
DEEPLINKS BLOG

Do Over, Please: EFF and ACLU Ask Ninth Circuit to Revisit Two Dangerous CFAA Rulings

August 29, 2016

Imagine being convicted of a crime for logging into a friend's social media account with their permission? Or for logging into your spouse’s bank account to pay a bill, even though a pop-up banner appeared stating that only account holders were permitted to access the system? The Ninth Circuit Court of Appeals last month issued two decisions—by two different 3-judge panels in two separate cases—which seem to turn such actions into federal crimes. We teamed up with the ACLU and ACLU of Northern California to ask the court to review both decisions en banc—with 11 judges, not just 3—and issue a ruling that will ensure innocent Internet users are not transformed into criminals on the basis of innocuous password sharing. We want the court to come up with a clear and limited interpretation of the notoriously vague statute at the heart of both cases, the Computer Fraud and Abuse Act (CFAA).

The CFAA makes it illegal to access a computer connected to the Internet “without authorization.” But the statute doesn’t actually define what “authorization” or “without authorization” means. Both cases turn on what “authorized access” means, including whether authorization must come from the person or entity that owns the computer or whether it can come from an authorized account holder or computer user. These questions are key for anyone who shares online account passwords with a spouse or friend, because they determine whether the CFAA was violated. Unfortunately, the two Ninth Circuit panels came to dramatically different conclusions. And in both cases, the panels completely lost sight of the original goal of the CFAA—targeting individuals who break into computer systems to access or alter information—so their decisions are inconsistent with prior Ninth Circuit rulings holding that the CFAA must be limited to the purpose intended by Congress.

The first decision, in a criminal case called United States v. Nosal, was so broad that it seemed to make it a federal crime to use someone else’s password, even with their knowledge and permission. The case addressed whether David Nosal, a former employee of executive recruiting firm Korn/Ferry, violated the CFAA when other Korn/Ferry ex-employees, on Nosal’s behalf, used the password of a current employee, with her permission, to access an internal company database. This occurred after the company had expressly revoked Nosal’s own login credentials to prevent him from accessing the database. The 3-judge Ninth Circuit panel held that the CFAA is clear that “authorization” can only come from a computer owner (such as an employer or website owner), not a computer user or account holder. According to the panel, Nosal was guilty of violating the CFAA because the authorization he had from the current employee simply didn’t count. (Note: We call this case Nosal II to differentiate it from an earlier ruling in this long-running case.)

In the second decision, in a civil case called Facebook v. Power Ventures, a separate 3-judge Ninth Circuit panel acknowledged that a computer user can provide a third party—here, a social media aggregator—with valid authorization to use their username and password, even if doing so violates the computer owner’s policy. But, according to the panel, if the third party is somehow put on notice that the computer owner has revoked its authorization, then continued access is a CFAA violation.

The case involved Facebook users who sought out the services of Power Ventures, a social media aggregator that offered users a way to view all their social media information in one place. To enable Power Ventures to provide its services, the Facebook users shared their Facebook usernames and passwords with the company. Power Ventures then asked for and received permission from the users to send invitations to use Power to the users’ Facebook contacts. Facebook objected to this and sent Power Ventures a cease and desist letter. It also blocked one of Power Ventures’ IP addresses, although the block wasn’t effective because Power Ventures had many IP addresses. The company continued to offer its social media aggregating services to Facebook users for a month or so, until Facebook blacklisted the phrase “Power.com.” Facebook also sued.

The Ninth Circuit found that Power Ventures initially had valid authorization from the Facebook users, but that Power Ventures violated the CFAA when it accessed Facebook’s data after receiving the cease and desist letter. The court reasoned that the letter had provided the company with notice that Facebook had “revoked its authorization” to access the users’ accounts. The problem is that the panel completely failed to define what adequate notice of revocation looks like, leaving us with a host of unanswered questions about what would give rise to serious federal criminal liability. The panel seems to be drawing a line between access revocations contained in a subsequent notice and restrictions contained in terms of use or other up-front agreements—and in our view, that’s a distinction without a difference.

We've asked the court to review both cases en banc and fix the mess created by these two decisions. In our amicus briefs, we explain how the two panel decisions conflict with not only each other, but also with prior Ninth Circuit decisions holding that the CFAA must be limited to the purpose intended by Congress: targeting those who break into computers to access or alter information. We explain how both panels failed to apply the important rule requiring vague criminal statutes to be interpreted narrowly, called the Rule of Lenity. And we explain how the decisions will turn millions of innocent Internet users into criminals on the basis of routine online behavior—i.e., password sharing.

We hope the court takes both important cases en banc.

Thanks to the ACLU and ACLU of Northern California for joining our brief.
