Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Sharing Is a Federal Crime, Appeals Court Rules (vice.com)

Posted by BeauHD on from the bad-precedent dept.

An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"

6 of 165 comments (clear)

  1. Re:A question of definitions? by OverlordQ · · Score: 5, Insightful

    Authorization != Authentication

    --
    Your hair look like poop, Bob! - Wanker.
  2. Re:A question of definitions? by JaredOfEuropa · · Score: 5, Insightful

    No. If 1) your company IT policy strictly prohibits sharing your password with anyone, including IT support staff (like many policies do), and 2) you access a database using a co-worker's credentials, then it should be crystal clear to you that this access is unauthorized. And that goes double if you are no longer an employee at that company.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  3. So now..... by mark-t · · Score: 5, Insightful

    ... not only can they hold you indefinitely for *NOT* giving your device's password to them if they want to inspect it, they can even arrest you if you do!

    --
    File under 'M' for 'Manic ranting'
  4. Terrible headline by jratcliffe · · Score: 5, Insightful

    "Password Sharing Is a Federal Crime, Appeals Court Rules"

    No, the appeals court ruled that borrowing a password to get access to a system you knew you weren't authorized to access is illegal. To use a real world analogy, if I lose my job, and the company takes away my key to the office, it's illegal for me to use a key borrowed from a colleague to get in. I don't have to pick the lock for the access to be illegal.

  5. Re:A question of definitions? by bored_lurker · · Score: 5, Insightful

    Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?

    No, if I come to your house and I find a key under your flowerpot, open the door and enter am I authorized because the key gave me access? Clearly not. If simply having a password was authorization then not only every hacker (e.g. brute force) but every stolen ID would be "authorized". Just no.

    --
    --- Tolerance is the axiomatic "virtue" of those without convictions ---
  6. Re:A question of definitions? by Aighearach · · Score: 5, Insightful

    I dated a sysadmin and we didn't even share passwords to our home computers, or ask to/let each other use work laptops. Not even "just for a minute."

    Password security shows respect, trust.

    Which is deeper trust: "I trust you not to hurt me" or "I trust you not to put me in a position where I have to trust you not to hurt me?"

    I'll go with the latter one.

    Or as my mother taught me regarding financial risk, "Trust is knowing you won't be left out on a limb without the proper paperwork in the first place."

    But none of that even matters in this case, because it was the employer who held the prerogative to grant a password permission, or not. The person who "shared" the password was not the owner of the system, there is no actual legit "sharing" there. It is just using a false credential, after having received it from "a person on the inside."