Ninth Circuit ruling upholds password-sharing risk
Using another's password, even with their consent, is a federal criminal offense, a court found.
Vague language in the Computer Fraud and Abuse Act (CFAA) has given rise to the possibility of prosecution for password sharing even with relatives or friends, according to the Electronic Frontier Foundation (EFF).
"The court turned anyone who has ever used someone else's password without the approval of the computer owner into a potential felon," the EFF wrote.
The law must be corrected or millions of computer users could suddenly find themselves at risk for arrest, the nonprofit said.
The Ninth Circuit Court of Appeals earlier this week found that using another's password, even with their consent, is a federal criminal offense. The case revolved around language in the law after the password of an employee of executive recruiting firm Korn/Ferry was used – with her permission – to access the company's database. Previously, the Ninth Circuit found culpability for trade secret theft under the Economic Espionage Act as someone other than the password holder accessed the database.
This week's ruling in U.S. v. Nosal said that only a computer owner may “authorize” another party to access a computer, not a user or account holder.
The EFF said language around "authorization" or "ownership" in the ruling opens the possibility that even spouses who use their partner's credentials to access a bank account, or a child using a parent's password to login to Hulu or Amazon, could be swept up by an over-reaching prosecutor.
The digital rights organization said it will be filing another amicus brief so the Ninth Circuit may rehear this case.
In a statement issued on July 15, the EFF reiterated its problem with the vague language in the CFAA on which subsequent court decisions have been based. Whereas the language in U.S. v. Nosal was so interpretable to make it a federal crime to use another's password, even with their knowledge and permission, in a new decision, Facebook v. Power Ventures, a different Ninth Circuit panel acknowledged "that a computer user can provide another person with valid authorization to use their username and password."
That's the good news, the EFF wrote. However, it added that the ruling still leaves many situations unclear, and leaves too many questions unresolved about the interpretation of law. What precisely does “authorized access” mean, it asked, or from where does authorization come from? The court, the EFF stated, appears to be losing sight of the original intent of CFAA – going after individuals who break into computer systems.
It expects further prosecutions under the CFAA.
UPDATE: This story was updated on July 15 to insert the EFF's statement regarding Facebook v. Power Ventures.