Password Sharing Remains Hazy Under CFAA
Law Week Colorado, Vol. 14, No. 32, August 8, 2016

Appeals court wrestles with ‘authorization’ concepts under anti-hacking law

By Doug Chartier, Law Week Colorado

Once the mainstream media got a hold of the controversy surrounding United States v. Nosal, everyone from Netflix users to coworkers in various industries was made to wonder if their password sharing, even when benign, could be illegal.

Last month, the U.S. Court of Appeals for the 9th Circuit weighed in on two password-sharing-related cases dealing with the Computer Fraud and Abuse Act. The opinions in United States v. Nosal and Facebook, Inc. v. Power Ventures, Inc. underscored the murky issue regarding the anti-hacking act and under what circumstances its criminal penalties could be extended to more common civil situations. Companies looking for more clarity on what “authorization” means under the CFAA, and just how far the statute’s reach might be over login credentials, might have to wait longer in spite of the recent appellate decisions.

Congress enacted the CFAA of 1986 to combat cyber espionage, as it makes subject to criminal penalties anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.” But the CFAA’s broad language has allowed its application in contexts outside of espionage. Prior to the enactment of the Defend Trade Secrets Act in May, plaintiffs used the CFAA to pursue trade secret misappropriation cases in federal court — perhaps its most common alternative use.
The CFAA creates a private right of action in addition to being a criminal law, and companies have brought suit against individuals whom they claimed accessed their company computers or networks without authorization in order to steal trade secrets or give them to a competitor. Employers have argued that the act covers employee violations of their acceptable use policies, such as when PMSI, Inc. filed a CFAA complaint against a former employee alleging that her excessive use of Facebook and personal email on a company computer ran afoul of its company policy. But in 2011, a federal judge in the Middle District of Florida rejected this interpretation of the CFAA’s “exceeding authorization” prong in Lee v. PMSI, Inc.

The 9th Circuit decided similarly when it weighed in on United States v. Nosal for the first time in 2012. Defendant David Nosal was leaving his employer, executive search company Korn/Ferry International, to start a competing firm. He and his co-conspirators downloaded confidential Korn/Ferry data, and prosecutors argued that even though Nosal and his cohorts had company-granted access to this data, they exceeded their authorization with intent to defraud the company under the CFAA. The 9th Circuit held, however, that the CFAA’s exceeding authorization component doesn’t extend to a violation of company computer policy.

But Nosal made a return to the 9th Circuit under a different interpretation of the CFAA; the former Korn/Ferry employees continued accessing the company’s databases using a current employee’s borrowed credentials. The question in Nosal II was whether the “without authorization” component of the CFAA “extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means,” according to the opinion. The majority held that it did.
But the 9th Circuit was split over the meaning of “without authorization” and whose authorization ultimately mattered in the statute — the company that owned the computer system or the authorized user giving that access to someone else. Judge Stephen Reinhardt argued in his dissent that the majority opinion had problematic breadth. “The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners,” Reinhardt wrote. “There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”

Judge M. Margaret McKeown, writing for the majority, said the case was not about password sharing despite “Nosal and various amici spin(ning) hypotheticals about the dire consequences of criminalizing password sharing.”

John Chanin, a complex business litigator and partner at Lindquist & Vennum in Denver, said the 9th Circuit didn’t draw a clear distinction between improper password sharing and more innocuous cases. “There’s a real line-drawing problem here that the majority didn’t address squarely,” Chanin said. He added that the court did decide Nosal II correctly, he thought, and that the Netflix password implications bemoaned by critics are exaggerated. “On the criminal front, I think (Nosal II) is going to be limited to its pretty egregious set of facts,” Chanin said. “I don’t see any realistic chance that this will criminalize any routine password sharing.” Chanin said that when he explains to clients the concept of illegal password sharing under the CFAA, he likes to use more concrete analogies.

[Photo caption: The 9th Circuit Court of Appeals decided two CFAA password-sharing cases in eight days. Photo: Flickr, Ken Lund]
For one, a restaurant owner might keep a secret recipe locked in a safe and entrust a manager with the safe code, or “authorization” to access the recipe. But if the manager were to give another employee the safe code, no one would reasonably argue that the manager was “authorized” to let that person into the safe, Chanin said. On criminal password sharing, Chanin said, “We all know it when we see it.” What’s less clear is the CFAA’s civil component, he added.

Chanin said that the 9th Circuit had two chances to clarify the CFAA in Nosal II and Power Ventures, but failed to capitalize on either of them. In Facebook v. Power Ventures, the court held July 12 that an entity violates the CFAA when accessing a computer once the owner has revoked the entity’s authorization, much like in Nosal II. Likewise, consent from an authorized third party to access the computer does not constitute authorization. Further, violating the owner’s terms of use by itself does not constitute a CFAA violation.

Power Ventures created a website that aggregated a user’s social media accounts into a single interface. In a promotional campaign it began in 2008, Power Ventures solicited Facebook logins from Facebook users and then used that access to dispense messages across the social network that promoted its website. Facebook issued Power Ventures a cease-and-desist letter and blocked its IP address, but the latter persisted in its campaign. The 9th Circuit might have muddied the CFAA waters by saying that Power Ventures had “at least arguable permission to access Facebook’s computers” since it was given that permission by authorized Facebook users. The defendant wasn’t accessing the system “without authorization” until Facebook explicitly revoked that authorization with the cease and desist, which then made Power Ventures liable under the CFAA, according to the court.
And like Nosal II, the court provided little guidance closing off the CFAA from less criminal contexts of password sharing, Chanin said. “In the Power Ventures case, the 9th Circuit missed another opportunity to clarify cyber law and draw a bright line between innocuous password sharing and the kind of computer trespass prohibited by the CFAA.”

Chanin said that for the time being, the main takeaway from these CFAA rulings is that every employer should have a company policy prohibiting employees from sharing their login credentials with anyone within the company or without.

— Doug Chartier, [email protected]