Last week, the Ninth Circuit Court of Appeals, in a case called United States v. Nosal, held 2-1 that using someone else’s password, even with their knowledge and permission, is a federal criminal offense. This dangerous ruling threatens to upend a good decision that the Ninth Circuit sitting en banc—i.e., with 11 judges, not just 3—made in 2012 in the same case. EFF filed an amicus brief in the case and our arguments were echoed by the strong dissent, authored by Judge Stephen Reinhardt. We’re pleased that a further appeal is planned and will be supporting it as well.
This decision turns on the notorious Computer Fraud and Abuse Act (CFAA) and supports one of the most troubling applications of the law—prosecutions based on password sharing. As EFF has long warned, read broadly, the CFAA can be used to turn millions of ordinary computer users into criminals. This leaves innocent people to only hope that a prosecutor will not decide to throw a book at them, as they’ve been know to do in CFAA cases. Carmen Ortiz, a federal prosecutor, did exactly that to our friend Aaron Swartz. This threat underscores both the need for courts to course correct—to narrowly interpret the statute’s overbroad language—or, alternatively, for Congress to step in and clarify the vague terms. For instance, what does “authority” mean in the context of our increasingly interconnected world, where we use someone else’s computer every single day for our email, our entertainment, our social networks, our banking, our health care, and more?
This appeal involves whether David Nosal, a former employee of executive recruiting firm Korn/Ferry, violated the CFAA when other Korn/Ferry ex-employees, on Nosal’s behalf, used the password of a current employee, with her permission, to access an internal company database. This occurred after the company had expressly revoked Nosal’s own login credentials to prevent him from accessing the database.
Like most companies, Korn/Ferry’s corporate policy prohibited its employees from sharing passwords. This same restriction is also found in the EULAs and Terms of Service of many online services—everything from banks to social network. And things were looking good on this in the Ninth Circuit. As noted above, in the earlier version of this same case the Ninth Circuit, sitting en banc, ruled that violations of use restrictions by current employees themselves cannot give rise to CFAA liability. Regardless, a jury then convicted Nosal under three CFAA counts involving password sharing, along with trade secret theft under the Economic Espionage Act, because the access was done not by a current employee directly but by someone else using her username and password.
The CFAA makes it illegal to engage in “unauthorized access” to a computer connected to the Internet. In this appeal, the central question turned on what the undefined term “authorized access” means for purposes of the statute. More directly, since the people who did the access were not the original users (as in Nosal I), it turned on whether a user of a computer with legitimate login credentials can grant “authority” to a third party to access the computer, or if authority must be granted by the owner of the computer.
Nosal’s colleagues had the authority of an authorized user, the current employee who lent her credentials. Thus, if “authority” can come from the account holder—as with a wife who lends her bank credentials to her husband to pay a bill, a college student who uses a parent’s Hulu or Amazon password, or someone who checks Facebook for a sick friend—then Nosal and his colleagues did not violate the CFAA. And removing CFAA liability would not let Nosal off scot-free: the jury also found Nosal guilty of violating federal trade secret laws.
But the Ninth Circuit ruled that only the computer owner can “authorize” someone to access a computer, not a user or account holder. It said that “authorize” means “permission” and that Nosal didn’t have permission from Korn/Ferry. Worse, the court held that this interpretation of “authorize”—as meaning permission from only the computer owner and not an authorized computer user—was completely clear from the text of the statute. As a result, it said that the important rule requiring vague criminal statutes to be interpreted narrowly, called the Rule of Lenity, didn’t apply.
Despite the court’s assertions, the fact that “authority” means “permission” doesn’t really clear things up. Nosal’s colleagues had permission—just from the authorized user, not the owner. Judge Reinhardt, writing in dissent in Nosal II, recognized this lack of clarity:
The majority’s (somewhat circular) dictionary definition of “authorization” – “permission conferred by an authority” – hardly clarifies the meaning of the text. While the majority reads the statute to criminalize access by those without “permission conferred by” the system owner, it is also proper (and in fact preferable) to read the text to criminalize access only by those without “permission conferred by” either a legitimate account holder or the system owner.”
While the majority opinion said that the facts of this case “bear little resemblance” to the kind of password sharing that people often do, Judge Reinhardt’s dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husband’s user credentials to access his bank account to pay bills, Judge Reinhardt noted: “So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.” As a result, although the majority says otherwise, the court turned anyone who has ever used someone else’s password without the approval of the computer owner into a potential felon.
As Judge Reinhardt recognized, the CFAA’s “without authorization” language is decidedly not clear-cut, and not just with regard to password sharing. We’ve been pushing hard for CFAA reform for years precisely because the law’s language is so vague, and its provisions so harsh, that it scares security researchers out of publishing important findings. It also gives prosecutors broad discretion to bring criminal charges for behavior that in no way qualifies as “hacking.” Judge Reinhardt correctly points out that the majority “loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
Judge Reinhardt was also right to recognize the serious implications of the majority’s holding. With the onset of the Internet of Things, everything from refrigerators and toasters to toilets and toothbrushes will be—if they aren’t already—connected to the Internet. The CFAA’s scope is tied to “protected computers,” which is broadly defined to include anything that goes online, so the law will therefore soon apply to almost every household appliance and every use of the cloud. As a result, what started with the criminalization of password sharing in the context of a work computer will have even farther-reaching consequences. And such far-reaching consequences are precisely why we’ll be filing another amicus brief in support of the Ninth Circuit rehearing this case.