Slashdot Mirror

← Back to Stories (view on slashdot.org)

Appeals Court To Test How the Law Looks at Shared Accounts and Unauthorized Access (washingtonpost.com)

Posted by Soulskill on from the too-complicated-for-legislators dept.

schwit1 writes: On Monday, the Ninth Circuit will hear arguments in United States v. Nosal on an interesting legal question: If a person shares access to a computer account with somebody else, under what circumstances can the second person engage in unauthorized access under the Computer Fraud and Abuse Act? The case centers around the difference between having access to something and having permission to use it. In other words, if you give somebody a desktop password to your computer so they can watch Netflix, but they take advantage of that to read your email, how does the law look at it? What happens if they come back later and log in again without your explicit permission, but only watch Netflix? What happens if you give them your Netflix password to watch while at your house, but they go home and use it to watch Netflix at their house? Eugene Volokh has a forthcoming paper articulating the legal interpretations of computer trespass. It's a tricky set of rules, and one another court has already misapplied.

20 of 37 comments (clear)

  1. I would compare it to a house by ArmoredDragon · · Score: 3, Interesting

    If you let somebody in (say a babysitter to watch your kids) that doesn't give them permission to peruse through a diary hidden in a drawer in a night stand.

    1. Re:I would compare it to a house by tlhIngan · · Score: 1

      If you let somebody in (say a babysitter to watch your kids) that doesn't give them permission to peruse through a diary hidden in a drawer in a night stand.

      Besides that, I would also liken it to expected permission.

      The owner of the PC may give them access to the computer to view Netflix. That implies a single instance access to the computer to do one thing - view Netflix. It doesn't give permission to view the guy's email or other things, or even if he logs out permission to log in again.

      This permission can be extended implicitly - e.g., the person comes over regularly and the owner regularly gives them permission to log in and view Netflix. Still no permission to view email, though. But in this case, the person can reasonably assume that since he's been given permission to use Netflix while he's over, he can continue to do so.

      If an email alert pops up, he's allowed to read the alert, but not to dig deeper - while he didn't get permission to view the alert, he really couldn't NOT read it since it popped up on the screen while he was watching Netflix. However, reading just the preview alert doesn't give permission to read the rest of it, as he only had permission to use Netflix.

      I mean, just because you got the credentials, they were provided to you in trust to do one specific thing. Just because you can, doesn't mean you should.

    2. Re:I would compare it to a house by DRJlaw · · Score: 1

      If you let somebody in (say a babysitter to watch your kids) that doesn't give them permission to peruse through a diary hidden in a drawer in a night stand.

      If the babysitter peruses through a diary hidden in a drawer in a night stand, it's not a Federal felony. That in and of itself makes it a bad comparison. In some of these examples, you've authorized the babysitter to open a drawer, but not that drawer right next to it. Up to five years, federal prison, with no such thing as parole.

      So while you would, I would not.

    3. Re:I would compare it to a house by Tyrannosaur · · Score: 1

      It really depends on what you are protecting and how important it is to you, if it's that important don't grant physical access to a relative stranger.

      Yes, as a prevention to be a victim, I won't be STUPID, but even if I am stupid this doesn't give them the right to do whatever they want.

    4. Re:I would compare it to a house by Ol+Olsoc · · Score: 4, Insightful
      If only someone owuld think of putting a sort of limited access to a computer. You know, like something where they could log in, but not access your email?

      They could call it a "Guest Account". Yeah, someone should invent that.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. That 5th Netflix friend, man by Impy+the+Impiuos+Imp · · Score: 1

    Basically is it a DMCA violation AKA anti-hacking law crime, to use a password you legitimately know to use the computer system for things you weren't supposed to.

    This really stretches it too far if you ask me as there are other remedies before applying a hacking law. But they went too far long ago by allowing companies to use DMCA to hide copies of copyrighted things you bought from your own sight, like firmware. "Your car's computer can read your copy you own, but you can't."

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  3. Sharing Netflix password by whoever57 · · Score: 1

    In limited circumstances, I think that sharing a Netflix password is clearly OK. I base that statement on the fact that Netflix has a concept of users different users within one account.

    The question is perhaps: what does "limited" mean in this context? Family member who lives with me? Family member who lives elsewhere? Friend?

    --
    The real "Libtards" are the Libertarians!
    1. Re:Sharing Netflix password by AF_Cheddar_Head · · Score: 1

      "Should" implies a suggestion, "May not or will not" implies a directive. Lawyers drafted this if they meant a prohibition they would have used the later terms.

      You can legally have four users on a Netflix account, how are these users supposed to access the account in your absence without the password?

    2. Re: Sharing Netflix password by mjm1231 · · Score: 1

      That ties it to the device. Not the person. I am the Account Owner on a Netflix account. I watch on at least 3 different devices. The three people I share it with watch it on more than one device as well.

      --
      Ideology: A tool used primarily to avoid the bother of thinking.
    3. Re: Sharing Netflix password by Aristos+Mazer · · Score: 1

      Just because you think you should be able to do that under the EULA does not mean you can do that under the EULA. One clause gives permission to three other people to use the account -- but only if you can fulfill the other clauses. Just because there's no technological way to do that doesn't mean you get to break the EULA, legally speaking.

    4. Re: Sharing Netflix password by mjm1231 · · Score: 1

      If there is something in the EULA that prevents me from using the service on multiple devices, then I reject the EULA and they can keep the service. It's barely worth what I pay for it in the first place.

      --
      Ideology: A tool used primarily to avoid the bother of thinking.
  4. what about new email pop ups? by Joe_Dragon · · Score: 2

    what about new email pop ups? that you can read at least some info from?

    Open wifi where you can see, shared files/folders, shared printers, etc.

    Files on the desktops

    Have permission to use the printer and see other documents on it / next to it.

    post it nodes with info on them on the display / desk

    Wait by now you are looking at 20 to life need I go on?

    1. Re:what about new email pop ups? by ArmoredDragon · · Score: 1

      There's quite a difference between plain site and digging. That concept is actually pretty well established in case law as well.

    2. Re:what about new email pop ups? by ArmoredDragon · · Score: 1

      It means that sometimes swype inputs the wrong word and I didn't properly proofread.

    3. Re:what about new email pop ups? by HornWumpus · · Score: 1

      Default Apache home page. Duh.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:what about new email pop ups? by Kjella · · Score: 1

      Why would you need to make new law here? Obviously if you let a babysitter in, they can see things in plain sight. If they're looking for a glass and you got illegal stuff hidden in your kitchen cabinet, too bad. It's only if they go snooping in places that they clearly have no business snooping in it might be an issue. Same applies for your computer, clearly some things are just there. Some you might run into. And other things you don't find unless you go snooping.

      --
      Live today, because you never know what tomorrow brings
  5. Re:a password is like a key by Aristos+Mazer · · Score: 1

    When I read your first sentence (slashdot collapsed section only presented that one line) I thought you were going to suggest bludgeoning them until the amnesia makes them forget the password... other stuff, too, but the password is the legally important bit.

  6. Re:Pay The Consequences by Aristos+Mazer · · Score: 1

    Problem may be solved, but the legal question remains: did the person who abused your password do something illegal? If I leave my house unlocked, someone who comes in and steals stuff is still guilty of a crime. If I share my password, they *can* use my stuff, but there's still a legal bar that says they *should not*, and if they do, there may be criminal charges. This case is critical for determining what happens in various fraud and phishing scams. That's why in needs to go to court.

  7. keys and locks by Solandri · · Score: 1

    Summary focused on legal ramifications for individuals on their personal computers. But this is actually a bigger issue for corporate use of cloud services. What if your company has an official Twitter feed or Facebook wall which needs to be updated by multiple people? Right now, the only way you can do that is to share the single password with all those people. Now what if one of those people gets fired and you're a little slow to change the password? People criticized Sony for making themselves easy to hack by keeping their passwords in a plain text file, but that's inevitably what happens when you need to share an account among multiple employees and the service providing the account only allows a single login. First the password gets posted on the refrigerator door. But one day an unauthorized employee uses it, and someone gets the "clever" idea of putting it in a text file on the file server in a directory where only the people who are authorized to use that account and password have read access. Right where hackers can get it.

    You can't create a guest account because those services don't yet support that. What needs to happen is for these services to either allow logins with multiple revocable keys/passwords; or allow multiple sub-accounts under a master account, with the sub-accounts able to post as if they were the master account. The same concept applies for collaborative virtual spaces.

    If every online service allowed this, then the issue in TFA becomes easy. If Netflix allows up to 4 family members to share the account, then each of those family members should have a separate login and password, with one being a master account which has the power to revoke login permissions for the sub-accounts. If you want to let a new "family member" temporarily use the account, you simply give them a sub-account. And when you no longer wish them to have access, you simply revoke the permissions of the sub-account. (And as you point out, for your home PC, you can simply log them into the guest account.)

    1. Re:keys and locks by Ol+Olsoc · · Score: 1

      But this is actually a bigger issue for corporate use of cloud services. What if your company has an official Twitter feed or Facebook wall which needs to be updated by multiple people?

      You lost me at Twitter and Facebook.

      Those two "services" are right up there with web advertising.

      I don't give a damn, and I have no sympathy for anything that goes wrong with that bit of douchbaggery.

      I mean, whatever could go wrong with multiple employees having the same password? If a business is so damn stupid as to do that, they don't have much to bitch about when the inevitable happens.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.