Imagine being convicted for logging into your spouse’s bank account to pay a bill, a roommate’s broadband account after service has gone down, or a sick friend’s Facebook page. In these cases, if you happen to receive an individualized message or popup banner stating that only legitimate account holders are permitted to access the relevant computer systems, the Ninth Circuit has just refused to draw a clear line to remove you from risk. We’re worried about these decisions; password sharing is so common that popular password managers have sharing functions. But we hope that future courts will take to heart the Ninth Circuit’s attempt to limit these cases to their “stark” facts.
Background
Earlier this year, the Ninth Circuit Court of Appeals issued two decisions—in two different cases, by two different 3-judge panels—with reasoning that threatened to turn password sharing into a violation of the federal Computer Fraud and Abuse Act (CFAA). EFF called for both decisions, one called U.S. v. Nosal and the other called Facebook v. Power, to be re-heard en banc, by 11 judges, not just 3. We asked the court to clarify the rights of individuals to share their legitimate credentials with the people and services they choose. Instead, both panels simply amended their opinions. But they did so without fixing their troubling interpretations of the law. While each seems to have recognized the danger of their decisions—clarifying that they really, really did not mean to criminalize password sharing outright—both panels failed to actually modify the problematic reasoning underlying their opinions. The CFAA mess created by these two cases remains, and users remain at the mercy of both overzealous prosecutors and powerful civil litigants.
CFAA Background and Credential Sharing
The CFAA is a 1986 law intended to target malicious actors who break into computer systems to access or alter information, inspired in part by fears generated by the 1983 techno-thriller WarGames. The law’s language has long been criticized for not merely criminalizing malicious break-ins, but instead vaguely reaching any “unauthorized access” to a computer connected to the Internet. The statute doesn’t actually define what “authorization” or “without authorization” means, and in a networked world where we all regularly use computers owned by others, this can cause great problems.
Both of the recent Ninth Circuit password sharing decisions turn on what it means to have “authorized access” to a computer system—specifically, whether authorization to access a computer must come from the person or entity that owns the computer or whether authorization can come from an authorized account holder or computer user. As we’ve noted before, these questions are critical for anyone who shares online account passwords with a friend, loved one, or a third party service that assists them in some way, because they impact the analysis of whether a serious federal criminal law was violated.
Unfortunately, the two Ninth Circuit panels originally came to different conclusions about when this kind of consensual sharing can violate the law, and neither clarified—as they could have—that the law doesn’t reach users who share their right to access a computer system with others. So while both panels added some general language aimed at keeping these decisions from being misused, the amended decisions don’t rectify the underlying problems in either case.
Criminal Case: U.S. v. Nosal
The first case, United States v. Nosal—a criminal case—addresses whether David Nosal, a former employee of executive recruiting firm Korn/Ferry, violated the CFAA when other Korn/Ferry ex-employees, on Nosal’s behalf, used the password of a current employee, with her permission, to access an internal company database. This occurred after the company had expressly revoked Nosal’s own login credentials. The Ninth Circuit’s original decision was so broad that it seemed to make it a federal crime to use someone else’s password, even with their knowledge and permission. The panel majority held that the CFAA is clear that “authorization” can only come from a computer owner (such as an employer or website owner), not a computer user or account holder. According to the panel, Nosal was guilty of violating the CFAA because the authorization he had from the current employee—who had the authority to access the system—simply didn’t count.
The amended opinion doesn’t change this. It instead adds a few sentences stressing that its decision was limited to the particular facts of the case—where Nosal had “particularized notice” that Korn/Ferry had “affirmatively revoked” his login credentials—and that “a less stark revocation . . . followed by more sympathetic access through an authorized third party” could lead to a different result. The new opinion also emphasizes that the particular CFAA section at issue in the case—18 U.S.C. § 1030(a)(4)—criminalizes unauthorized access only if such access is “knowingly and with intent to defraud.” According to the court, the “knowingly and with intent to defraud” requirement “means that the statute will not sweep in innocent conduct, such as family password sharing.”
We appreciate the attempt by the panel to fix the problems it created, but its new reasoning doesn’t hold up. First, it’s not clear what “more sympathetic access” means, and the court gives no explanation. By definition, any access that results in a CFAA claim is making someone unhappy. Second, it’s also not clear what “particularized notice” means, which leads to our concerns about individual messages or banners (which could be triggered by access from a new Internet Protocol address, MAC Address, or otherwise) being viewed as sufficient to revoke access from otherwise legitimate credentials. Third, while the “intent to defraud” language exists in certain sections of the CFAA, other potentially applicable sections criminalize unauthorized access without any intent to defraud—i.e., simply intentionally accessing a computer “without authorization.” See 18 U.S.C. § 1030(a)(2). Finally, even if the “defrauding” requirement applies, someone using another person’s password could be easily found to be acting with “intent to defraud” since the person gaining access is not the password holder. Without limits, this language can be read to simply replicate the “without authorization” language and therefore provides no protection against sweeping in innocuous conduct. Overall, the Ninth Circuit’s amendments don’t seem to differentiate ordinary password sharing—e.g., logging into someone’s account when they are ill, to help them get a boarding pass or for any other mundane purpose—in a way that anyone can safely rely upon. Once you’ve received some form of “individualized” notice that the computer owner doesn’t approve, you are at risk.
Civil Case: Facebook v. Power
The second case, Facebook v. Power Ventures—a civil case—involved Facebook users who sought out the services of Power Ventures, a social media aggregator that offered the users a way to view all their social media information in one place. This service, had it not been stifled in the cradle, could have been a great boon to those who often switch between services like Facebook, LinkedIn, and Twitter, or who struggle to remember who’s a friend, who’s a contact, and who’s a follower. To enable Power Ventures to provide its services, the Facebook users shared with the company their Facebook usernames and passwords. Power Ventures then asked for and received permission from the users to send invitations to use Power to the users’ Facebook contacts. Facebook objected to this and sent Power Ventures a cease and desist letter. It also blocked one of Power Ventures’ IP addresses, although the block wasn’t effective. The company continued to offer its social media aggregating services to Facebook users, and Facebook sued.
The original opinion, by a separate 3-judge Ninth Circuit panel, acknowledged that a computer user can provide a third party, such as a social media aggregator, with valid authorization to use their username and password, even if doing so was in violation of company policy. But according to the panel, if the third party is somehow put on notice that the computer owner has revoked its authorization, then it’s a CFAA violation. So, according to the court, even though Power Ventures always had valid authorization from the Facebook users—and even though Facebook never revoked these users’ credentials—the company violated the CFAA when it accessed Facebook’s data by using those same, legitimate credentials after receiving the cease and desist letter from Facebook.
A key problem here is that the panel failed to define what adequate notice of revocation looks like, creating a host of unanswered questions regarding what would give rise to serious federal criminal liability. And its failure to address the fact that the Facebook users’ credentials were never revoked (which would have removed all doubt) creates confusion about when users can and cannot allow others to access their accounts.
The amended opinion doesn’t fix this. As in Nosal, the panel added a few sentences stressing that its decision was limited to “the stark facts before us” and that the individualized cease-and-desist letter at issue in the case was “a far cry from the permission skirmishes that ordinary Internet users may face” (whatever that means). But this doesn’t give Internet users or lower courts any insight on how this decision should apply in future cases. Indeed, we’re already seeing companies send cease and desist letters to enforce terms of service violations and cite this case as authority—even though the Ninth Circuit earlier ruled that terms of service violations are not supposed to be enough for CFAA liability. And at a time when federal prosecution guidelines still recommend charging CFAA cases based on terms of service violations, it’s naïve to think prosecutors won’t try to use this case to expand the scope of the CFAA in the Ninth Circuit—despite the fact that their overbroad reading of the statute has chilled important security research, to the detriment of all of us.
Missed Opportunity and Increased Risk
Sadly, while we do appreciate that both panels were worried enough about the concerns EFF and others raised to amend their decisions somewhat, the cosmetic changes they made just don’t rectify the problematic reasoning underlying both decisions. Both panels had the opportunity to shore up good, clear Ninth Circuit law holding that terms of service violations cannot give rise to liability under a law meant to target computer break-ins. They also could have ensured that users who have authority to access networked systems can assign that authority to third parties, and that the standard for “unauthorized access” when using passwords to access a system cannot be met when those passwords have not been revoked and are being used with the permission of the account holder. Instead, these opinions stretched the CFAA to cover two situations it was never meant to cover, involving activities that anger network owners, rather than limiting liability under this serious criminal law to those who actually break into computer systems.
But if the Ninth Circuit means that, despite the worrisome language, these two cases are just outliers that should be confined to their specific, “stark” facts, then that’s good. We’ll see if prosecutors and private companies take that guidance, and we hope that courts across the nation, who often look to the Ninth Circuit for guidance in computer-related cases, heed those words of limitation. If they do, we’ll be happy to say that our worries were groundless.
But if they don’t, we’ll be there to push back.