It can be a violation of the federal Computer Fraud and Abuse Act (“CFAA”) to “access a protected computer without authorization.” The CFAA clearly applies when criminals with no connection to a company try to force their way into information systems. But in a recent decision, a divided panel of the Ninth Circuit found that the CFAA can apply even when someone uses a password willingly shared by an authorized user.
In this criminal case, the defendant, David Nosal, had left his employment at Korn/Ferry. Nosal was seeking confidential information on the Korn/Ferry computer system to use at a venture he had started to compete with his previous employer. Nosal asked his former executive assistant to stay at Korn/Ferry so she could provide access to the systems, and other former employees he was working with borrowed her password to the system and used it to download trade secrets.
In a prior decision, the Ninth Circuit had affirmed dismissal of the CFAA claims against the defendant’s co-workers. The defendant’s co-workers’ actions in using their own passwords to download confidential information before they left the company did not constitute “exceeding authorized access” under the CFAA, since the Act did not cover violations of a company’s use restrictions. If it did, the CFAA, in conjunction with employer policies, could criminalize activities such as checking personal email at work.
In proceedings after remand, the trial court found Nosal himself guilty of accessing Korn/Ferry computers “without authorization” through his erstwhile co-workers. The majority of the Ninth Circuit panel affirmed, noting that Nosal’s own access to these systems had been unambiguously revoked.
“[O]nce authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party,” per Judge McKeown for the majority.
The dissenting judge argued that the court’s decision absurdly criminalized the very common practice of sharing passwords, and provided no workable distinction between criminal hacking and innocuous sharing of passwords.
“I would hold that consensual password sharing is not the kind of ‘hacking’ covered by CFAA,” Judge Reinhardt wrote in his dissent.
The CFAA’s requirement that there be an “intent to defraud” seems to distinguish mere password sharing from cases like Nosal’s, so ordinary users need not fear prosecution for sharing a password. But the Ninth Circuit’s decision does raise the prospect of an expansive interpretation of the CFAA, especially as companies face hybrid external-internal threats to system confidentiality.