Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Sharing Is a Federal Crime, Appeals Court Rules (vice.com)

Posted by BeauHD on from the bad-precedent dept.

An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"

28 of 165 comments (clear)

  1. A question of definitions? by oldwindways · · Score: 2

    Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided? I suppose that is a) too technical, and/or b) is a broad enough definition of "authorize" that any successful cracking of a password results in an authorized access.

    --
    "Si vis pacem para bellum" -Publius Flavius Vegetius Renatus
    1. Re:A question of definitions? by OverlordQ · · Score: 5, Insightful

      Authorization != Authentication

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:A question of definitions? by JaredOfEuropa · · Score: 5, Insightful

      No. If 1) your company IT policy strictly prohibits sharing your password with anyone, including IT support staff (like many policies do), and 2) you access a database using a co-worker's credentials, then it should be crystal clear to you that this access is unauthorized. And that goes double if you are no longer an employee at that company.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    3. Re:A question of definitions? by bored_lurker · · Score: 5, Insightful

      Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?

      No, if I come to your house and I find a key under your flowerpot, open the door and enter am I authorized because the key gave me access? Clearly not. If simply having a password was authorization then not only every hacker (e.g. brute force) but every stolen ID would be "authorized". Just no.

      --
      --- Tolerance is the axiomatic "virtue" of those without convictions ---
    4. Re:A question of definitions? by acoustix · · Score: 2

      I wish I had mod points for this. It's pretty black and white here. Common sense tells you that there is one owner to the account john.smith and that only that specific person is authorized to use it while they are employed.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    5. Re:A question of definitions? by Anonymous Coward · · Score: 2, Insightful

      Your analogy is flawed. Let's amend it to more closely model the specific situation at hand. If you go to an office building, phone a friend who is a current employee at the business housed within said building, ask for and receive an electronic door lock PIN to gain facilities access, and stroll around inside taking pictures of the interior, can your activities be held as criminal trespass? -PCP

    6. Re:A question of definitions? by Aighearach · · Score: 5, Insightful

      I dated a sysadmin and we didn't even share passwords to our home computers, or ask to/let each other use work laptops. Not even "just for a minute."

      Password security shows respect, trust.

      Which is deeper trust: "I trust you not to hurt me" or "I trust you not to put me in a position where I have to trust you not to hurt me?"

      I'll go with the latter one.

      Or as my mother taught me regarding financial risk, "Trust is knowing you won't be left out on a limb without the proper paperwork in the first place."

      But none of that even matters in this case, because it was the employer who held the prerogative to grant a password permission, or not. The person who "shared" the password was not the owner of the system, there is no actual legit "sharing" there. It is just using a false credential, after having received it from "a person on the inside."

    7. Re:A question of definitions? by Aighearach · · Score: 3, Insightful

      If you go to an office building, phone a friend who is a current employee at the business housed within said building, ask for and receive an electronic door lock PIN to gain facilities access, and stroll around inside taking pictures of the interior, can your activities be held as criminal trespass? -PCP

      Yes.

    8. Re:A question of definitions? by david_thornley · · Score: 3, Insightful

      Now, for the purposes of the CFAA, exactly what counts as authorization? Traditionally, putting an anonymous FTP server up has been considered to authorize access, but is this so according to the CFAA? As long as "authorization" is vague here, the CFAA will have a chilling effect on what people do.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    9. Re:A question of definitions? by gnasher719 · · Score: 4, Insightful

      Uh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.

      Absolutely not. I can give my neighbours my house keys when I go on holiday, so they can enter if there is an emergency. That doesn't give them authority to enter without reason. I had my neighbour's key with authorisation to enter the kitchen to feed the cats while she was on holiday; that didn't give me authorisation to enter her living room or bedroom.

      If you are renting, the landlord may have a key, the caretaker may have a key, they both have no authority to enter your home in most situations.

    10. Re:A question of definitions? by JustAnotherOldGuy · · Score: 4, Insightful

      Oh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.

      First of all, no I wouldn't. Who said I "gave" you a key? Maybe you found it, maybe you stole it. Maybe someone I gave it to turned around and gave it to you. None of those scenarios gives you "authorization" to unlock my front door and enter my home.

      Second, just having the key doesn't automatically grant you authorization, either. Maybe I gave it to you for use only in case of emergency (fire, flood, vacation emergencies, etc).

      None of those give you carte blanche to necessarily be in my home either, unless the circumstances warrant. If it's for emergency access, for example, that doesn't give you the right to come over, watch TV and raid my refrigerator.

      So no, just having a key doesn't mean you're automatically authorized to use it, even if I gave it to you.
       

      --
      Just cruising through this digital world at 33 1/3 rpm...
  2. Obvious to most people by gnasher719 · · Score: 4, Insightful

    A password doesn't give you authorisation. You get authorisation from your boss, or from your company, to access a computer to do your job. A password is only a means to help keeping unauthorised people out.

    If you lose your job, or your position where you need to access the computer, you lost the authorisation. If the company forgets to remove your password, or you find someone else's password, or a password is shared with you, that doesn't give you authorisation. In this case, everything is absolutely clear.

    Where this law is abused in some cases is in situations where someone had the authority to access the computer, but abused the authority to commit a crime. Say a bank manager with authorisation to access computers moving money into his own bank account, or a police officer with access to a license plate database abusing his position by finding out the address of his ex's new boyfriend. That's when authorities try to add "computer hacking" to the list of crimes.

  3. Sharing with your boss/company by Art+Challenor · · Score: 4, Insightful

    So, is it now a federal crime to access someone's social media accounts with passwords that you coerced them to share (schools, companies, CBP, etc.)?

  4. So now..... by mark-t · · Score: 5, Insightful

    ... not only can they hold you indefinitely for *NOT* giving your device's password to them if they want to inspect it, they can even arrest you if you do!

    --
    File under 'M' for 'Manic ranting'
  5. Terrible headline by jratcliffe · · Score: 5, Insightful

    "Password Sharing Is a Federal Crime, Appeals Court Rules"

    No, the appeals court ruled that borrowing a password to get access to a system you knew you weren't authorized to access is illegal. To use a real world analogy, if I lose my job, and the company takes away my key to the office, it's illegal for me to use a key borrowed from a colleague to get in. I don't have to pick the lock for the access to be illegal.

  6. Prophecy foretold by denis-The-menace · · Score: 2

    https://www.gnu.org/philosophy...

    Dan resolved the dilemma by doing something even more unthinkableâ"he lent her the computer, and told her his password. This way, if Lissa read his books, Central Licensing would think he was reading them. It was still a crime, but the SPA would not automatically find out about it. They would only find out if Lissa reported him.

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  7. Start by Prosecuting Anonymous Coward by Stormy+Dragon · · Score: 4, Funny

    Given the volume of comments from that user, I'm convinced more than one person is using the account!

  8. No shit. by penguinoid · · Score: 4, Informative

    Real headline: Having a coworker's password doesn't mean having the boss's permission.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  9. Re:So... by gnasher719 · · Score: 2

    Sharing a password is a federal crime for you or I.

    As the court made clear, no, if by sharing you mean "handing over your password to an unauthorised outsider". It may get you fired, but it is not a crime.

    Being given a shared password doesn't give you authorisation. Not when the person giving you the password didn't want to give you authorisation, or didn't have the authority to give you authorisation. Using a shared password to gain unauthorised access can of course be a federal crime. Any means to gain unauthorised access can be a federal crime.

  10. Dissenting judge is wrong by acoustix · · Score: 4, Insightful

    From the article:

    "Notably, Reinhardt appears to have a commanding knowledge of what constitutes “hacking,” something that comes up over and over again both in the media and in the courts. He said that the decision “loses sight of the anti-hacking purpose of the CFAA.”

    “There is no doubt that a typical hacker accesses an account ‘without authorization’: the hacker gains access without permission—either from the system owner or a legitimate account holder,” he wrote. Using someone else’s password with their permission but not the system’s owner isn’t “hacking,” but that’s what the court is treating it as."

    Using another person's password with their permission but not with the system owner's permission is definitely a form of hacking. It's called social engineering. Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Just because someone easily provided their account information doesn't mean that it was done so legitimately. It is ultimately the system owner who gets to decide who has authorization to their systems and what constitutes authorized access. At the same time, it is the system owner's responsibility to educate it's users as to what is allowed.

    I would also take issue with the sentence where the writer claims that the judge has a "commanding knowledge" of "hacking".

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  11. Re:'Unauthorized Access' Is Too Broad by gnasher719 · · Score: 2

    Many websites have in their EULA somewhere that using someone else's account is prohibited, or that signing up for a second account, or new account if you've been banned, are prohibited. Doing any of these prohibited things could be legally considered 'unauthorized access', even for a normally public website that anyone is welcome to use (Facebook etc.)

    Read the court decision. These things could be considered "unauthorised access" by the company, but not legally by the court.

  12. Re:No one by gnasher719 · · Score: 2

    Considering he wasn't an employee anymore, it doesn't really matter.

    Of course it matters. We know the person in question committed crimes (stealing trade secrets), the question is whether charges of "computer hacking" aka unauthorized access to a computer with the intent blah blah blah can be added to the charges.

    The same thing with authorized access would have still been "stealing trade secrets" but without the additional charge.

  13. Those are the easy cases. Sometimes it's hard. by Anonymous Coward · · Score: 4, Interesting

    A password doesn't give you authorisation. You get authorisation from your boss, or from your company, to access a computer to do your job.

    One of the oddities of our current climate is this: How do you know when you're authorized?

    Much of the time it's common sense, but if we're talking about DMCA instead of CFAA, it gets very murky, very fast.

    You buy a DVD. You pay for a Netflix account every month. Are you authorized to decrypt the content? If you're authorized, then it's ok to watch it. If you're not authorized, then decrypting is circumvention of the DRM.

    According to the MPAA-vs-2600 case, you're either not authorized at all, or you're not authorized to do what DeCSS does. You're seemingly violating DMCA every time you watch anything, but of course nobody really believes that. (MPAA hasn't sued all their paying customers yet, and they've had ample time.)

    So just what is the mechanism for authorization, and how do you know when it's there, in non-obvious situations? It seems that authorization can be totally implicit, without a single word communicated to tell you whether or not you have it. Indeed, it seems like there might be unspoken and unexpressed conditions. (e.g. We think the conditions are that you're authorized to bypass a DVD's DRM if it's inserted a licensed player, but not if it's an unlicensed player. But is this written anywhere? can you look at a player and even figure out whether its manufacturer got a license or not?)

    If authorization is murky for DMCA, then why couldn't it be murky for CFAA too? Let's say you need access to something, to do something that your boss commands. The boss says "clean the dunsel" and you just happen to know that the key to the dunsel bracket's lock is stored in a certain drawer. Authorized? Maybe. Probably. Right?

    The truth is, you're going to assume you're authorized and take your chances since it's highly unlikely that the government is coming for you. Or perhaps you're constantly unknowingly committing crimes all day, year after year, where the feds are licking their lips, waiting for the day when you're on some "bad guy" list and they can suddenly throw the book at you. Then 6 years later, you literally don't even remember if the boss said, "Oh, the dunsel bracket key is in that drawer. You may use it." You've just been using it every month for 72 months.

  14. mens rea by Spazmania · · Score: 2

    Effectively the court has rules that "authorization" for the purpose of computer hacking is mens rea, not actus reus. If you obviously knew you lacked authority (mens rea = mental state) then the element is satisfied regardless of any technicalities about the access control systems (actus reus = actual activity). Crimes require both mens rea (knew you lacked authority) and actus reus (used the computer anyway).

    That's why it's OK for the wife to log in and pay the husband's credit card bill: she has a _reasonable_ belief that it's OK to do so, thus the mens rea element of the crime is not proven.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  15. Re:So... by lgw · · Score: 2

    They said there were no cases where failing to follow handling rules for a small amount of classified information (without additional intent to pass it on to spies or similar) had been considered worthy of criminal prosecution as opposed to administrative sanction / employee disciplinary action.

    Blatantly untrue - last year a sailor (Machinist Mate 1st Class Kristian Saucier) was recently prosecuted for taking a picture of his buddies on his submarine. Storing classified information (pictures showing interior of the sub) on an insecure device (the camera). They also prosecuted him for obstruction for the same sort of destruction of information (plus some pile-on charges). He took a plea bargain just 2 weeks ago.

    Happens all the time - the laws about handling of classified information do have teeth, unless you're a Clinton with dirt on half the Congress and heir presumptive for determining the FBI budget.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  16. Re: fp by murdocj · · Score: 4, Insightful

    No. This means that if you get someone else's password and use that to access a computer system, you have committed unauthorized access. If that isn't a crime, then anyone who can grab your keystrokes and get your password has a free pass to do whatever they want, with no penalty.

  17. Re: fp by dcw3 · · Score: 2

    You know, a major property of the security of a password is the fact that it's something you know. If you write it down, it's something you have.

    Except for the fact that with the various rules for passwords that differ from site to site, I have over 100 passwords that often need to be changed every quarter. Am I supposed to memorize all of those? This is a key failure of the current paradigm.

    --
    Just another day in Paradise
  18. Re:Now every police will be a criminal. by Wulfson · · Score: 2

    Don't be silly; laws don't apply to the police.