What is illegal to do on a computer? When I teach technical computer science majors about cybersecurity policy, that is one of the first questions I tackle. But the answer changes from semester to semester as courts issue new rulings on what constitutes illegal hacking under the Computer Fraud and Abuse Act. Just last week, on July 5, the Ninth Circuit Court of Appeals issued a decision about shared passwords that highlighted, yet again, how much ambiguity and uncertainty there still is around the CFAA even though it was passed 30 years ago.
The ruling was widely reported as meaning it is illegal for people to share their account passwords with anyone else (sample headlines: “Federal court rules that sharing your Netflix password is a federal crime,” and “Federal Court Rules That Password Sharing Is Illegal Under Insane Ancient Law”). It’s true that the case hinged on the illegality of sharing a password (though not a Netflix password), and it’s true that—by a 2–1 majority—the court decided this particular instance of password sharing was a violation of the CFAA. But as is often the case when dealing with CFAA rulings, the implications of the decision are probably not as clear-cut (or as dramatic) as “all password sharing is illegal all the time.”
The ruling is the latest in U.S. v. Nosal, which has been going on for several years now and has provided several important clarifications about the CFAA, even as it has complicated the legal landscape by contradicting other courts’ rulings. The case centers on David Nosal, who worked for an executive search firm called Korn/Ferry until 2004, when he resigned and decided to start a competing firm. To help him launch his new business, Nosal recruited three other Korn/Ferry employees to download proprietary information from his former employer’s computer systems. Two of them used their own login credentials to access information and then left Korn/Ferry. Later, the third employee provided the others with her username and password so they could continue to access Korn/Ferry’s database.
Did any of this constitute illegal hacking? Perhaps not in the traditional sense we might imagine or see in movies: Certainly none of it required any great (or even minor) technical expertise. However, the CFAA does not actually make “hacking” illegal. Instead, it deals with two (only slightly better defined) categories of behavior: accessing computers without authorization and accessing computers in excess of authorization. And no, the law doesn’t define what it means to “access” a computer or what it means to have authorization to do so.
So back to David Nosal, who undoubtedly behaved badly—but did he commit a computer crime? In a landmark 2012 ruling, the Ninth Circuit ruled that he did not violate the CFAA when he had two Korn/Ferry employees use their own credentials to download the firm’s information because those employees did not circumvent any technical controls to access it: They simply used their perfectly valid logins.
The most recent ruling, on July 5, deals with Nosal’s decision to ask the third employee to share her credentials so they could continue to access Korn/Ferry’s records after leaving the firm. This time, a panel of three judges ruled 2–1 that Nosal did violate the CFAA by using the shared password—hence the woeful headlines proclaiming the end of shared Netflix accounts. But, in fact, this ruling states nothing nearly so clear or straightforward as “it is illegal to share Netflix passwords.” It’s frankly a little bit difficult to tell exactly what the ruling does mean in terms of when it is (or is not) illegal to share passwords. Making things more confusing, the majority opinion states outright: “This appeal is not about password sharing.” The dissenting judge, meanwhile, begins his opinion with the line: “This case is about password sharing.” Got that?
The two-judge majority seems to have no intention of making it illegal to share any passwords, ever; they explicitly dismiss such concerns as “hypotheticals about the dire consequences of criminalizing password sharing.” But the dissenting judge is clearly concerned the majority’s ruling will “make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.” In other words, the Ninth Circuit decision really seems to offer very little clarity about whether it’s legal for you to use your roommate’s Netflix password. All it clarifies is that if you resign from an executive search firm to start your own, competing executive search firm—and later ask your former executive assistant to provide her username and password so you can access proprietary information from your former employer—then that’s very probably illegal. (This lack of clarity and generalizable principles, by the way, is part of the reason that sorting out what the CFAA really means has taken us 30 years and counting …)
Writing for the Washington Post, law professor and CFAA expert Orin Kerr provides the best analysis of the decision and even proposes a test for when password sharing should, and should not, be illegal. (His test is far clearer and more thought-through than anything in the Ninth Circuit decision.) Kerr’s argument is essentially that when someone shares a password with you, it should be legal for you to use that password so long as you act as an agent—or in the best interests—of the person who initially shared it.
The CFAA’s ambiguity is only one of many criticisms of the law. Earlier this summer, a group of academics announced they were suing the government because the CFAA prevents them from conducting certain kinds of research. For instance, the researchers argue it could be a violation of the CFAA if they open online accounts under pseudonyms and identities to test for algorithmic discrimination, because many sites’ terms of service require users to provide their real names. Whether violating terms of service agreements is actually illegal under the CFAA has been controversial for years. It requires no technical expertise to create an account under a fake name, but that didn’t stop prosecutors from charging Lori Drew in 2008 with violating the CFAA after she created a fake MySpace account to taunt a 13-year-old classmate of her daughter’s who then committed suicide.
In 2013, another suicide thrust the law into the spotlight: when 26-year-old programmer Aaron Swartz killed himself after being charged under the CFAA for using the Massachusetts Institute of Technology’s network to download millions of academic articles from JSTOR. The controversy that followed Swartz’s death even led to some lawmakers trying (so far unsuccessfully) to clarify and reform the CFAA so it would not apply to terms of service violations.
Most of my students want to become penetration testers, security engineers, and incident response specialists. So they are usually more interested in learning how to reverse engineer malware or implement encryption algorithms than they are in studying policy and law—but they are interested in staying out of jail. I try to get them excited about the topic by telling them that understanding laws like the CFAA is not merely an intellectual exercise, that they may well run up against these statutes in the course of their careers working for security firms and testing code and networks for vulnerabilities. Often, they’re startled by some of the CFAA rulings we read in class and the types of behavior that are considered criminal. Often, they have questions about what those rulings might mean in the context of their own lives and behavior—and all too often, those questions have no clear answers.