Password Sharing Is a Federal Crime, Appeals Court Rules

An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"

Those are the easy cases. Sometimes it's hard.

A password doesn't give you authorisation. You get authorisation from your boss, or from your company, to access a computer to do your job.

One of the oddities of our current climate is this: How do you know when you're authorized?

Much of the time it's common sense, but if we're talking about DMCA instead of CFAA, it gets very murky, very fast.

You buy a DVD. You pay for a Netflix account every month. Are you authorized to decrypt the content? If you're authorized, then it's ok to watch it. If you're not authorized, then decrypting is circumvention of the DRM.

According to the MPAA-vs-2600 case, you're either not authorized at all, or you're not authorized to do what DeCSS does. You're seemingly violating DMCA every time you watch anything, but of course nobody really believes that. (MPAA hasn't sued all their paying customers yet, and they've had ample time.)

So just what is the mechanism for authorization, and how do you know when it's there, in non-obvious situations? It seems that authorization can be totally implicit, without a single word communicated to tell you whether or not you have it. Indeed, it seems like there might be unspoken and unexpressed conditions. (e.g. We think the conditions are that you're authorized to bypass a DVD's DRM if it's inserted a licensed player, but not if it's an unlicensed player. But is this written anywhere? can you look at a player and even figure out whether its manufacturer got a license or not?)

If authorization is murky for DMCA, then why couldn't it be murky for CFAA too? Let's say you need access to something, to do something that your boss commands. The boss says "clean the dunsel" and you just happen to know that the key to the dunsel bracket's lock is stored in a certain drawer. Authorized? Maybe. Probably. Right?

The truth is, you're going to assume you're authorized and take your chances since it's highly unlikely that the government is coming for you. Or perhaps you're constantly unknowingly committing crimes all day, year after year, where the feds are licking their lips, waiting for the day when you're on some "bad guy" list and they can suddenly throw the book at you. Then 6 years later, you literally don't even remember if the boss said, "Oh, the dunsel bracket key is in that drawer. You may use it." You've just been using it every month for 72 months.