If you’ve ever let your kids sign into your Netflix or HBO Go account, or given your marketing department access to your Twitter feed, you may be committing a federal crime, depending on how the Ninth Circuit rules on a case argued before it just last month.
The case, United States v. Nosal, is the latest chapter in a series of cases in which federal prosecutors have used a thirty-year-old anti-hacking statute to turn seemingly routine business disputes into federal felony cases. The statute, known as the Computer Fraud and Abuse Act (CFAA), contains broad prohibitions on accessing a computer system “without authorization” or in a way that “exceeds authorized access.” Though intended to prevent malicious hacking and espionage, those prohibitions have repeatedly been applied to disgruntled former employees who logged back into company databases to access proprietary information after their termination and when their authorization to access those files had been revoked.
However, the Nosal case goes a step further, and a ruling in favor of the United States threatens to criminalize password sharing of all kinds. Nosal was an executive at the recruiting firm Korn Ferry International (KFI). After he left the firm, he enlisted the help of several former colleagues to obtain protected KFI data to start a competing business. Although several of the charges against Nosal were thrown out in an earlier case, he was still prosecuted for accessing KFI files using his former assistant’s login information, which she had given him willingly.
According to prosecutors, Nosal’s former assistant was not authorized to give him access to KFI’s systems under the company’s computer usage policy, and so his use of that password was “without authorization” by the proper authorities. Upholding that argument could have a broad reach because so many password-protected services have prohibitions against password sharing in their user agreements, including Netflix, LinkedIn, Facebook, and HBO Go, to name a few. For that reason, a ruling that the CFAA prohibits password sharing when not authorized by these agreements could turn us all into criminals.
Following argument, this case is difficult to handicap. Although Judge McKeown seemed particularly concerned with the fact that Nosal clearly had engaged in wrongful conduct when he knew his authorization had been revoked, Chief Judge Thomas and Judge Reinhardt clearly recognized the scope of the issue at stake, and all three panel members were concerned by the government’s apparent lack of a limiting principle.
A ruling can be expected in the next few months. Until then, all we can do is hold our breath, and hope that the court ensures that the next time we share an account with the others in our household, we won’t end up living an episode of Orange is the New Black instead of just watching it.
LinkedIn has filed a suit against John Does in response to a spate of “data scraping” perpetrated by unknown individuals, in violation of the website’s terms and conditions. This is the latest federal case in the Northern District of California in which a tech company seeks to enforce its contractual provisions through a criminal statute, the Computer Fraud and Abuse Act (CFAA).
Starting in May 2013, unidentified individuals unleashed automated software programs which bypassed LinkedIn’s security measures in order to create thousands of new member accounts. Once established, these new accounts could be used to view millions of LinkedIn member profiles. The software bots copied personal information off of those viewable pages, which contain extensive personal information. Although we can’t know exactly what the information was used for until the perpetrators are identified, these individuals could potentially use this personal information to steal members’ identities or conduct phishing or other scams.
LinkedIn has since disabled the bot-created accounts and implemented additional security measures to prevent a similar incident. The company instituted the “John Does” lawsuit in order to use the legal discovery process to serve subpoenas which may help identify the attackers. LinkedIn based its legal complaint, in part, on violations of the CFAA. But is the CFAA a sound legal basis on which LinkedIn can bring its claims?
The CFAA states that whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer” violates the CFAA and commits a crime. In this case, the bots created LinkedIn member accounts in order to view other LinkedIn member accounts and gather information. According to LinkedIn, the use of bots violates the terms and conditions that each user must agree to when opening an account. Did the drafters of the CFAA intend to reach this type of conduct? If LinkedIn is right, what appears to be conduct supporting a traditional breach of contract may become fodder for a potential criminal violation.
The Ninth Circuit addressed a somewhat similar issue in United States v. Nosal, a case in which a former employee, David Nosal, convinced some of his former colleagues to help him start a business by downloading customer lists from the former employer’s computer network. Although the employees had unrestricted access to the lists, their use of the lists violated the employer’s policy prohibiting the use of work computers for non-business purposes. The Department of Justice indicted Nosal under the CFAA for aiding and abetting this action. Nosal filed a motion to dismiss, which the district court granted. On appeal to the Ninth Circuit, the government argued that the CFAA applied to the employees’ use of the customer lists even though their access to the lists was permitted.
The Ninth Circuit rejected the government’s argument, stating that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”