Slashdot Mirror
Password Sharing Is a Federal Crime, Appeals Court Rules (vice.com)
An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"
Considering he wasn't an employee anymore, it doesn't really matter.
Your hair look like poop, Bob! - Wanker.
Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided? I suppose that is a) too technical, and/or b) is a broad enough definition of "authorize" that any successful cracking of a password results in an authorized access.
"Si vis pacem para bellum" -Publius Flavius Vegetius Renatus
A password doesn't give you authorisation. You get authorisation from your boss, or from your company, to access a computer to do your job. A password is only a means to help keeping unauthorised people out.
If you lose your job, or your position where you need to access the computer, you lost the authorisation. If the company forgets to remove your password, or you find someone else's password, or a password is shared with you, that doesn't give you authorisation. In this case, everything is absolutely clear.
Where this law is abused in some cases is in situations where someone had the authority to access the computer, but abused the authority to commit a crime. Say a bank manager with authorisation to access computers moving money into his own bank account, or a police officer with access to a license plate database abusing his position by finding out the address of his ex's new boyfriend. That's when authorities try to add "computer hacking" to the list of crimes.
lawyers who only talk to lobbyists, who only talk to money, which is only held by high-up executives who don't know how to log in. that's how the law was crafted. so what did you expect?
if this is supposed to be a new economy, how come they still want my old fashioned money?
Every Intel employee computer used to boot up with the message "Unauthorized use of Intel computer equipment is prohibited." Always seemed kind of circular to me. Also seemed strange they felt they had to explicitly tell everybody that unauthorized use wasn't authorized. But I agree on your point: "authorization" means whatever the _owner_ of the data or equipment says it means!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
So, is it now a federal crime to access someone's social media accounts with passwords that you coerced them to share (schools, companies, CBP, etc.)?
... not only can they hold you indefinitely for *NOT* giving your device's password to them if they want to inspect it, they can even arrest you if you do!
File under 'M' for 'Manic ranting'
"Password Sharing Is a Federal Crime, Appeals Court Rules"
No, the appeals court ruled that borrowing a password to get access to a system you knew you weren't authorized to access is illegal. To use a real world analogy, if I lose my job, and the company takes away my key to the office, it's illegal for me to use a key borrowed from a colleague to get in. I don't have to pick the lock for the access to be illegal.
https://www.gnu.org/philosophy...
Dan resolved the dilemma by doing something even more unthinkableâ"he lent her the computer, and told her his password. This way, if Lissa read his books, Central Licensing would think he was reading them. It was still a crime, but the SPA would not automatically find out about it. They would only find out if Lissa reported him.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
Given the volume of comments from that user, I'm convinced more than one person is using the account!
Real headline: Having a coworker's password doesn't mean having the boss's permission.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Sharing a password is a federal crime for you or I. But a Secretary of State who willfully and wantonly shares state secrets, repeatedly... for money... that, that right there is just an Oopsie Booboo!. No "harm," no foul. No one goes to jail.
I know...the whole thing is a shameful fucking farce. No jail time, no fines, no censuring, no reprimand. What a sweet deal.
David Comey said she had no "bad intent" when she did it. I'll see how far that excuse gets me the next time I get caught speeding or shoplifting or robbing a mini-market. "But officer, I had no bad intent, so just tell me not to do it again."
Just cruising through this digital world at 33 1/3 rpm...
Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?
If that were the case then social engineering attacks where hackers get a company employee to divulge their password would be entirely legal. Knowing a username and password is no different than having a key and simply having a key does not automatically make it legal for you to access everything it unlocks.
What is a "password" is an oil change light reset code an password and one that the car manufacturers can use to shut down 3rd party shops?
The case as given is clear: someone used social engineering to break into a database of a former employer. This is clearly unauthorized access.
What I worry about with laws like this is where they end. It's fairly common to password-share between employees to get some damn work done, and it's not unheard of to share social site passwords, and I don't think we want these cases to be against the CFAA.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
There isn't much we can do about it without breaking a number of laws ourselves.
https://twitter.com/HillaryCli...
Sharing a password is a federal crime for you or I.
As the court made clear, no, if by sharing you mean "handing over your password to an unauthorised outsider". It may get you fired, but it is not a crime.
Being given a shared password doesn't give you authorisation. Not when the person giving you the password didn't want to give you authorisation, or didn't have the authority to give you authorisation. Using a shared password to gain unauthorised access can of course be a federal crime. Any means to gain unauthorised access can be a federal crime.
The number of employees that share passwords (and usernames) is huge, the jails would be overflowing... Oh wait, they are with drug related crimes already.
From the article:
"Notably, Reinhardt appears to have a commanding knowledge of what constitutes “hacking,” something that comes up over and over again both in the media and in the courts. He said that the decision “loses sight of the anti-hacking purpose of the CFAA.”
“There is no doubt that a typical hacker accesses an account ‘without authorization’: the hacker gains access without permission—either from the system owner or a legitimate account holder,” he wrote. Using someone else’s password with their permission but not the system’s owner isn’t “hacking,” but that’s what the court is treating it as."
Using another person's password with their permission but not with the system owner's permission is definitely a form of hacking. It's called social engineering. Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Just because someone easily provided their account information doesn't mean that it was done so legitimately. It is ultimately the system owner who gets to decide who has authorization to their systems and what constitutes authorized access. At the same time, it is the system owner's responsibility to educate it's users as to what is allowed.
I would also take issue with the sentence where the writer claims that the judge has a "commanding knowledge" of "hacking".
"A plan fiendishly clever in its intricacies"- Homer Simpson
I rail against password sharing on the regular. It's right up there with with the crafty old hidden under the keyboard bullshit. I have taken the time to setup your user, I have granted all the permissions needed for you to do your job. Use the GD tools I have provided, else request more.
When the surveillance guy sees you using somebody's creds, he is not going smile and ignore it. He is going to come to me with a reprimand, and to many of those means his businessmen stop coming and I don't get a raise next year. Then, if for some reason your system leaves the GD building (like I know its going to) and I lose physical control of it, I bet your going to spill all those (other peoples) passwords all over the net cuz your GD eyes gloss over when I explain to you what scary VPN shortcut on your fucking desktop is for, and I will find myself answering for it.
You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
Many websites have in their EULA somewhere that using someone else's account is prohibited, or that signing up for a second account, or new account if you've been banned, are prohibited. Doing any of these prohibited things could be legally considered 'unauthorized access', even for a normally public website that anyone is welcome to use (Facebook etc.)
Conflating EULA violations on a public website, with accessing private computer systems containing confidential data, is one of the reasons the CFAA needs to be updated to reflect the realities of the current internet.
Instead of 'unauthorized access', the standard should be 'harm intentionally caused by access'. If you make it strict liability, then people will be legally liable for being part of a botnet, which is absurd considering the millions of machines currently part of botnets, and the penalties of the CFAA; it'd also make Tor exit nodes liable for hacking. A security researcher who finds a security hole in a system, causes no harm, and leaves, would also not be punishable. Harm would have to be significantly above the standard set by normal usage of the computer system; so, say, someone making a new account on a forum where they'd been banned wouldn't be punishable simply because they consumed bandwidth and server CPU time typical of other forum users, or because they took up space in the forum with posts. The CFAA only needs to exist in order to discourage crimes that civil law penalties can't: intentional sabotage of competitors' computer systems, or of infrastructure by domestic terrorists.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
If it is a leased car, then it depends on the terms of the lease.
If the car is owned by the driver, then they are the source of authorization. It would only be a crime if the 3rd party shop didn't have the customer's permission.
You know how I know you didn't RTFA?
Clinton didn't violate security willfully, and shared state secrets with those authorized to see them, not wantonly.
Neither of these things are true.
Setting up the server itself was the act that violated security. The server was set up because Clinton ordered it to be set up. Ergo, Clinton ordered the security violation. (The individual emails themselves also show evidence of Clinton specifically ordering subordinates to send classified info through unclassified channels.)
Among those who had access to classified information on the Clinton Email server was Sydney Blumenthal, who has been a Clinton lackey for years. He's so untrustworthy that higher-ups in the Obama administration (to their credit) EXPLICITLY ordered Clinton not to hire him at the State Department. Since Blumenthan had no official position in the government or other need to know classified information, he wasn't authorized to have it. Blumenthal used the classified information he received in his Clinton email to run a secretive intelligence service that interfered with the CIA in the Middle East.
The FBI found no criminal intent, and could not come up with leaks. Are you saying that I'm in my private fantasy world, and nobody else believes in the FBI or the space unicorns?
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
She mishandled classified information, which is a felony (no intent required). The FBI said as much, and said that they'd go after the next person who did this, just not Hillary. Seriously.
The rule of law means the same low applies to the powerful as to the common man. That's been fading in America, and it's not a good thing (drug laws haven't applied equally to celebrities for quite some time, this is just another brick in the wall).
Socialism: a lie told by totalitarians and believed by fools.
Does this mean that checking "remember me" is now a crime too?
Clinton didn't violate security willfully, and shared state secrets with those authorized to see them, not wantonly.
Well, let's see. According to Comey's statement, she had emails containing information that in some cases bore classified markings, and in come cases were of a nature that "a reasonable person would understand that the information was classified." These emails were stored on her personal server. The person who set up and administered the server, and who had unlimited access to the information on the server, was not cleared for classified information, nor did he have a need to know. This is commonly known as "sharing classified information with those not authorized to see them."
As for "wantonly", the dictionary definition appears to include "extremely careless."
Not necessarily the data owner. Authorization from one of the owners of the computers/data/account/something or that entity's duly designated representative. Authorization from -somebody- who might reasonably have the right to grant authorization.
The folks involved in this scheme clearly understood that they lacked valid authorization to access those computers in the manner they did. It wasn't even subtle or gray-area.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
No, because you're not sharing your password.
I'll see your Constitution and raise you a Queen.
One of the oddities of our current climate is this: How do you know when you're authorized?
Much of the time it's common sense, but if we're talking about DMCA instead of CFAA, it gets very murky, very fast.
You buy a DVD. You pay for a Netflix account every month. Are you authorized to decrypt the content? If you're authorized, then it's ok to watch it. If you're not authorized, then decrypting is circumvention of the DRM.
According to the MPAA-vs-2600 case, you're either not authorized at all, or you're not authorized to do what DeCSS does. You're seemingly violating DMCA every time you watch anything, but of course nobody really believes that. (MPAA hasn't sued all their paying customers yet, and they've had ample time.)
So just what is the mechanism for authorization, and how do you know when it's there, in non-obvious situations? It seems that authorization can be totally implicit, without a single word communicated to tell you whether or not you have it. Indeed, it seems like there might be unspoken and unexpressed conditions. (e.g. We think the conditions are that you're authorized to bypass a DVD's DRM if it's inserted a licensed player, but not if it's an unlicensed player. But is this written anywhere? can you look at a player and even figure out whether its manufacturer got a license or not?)
If authorization is murky for DMCA, then why couldn't it be murky for CFAA too? Let's say you need access to something, to do something that your boss commands. The boss says "clean the dunsel" and you just happen to know that the key to the dunsel bracket's lock is stored in a certain drawer. Authorized? Maybe. Probably. Right?
The truth is, you're going to assume you're authorized and take your chances since it's highly unlikely that the government is coming for you. Or perhaps you're constantly unknowingly committing crimes all day, year after year, where the feds are licking their lips, waiting for the day when you're on some "bad guy" list and they can suddenly throw the book at you. Then 6 years later, you literally don't even remember if the boss said, "Oh, the dunsel bracket key is in that drawer. You may use it." You've just been using it every month for 72 months.
but what if BMW never give permission for that 3rd party shop to use the reset code? and says that is a dealer only code and the shops / websites don't have the permission to have it?
Stop using passwords. It really doesn't protect any of your personal devices, and if you can't trust the people you work with, they should be fired.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Effectively the court has rules that "authorization" for the purpose of computer hacking is mens rea, not actus reus. If you obviously knew you lacked authority (mens rea = mental state) then the element is satisfied regardless of any technicalities about the access control systems (actus reus = actual activity). Crimes require both mens rea (knew you lacked authority) and actus reus (used the computer anyway).
That's why it's OK for the wife to log in and pay the husband's credit card bill: she has a _reasonable_ belief that it's OK to do so, thus the mens rea element of the crime is not proven.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
They said there were no cases where failing to follow handling rules for a small amount of classified information (without additional intent to pass it on to spies or similar) had been considered worthy of criminal prosecution as opposed to administrative sanction / employee disciplinary action.
Blatantly untrue - last year a sailor (Machinist Mate 1st Class Kristian Saucier) was recently prosecuted for taking a picture of his buddies on his submarine. Storing classified information (pictures showing interior of the sub) on an insecure device (the camera). They also prosecuted him for obstruction for the same sort of destruction of information (plus some pile-on charges). He took a plea bargain just 2 weeks ago.
Happens all the time - the laws about handling of classified information do have teeth, unless you're a Clinton with dirt on half the Congress and heir presumptive for determining the FBI budget.
Socialism: a lie told by totalitarians and believed by fools.
It's sort of like signs saying "POSTED: NO TRESPASSING". They're not technically mandatory in a lot of places, but if you have them up every X meters, nobody can deny in court that they were trespassing when they walked over your fence.
No. This means that if you get someone else's password and use that to access a computer system, you have committed unauthorized access. If that isn't a crime, then anyone who can grab your keystrokes and get your password has a free pass to do whatever they want, with no penalty.
a former employee of Korn/Ferry International research firm,
This person was not an employee of the company. Any reasonable person would conclude that using another employee's password to access a database to a company that you no longer work for is not authorized. Authorization would be acquiring your own password from the company's IT staff, or a direct statement from management that you could use the employee's credentials to access said database.
Trying to equate this with sharing my Netflix account is wrong. The Netflix account belongs to me, so I can give authorization for another person to use it. I paid for access to Netflix.
In i would bet more that one State /Country the law is written so that unless you have highly visible signs every X yards/meters you can't have a person charged with Trespassing.
a 20 second google says basically all 50 states have requirements
It could be construed that you are sharing your password with the organisation behind your browser or behind your password "wallet" app.
Like many posters above, I'm a little dismayed this made news. The title of the article is clickbait. We share passwords all the time at work -- heck, we have a password sharing application to make it easy to do so. But we only share passwords with people authorized to use them. If someone who wasn't authorized to use them is given one to access services, and is caught, then both that person and the person who gave the password to an unauthorized user broke the rules.
Dumbest quote: The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"
The question is asked as if it's a mystery fit for Sherlock Holmes. To pretty much everyone involved in every scenario...ever...they know who authorizes access. My house? Me. My company's financial records? CFO. My company's file server at work? Probably a bunch of people for different pieces of it (depending on the groups who are accessing: HR, Finance, Accounting, etc) and not the IT guys. Sure, the IT guys HAVE access (usually to the whole thing), and you could even say they hand out the keys. But someone authorizes them to do so.
So this is dumb. Guy is not authorized to access his old company's servers. Some friend who IS authorized gives him his password. Both should be penalized. And both are technically hackers as they are allowing unauthorized access to data.
Quick tip: Next time you want to steal your employers trade secrets, remember to have the admin print out the records and give them to you in paper. Then you're only violating the EEA and don't have to worry about these pesky, overly-broad interpretations of the CFAA causing you to be convicted as a hacker instead of just a thief.
The dystopian world depicted by Richard Stallman in his short tale "The right to read" (https://www.gnu.org/philosophy/right-to-read.html) is slowly coming. We already have DRM - Digital Restriction Management - now, sharing password has been turned into a crime. This has to be stopped. Now.
It's yet another case where the headline says something different than the article, as is unfortunately often the case here. Reading comprehension is in general getting worse everywhere and we see that happen a lot at Slashdot.
Does this mean that checking "remember me" is now a crime too?
No, because you have authorized its use.
You know, a major property of the security of a password is the fact that it's something you know. If you write it down, it's something you have.
Based on this ruling, it sounds like Microsoft has been violating the CFAA with Wi-Fi Sense in Windows 10.
Did you ask for permission to visit Slashdot? I posit that you don't have authorization to be here, and since Slashdot is owned by a for profit company (BIZX media) and since you are using a false identity (an alias), I accuse you of committing wire fraud under the Computer Fraud and Abuse Act.
I'm not trying to get you indicted (I'm committing the same crime), just saying the CFAA is a terribly written law that used another terrible law as a template (the Espionage Act of 1917). The Authorization section was specifically included to protect ATMs at a time when networking was alien to congresspeople. I think WarGames the movie terrified them into action and they took one of the countries most loosely worded laws and applied it to computing..
Yeah, the Espionage Act of 1917 pretty much says that accessing classified data that you are not supposed to have is espionage, even if you are an ally. Kind of funny that sharing a password violates the CFAA, which used the Espionage Act as a template, and accessing that data likely violates the Espionage Act itself (for sure if any of it is classified).
You know, a major property of the security of a password is the fact that it's something you know. If you write it down, it's something you have.
Except for the fact that with the various rules for passwords that differ from site to site, I have over 100 passwords that often need to be changed every quarter. Am I supposed to memorize all of those? This is a key failure of the current paradigm.
Just another day in Paradise
Does this mean that checking "remember me" is now a crime too?
No, because you have authorized its use.
That depends if you're authorized to authorize them. Just because you have an account doesn't mean you can share access with those who don't.
Just another day in Paradise
I'm far more interested in the question "Authorization from whom?".
(If you can't be pointlessly prescriptive about usage from "legal scholars", when can you be?)
You know, a major property of the security of a password is the fact that it's something you know. If you write it down, it's something you have.
Except for the fact that with the various rules for passwords that differ from site to site, I have over 100 passwords that often need to be changed every quarter. Am I supposed to memorize all of those? This is a key failure of the current paradigm.
Why yes.. you are supposed to recall them all.
Any individual with over 100 passwords is in an interesting position.
The 100 passwords are likely enabling access to a long list of data and your employers need to have
a policy to sustain this data. One policy is "keys" need to be shared with management. But if sharing
is tacitly illegal management has a problem. N.B. Rightly so there are managers with no permission to access
data that their employees have access to. So these managers need to manage differently. They also need
to verify that the alternate access works.
Like backup procedures. Failure to test (backup procedures) is folly.
There are some solutions that when expressed as policy might work but the law and technology can
entangle things in ways that F. Kafka and Joseph Heller could not have imagined.
If you have 100 customers it gets interesting.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Don't be silly; laws don't apply to the police.
In the Netflix case, however, authorization is granted by Netflix, not you. You don't have the authority to give more people access to the service than Netflix would allow. As was said above, this is about access to systems and who is allowed to grant that access.
See my answer above. If you find an additional way to ask the question, see above, the answer will be the same.
If they sold the car, they gave up prerogatives regarding how it is used. If they didn't sell the car, then it depends on the contract who holds which prerogatives.
In the military, people's personal information has a security level assigned. It's the lowest level, but it is under the security laws. Just copying a database that has names and other personal info can be a Federal offense, just like stealing ship sailing schedules or troop movements.
Clinton had plenty of stuff like that, that they have not even mentioned.
It's funny how the first people on make an obvious mistake in taking the headline at face value, then others get on and explain the actual situation, then a bit further more get on and post the same mistaken words. And it sort of cycles back and forth, down the thread list... 8-P
If the password in question was "password" is it still a crime?
So, According to a court ruling, I'm not allowed to share my password with federal agents or the court because the law says I cannot share my password with anyone?
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.
Actually, AC is wrong for an entirely different reason. In the case AC mentions, you own the computer and are giving up the password which is granting access. In the story, it was an employee who was not someone who was allowed to authorize the access.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?