Court ruling could hurt millions who share passwords online


A federal appeals court issued a ruling Tuesday under an anti-hacking law that advocates warn could make it easier for the government to bring criminal charges against people who share online passwords. 

In a 2-1 decision, the Ninth Circuit Court of Appeals upheld the conviction of David Nosal for violating the Computer Fraud and Abuse Act (CFAA). Nosal was convicted of gaining unauthorized access to his former employer’s computer system by getting a then-employee to voluntarily share her password with him.

Throughout the case, digital-rights advocates warned about the implications of the decision for ordinary people. The Electronic Frontier Foundation said the ruling could open up criminal liability for a husband who, at his wife’s request, logs into her Facebook account to check or update something.

The majority opinion tried to tamp down speculation that the case would open up millions of people who share online passwords to criminal penalties under a law that is specifically meant to go after hackers.

“Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company’s internal computer-use policies,” Judge Margaret McKeown wrote.

The CFAA makes it a crime to access a protected computer “without authorization” in order to commit fraud. The central question in the case decided Tuesday was what kind of authorization is needed — the permission of the password owner, the system owner or both.

Nosal worked at Korn/Ferry International, which specialized in helping other companies recruit employment talent. 

When Nosal left the company and secretly set up a rival firm, Korn/Ferry revoked his access to its database of potential recruits. To get around that, Nosal had an employee at Korn/Ferry share her password with him so he could continue to access the database on occasion.

Judge McKeown said Nosal’s actions to gain access “through the back door when the front door had been firmly closed” are a clear violation of the CFAA.

One judge disagreed. 

Judge Stephen Reinhardt dissented, saying the majority opinion lacks a “limiting principle” about what distinguishes lawful and unlawful password sharing. Reinhardt argued that whatever laws and company policies Nosal might have violated, the Computer Fraud and Abuse Act is not one of them.

“It loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens,” he said.  

Reinhardt said it should only be a violation of the CFAA if a person gains access to a computer without the permission of both the password owner and the system owner. That would prevent the questions about the legality of the Facebook password sharing scenario. 
