This week the Ninth Circuit made two controversial rulings relating to the Computer Fraud and Abuse Act. This anti-hacking statute makes it a crime to access a computer without authorization or exceeding authorization, with the intent to commit fraud or to obtain protected information. The first ruling has raised concerns that it is now a criminal act for someone to share a password to their bank account or even a social media account. The second ruling has some claiming it is now a crime to visit a site after being told not to.
The first case concerns David Nosal, a former employee at the executive recruiting firm Korn/Ferry. Nosal and other former employees accessed the company’s database after a current employee shared her login credentials. The fact that Nosal acted with intent to defraud was not in dispute, the appeals court only considered whether Nosal acted without authorization or exceeding authorization.
In the dissenting opinion by Judge Reinhardt, he argues that a legitimate account holder can grant authorization as understood by the statute. In this case, Nosal and his colleagues would have received it from the current employee when she shared her login credentials. However, the majority opinion finds that only Korn/Ferry itself has can grant or revoke authorization to access the system. Individual employees, even legitimate account holders, cannot grant such authorization. The court found that Korn/Ferry unambiguously revoked Nosal’s access to the system when he was fired and his own login credentials were disabled.
Reinhardt is concerned that this ruling will outlaw password sharing in general. He gives the example of someone sharing credentials with a spouse to log into a bank account in order to pay a bill. If the bank itself does no approve, it would be unauthorized access. He also notes that many social media platforms also have terms of service which order users not to let anyone else use their account. However, the issue of terms of service will come up again in the second ruling.
It should be noted that lacking authorization isn’t enough to violate the statute. The person doing it either needs the intent to defraud or the access results in a loss. The statute is also violated if a person accesses specific types of information. One section of the CFAA prohibits accessing information which is protected for reasons of national security, however another section covers financial records. It seems like logging into a bank account without authorization would violate the CFAA. On the other hand, the types of information normally found in a social media account don’t appear to be covered by the CFAA, so accessing such an account even without authorization shouldn’t violate the CFAA unless it was done with intent to defraud or if it results in a loss.
The second case is a dispute between the now defunct Power Ventures and Facebook. Power Ventures had a site Power.com which acted as a social media aggregator. Facebook users could authorize Power.com to access their accounts and obtain information. Facebook believed Power Ventures violated its terms of service and sent a cease and desist. Facebook also IP blocked Power Ventures to prevent further access, but Power Ventures circumvented this measure by changing its IP address.
The court found that Facebook had suffered a loss as a result of Power Ventures’ activity. Facebook spent thousands of dollars paying employees to analyze what Power Ventures was doing, and to implement technological counter measures. With that issue decided, the court had to determine if Power Ventures acted without authorization, or exceeding authorization.
Because Power users gave permission to access their accounts, Power Ventures had implied authorization to access information on Facebook’s servers, at least initially. The court considered whether violating the terms of service was enough to violate the CFAA, and determined that it was not because terms of service are often hidden and subject to changes without warning. A user can’t reasonably be expected to know what’s in the terms of service. However, the court ruled that the situation changed one Facebook sent a cease and desist. From that point on, Power Ventures knew it was unauthorized to access information on Facebook’s servers, and continuing to do so would violate to CFAA.
One interpretation of this ruling is that it is illegal for a person to visit a site if the person receives a clear order not to do so. This is the interpretation the Washington Post comes to, but some time is also spent on a narrower interpretation of the ruling. Under the alternative interpretation, it is only a crime to access a private account when ordered not to do so, but visiting the public face of website is still allowed. However, there doesn’t seem to be anything in the ruling that would differentiate between accessing account data and accessing site data viewable to the general public. All of it is located on Facebook’s servers, which Power Ventures was not authorized to access.
Do you agree or disagree with these rulings by the Ninth Circuit? What implications do you think they will have? Leave your comments below.