Earlier this week, the Ninth Circuit Court of Appeals upheld the conviction of David Nosal, a man who used a colleague’s log-in credentials to access the databases of research firm Korn Ferry. Nosal’s conviction falls under the archaic Computer Fraud and Abuse Act, which makes “unauthorized” access of computers a federal crime.
If the idea of unauthorized access sounds vague to you, that’s because it is. Prosecutors love the CFAA, written three decades ago, because they can classify a broad range of computer activity we now consider normal as criminal — activity like sharing passwords. Services like Netflix and HBO Go have taken a hands-off approach to account sharing, but every one of these court cases makes what is now normalized computer usage more precarious.
Punishment under the CFAA can be severe. Threatened with the prospect of years in jail for downloading millions of articles from JSTOR, the nonprofit digital library, cyberactivist Aaron Swartz committed suicide in 2013. This past spring, journalist Matthew Keys was sentenced to two years in prison for providing his Tribune Media log-in credentials to vandals who changed a Los Angeles Times headline for less than an hour.
The problem with the CFAA’s vagueness, as Motherboard emphasizes, is that the law doesn’t specify who gets to decide what is and is not unauthorized. In Nosal’s case, his employer had not authorized his access, but the person who provided their own password did so willingly. An imperfect analogy: Your landlord says you can’t list your apartment on Airbnb, but you do so anyway. Is your guest authorized to stay in your place?
In a dissenting opinion, Judge Stephen Reinhardt wrote that the possible precedent is a dangerous one, given how people use computers today.
Take the case of an office worker asking a friend to log onto his email in order to print a boarding pass, in violation of the system owner’s access policy; or the case of one spouse asking the other to log into a bank website to pay a bill, in violation of the bank’s password sharing prohibition. There are other examples that readily come to mind, such as logging onto a computer on behalf of a colleague who is out of the office, in violation of a corporate computer access policy, to send him a document he needs right away.
He later added:
In the everyday situation that should concern us all, a friend or colleague accessing an account with a shared password would most certainly believe—and with good reason—that his access had been “authorized” by the account holder who shared his password with him.
It comes down to a question of who can grant access: the platform holder or the individual user? The answer is still up in the air. One thing that’s definitely clear, however, is that courts shouldn’t be making the decision using a law older than the World Wide Web itself.