CFAA anti-hacking law applies to using shared password, appeals court said

Millions of Americans willingly share passwords with family or friends to access devices or accounts, but the Ninth Circuit Court of Appeals said using a willingly shared password is covered under the anti-hacking Computer Fraud and Abuse Act (CFAA).

After previously being found guilty of violating the CFAA, David Nosal appealed because he doesn’t believe he actually hacked his former employer, Korn/Ferry. Instead, he gained access through passwords that other employees voluntarily shared with him after he left the company and his credentials were revoked.

But in a 2-1 decision, the federal appeals court may have set a dangerous precedent that could ultimately affect millions of Americans who use a willingly shared password. Password sharing was not allowed by Korn/Ferry, so Circuit Judge Margaret McKeowin wrote (pdf) that Nosal had acted “without authorization” and, therefore, falls under the CFAA.

The majority ruled that access “without authorization is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: Once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.”

Even though Nosal may have been out to harm his former employer, the case is not about hacking and the decision is a worrisome one. Personally, it was easier to agree with Judge Stephen Reinhardt’s dissenting opinion, since the case is about password sharing and many people do it despite sites’ terms of service or even employers’ policies. To Reinhardt, the majority opinion “loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”

Reinhardt wrote, “In my view, the CFAA does not make the millions of people who engage in this ubiquitous, useful and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.”

Although the majority claimed the case does not apply to everyday password sharing, that it “bears little resemblance to asking a spouse to log in to an email account to print a boarding pass,” Reinhardt disagreed. He was concerned the majority opinion did not provide “a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”

Reinhardt had numerous examples of how people innocently run afoul of access or password sharing policies, such as by asking a friend to log into email and print a boarding pass, sharing the password for banking so a spouse can pay a bill, logging onto a colleague’s computer to send a document needed right away, or even letting another person log into your Facebook account.

But Judge McKeown wasn’t buying into password sharing being harmless conduct. She wrote, “An employee could willy-nilly give out passwords to anyone outside the company—former employees whose access had been revoked, competitors, industrious hackers or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.”

In the end, the court upheld Nosal’s conviction of violating the CFAA and of trade secret theft under the Economic Espionage Act. The majority ruled that CFAA doesn’t have to be hacking—it also applies to gaining access without authorization. The majority doesn’t believe the antiquated CFAA will now be misued to punish people for sharing passwords.

The EFF disagrees. EFF attorney Jamie Williams told Reuters, “The court is criminalizing conduct that ordinary Americans do every day online.”

Nosal’s attorney Dennis Riordan added, “Because cloud computing depends on password sharing, the panel’s opinion threatens to upend the entire cloud computing industry. For that reason, the position taken by the majority was opposed by BSA/The Software Alliance, whose members include Apple, Microsoft, Oracle and IBM.”