of every word and image we share on their platforms, but does that make these companies the “owners” of the data in the same way that Korn/Ferry owns its data? I would argue it does not, especially since none of our shared social media data can be called “private” or Facebook’s “trade secrets.” As with the banking example, a social media account involves a shared “authority” to access based on the relationship between the data and the account holder; and this would seem to void any assumed violation of CFAA. Regardless, it will likely be years before these questions are officially resolved, but I wouldn’t lose years of sleep in the meantime worrying about felony charges for common password sharing.