The United States Court of Appeals for the Ninth Circuit recently ruled that a provision in the federal Computer Fraud and Abuse Act, which prohibits anyone from accessing “a protected computer without authorization,” pretty much means what it says. So an employee who accesses a computer using a password that’s been revoked may be in violation of the statute. And if that ruling sounds intuitive, it was not unanimous.
The CFAA imposes criminal penalties on whoever "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." David Nosal worked at the executive search firm Korn/Ferry International when he decided to launch a competitor along with a group of co-workers. When Nosal left Korn/Ferry, the company revoked his computer access credentials, even though he remained for a time as a contractor. Nonetheless, Nosal continued to access the database using the credentials of his former executive assistant, who remained at Korn/Ferry.
At trial, a jury convicted Nosal of violating the CFAA’s prohibition against “unauthorized access.” On appeal, the question was whether the jury properly convicted Nosal of conspiracy to violate the "without authorization" provision of the CFAA for unauthorized access to his former employer's database. As the appellate court noted, “[p]ut simply, we are asked to decide whether the ‘without authorization’ prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means.”
In the majority’s view, it was an easy question, with a clear answer: "[A] person uses a computer 'without authorization' under [the CFAA] . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway. This straightforward principle embodies the common sense, ordinary meaning of the 'without authorization' prohibition.”
The court displayed little patience with Nosal’s arguments, noting: “Nosal spin[s] hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company's internal computer-use policies. . . . Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. . . . This access falls squarely within the CFAA's prohibition on access ‘without authorization,’ and thus we affirm Nosal's conviction for violations of § 1030(a)(4) of the CFAA.”
The dissent saw it a little differently. Here’s its view: “[t]he majority is wrong to conclude that a person necessarily accesses a computer account ‘without authorization’ if he does so without the permission of the system owner. Take the case of an office worker asking a friend to log onto his email in order to print a boarding pass, in violation of the system owner's access policy; or the case of one spouse asking the other to log into a bank website to pay a bill, in violation of the bank's password sharing prohibition. . . . Was access in these examples authorized? Most people would say ‘yes.’ Although the system owners' policies prohibit password sharing, a legitimate account holder ‘authorized’ the access.”
The dissent echoes the concern of many commenters who have considered this question. If an employer (or a service provider) can set the terms of access, and unauthorized access is anything that doesn’t conform with those terms, doesn’t that mean that the private employer or service provider is kind of writing the criminal code? And while it might be nice to have that kind of authority, it certainly could lead to some rather arbitrary results. Not to mention the fact that, based on the dissent’s examples, it’s likely that 99% of us have committed a crime at some point in the last decade.
The dueling opinions here seem to suggest that the statutory definition of “authorized” is not crystal clear. The solution may be for Congress to clear this up. Otherwise, people’s liability under the CFAA may depend on the judicial circuit where they reside. And that in itself seems a little arbitrary.