If you’ve ever let your kids sign into your Netflix or HBO Go account, or given your marketing department access to your Twitter feed, you may be committing a federal crime, depending on how the Ninth Circuit rules on a case argued before it just last month.
The case, United States v. Nosal, is the latest chapter in a series of cases in which federal prosecutors have used a thirty-year-old anti-hacking statute to turn seemingly routine business disputes into federal felony cases. The statute, known as the Computer Fraud and Abuse Act (CFAA), contains broad prohibitions on accessing a computer system “without authorization” or in a way that “exceeds authorized access.” Though intended to prevent malicious hacking and espionage, those prohibitions have repeatedly been applied to disgruntled former employees who logged back into company databases to access proprietary information after their termination and when their authorization to access those files had been revoked.
However, the Nosal case goes a step further, and a ruling in favor of the United States threatens to criminalize password sharing of all kinds. Nosal was an executive at the recruiting firm Korn Ferry International (KFI). After he left the firm, he obtained the help of several former colleagues to obtain protected KFI data to start a competing business. Although several of the charges against Nosal were thrown out in an earlier case, he was still prosecuted for accessing KFI files using his former assistant’s login information, which she had given him willingly.
According to prosecutors, Nosal’s former assistant was not authorized to give him access to KFI’s systems under the company’s computer usage policy, and so his use of that password was “without authorization” by the proper authorities. Upholding that argument could have a broad reach because so many password-protected services have prohibitions against password sharing in their user agreements, including Netflix, LinkedIn, Facebook, and HBO Go, to name a few. For that reason, a ruling that the CFAA prohibits password sharing when not authorized by these agreements could turn us all into criminals.
Following argument, this case is difficult to handicap. Although Judge McKeown seemed particularly concerned with the fact that Nosal clearly had engaged in wrongful conduct when he knew his authorization had been revoked, Chief Judge Thomas and Judge Reinhardt clearly recognized the scope of the issue at stake, and all three panel members were concerned by the government’s apparent lack of a limiting principle.
A ruling can be expected in the next few months. Until then, all we can do is hold our breath, and hope that the court ensures that the next time we share an account with the others in our household, we won’t end up living an episode of Orange is the New Black instead of just watching it.
Last month, federal prosecutors in Nevada filed a motion to dismiss an indictment that shined a bright light on overly broad federal criminal statutes and the abuse of prosecutorial discretion in using them.
John Kane and Andre Nestor were each charged in an indictment in January 2011 with one count of conspiracy to commit wire fraud and one count of computer fraud in violation of the Computer Fraud and Abuse Act (CFAA), the same law that was used to prosecute Internet activist Aaron Swartz and Andrew Auernheimer.
The indictment alleged that Kane and Nestor used an exploit on video poker machines to defraud casinos and win money that they were not entitled to, which “exceeded their authorized access” on the machines in violation of the CFAA. Kane, who reportedly spent an extremely significant amount of time playing video poker, discovered a bug in the software of the video poker machine that allowed him, and later his co-defendant Nestor, to achieve large payouts on certain slot machines through a series of moves where he switched games and made bets at different levels. There is absolutely nothing illegal about pressing buttons on slot machines to change the amount of money you are betting or to switch games you are playing, but the prosecution alleged that doing this exceeded lawful access. The court agreed with the defendants and ruled in favor of their motion to dismiss the CFAA count in the indictment.
The CFAA was enacted in 1986 to protect computers in which there was a compelling federal interest, such as computers owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer-related activities, and there has been recent discussion on Capitol Hill of amending it further. The CFAA prohibits accessing a computer without proper authorization or using it in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and for giving prosecutors wide discretion, allowing them to charge individuals who have violated a website’s terms of service.
In November, after filing nine stipulations to continue the trial date, the government filed a motion to dismiss the remaining conspiracy to commit wire fraud charges against both Kane and Nestor because “the government has evaluated the evidence and circumstances surrounding count one [wire fraud conspiracy] and determined that in the interest of justice it should not go forward with the case under the present circumstances.”
Although the charges were ultimately dismissed, the issue remains that these charges never should have been brought in the first place. Kane and Nestor had to deal with open criminal charges against them for nearly three years. There are proper uses for statutes such as the CFAA, but the people and the courts should demand that the government only use them for their intended purposes. Prosecutions taking broad and unjustified interpretations of these statutes are not justified.