Congress Needs To Clarify That Password Sharing Is Not a Federal Crime

The Internet has been on fire in recent months over two court decisions that threaten to criminalize password sharing. The law at the heart of the cases is the Computer Fraud and Abuse Act (CFAA), a 1986 statute meant to outlaw computer break-ins. Congress passed the CFAA after "War Games"—a techno-thriller film about a teen whose computer shenanigans nearly sparked World War III—put the fear of God into lawmakers about the vulnerability of our computer networks. The law—passed years before the advent of the modern Internet—is seriously showing its age.

How the CFAA, which was originally intended to target criminals for havoc-wreaking computer break-ins and data theft, came to be used to convict people for using someone else's password is a study in prosecutorial overreach and shows how the law has failed to keep up with technology. Congress needs to step up and overhaul this flawed and outdated law.

The CFAA makes it illegal to intentionally access a "protected computer"—which includes any computer connected to the Internet—"without authorization" or in excess of authorization. But the law fails to define "without authorization."

This has caused a lot of confusion, with real consequences for computer users. In a world where we may spend nearly as much time using other people’s computers as we do our own, the wrong definition can turn innocuous computer uses into serious federal offenses. The CFAA has disproportionately harsh penalties: First-time offenses are currently punishable by up to 5 years in prison—10 years if the prosecution alleges more than one CFAA offense, which is common—plus fines. Other violations are punishable by 10 or 20 years, or even life in prison.

This summer, the U.S. Court of Appeals for the Ninth Circuit issued two confusing rulings in two separate cases that could allow prosecutors to charge users with CFAA violations for seemingly innocuous conduct—specifically, sharing a password.

In the first case, the government alleged that David Nosal, a former Korn/Ferry executive, violated the CFAA when other Korn/Ferry ex-employees, on Nosal’s behalf, used the password of a current employee, with her permission, to access the company’s private database. The court didn’t address whether Nosal broke into any computer system. It simply held that “authorization” under the CFAA must come directly from the computer owner—here, Korn/Ferry—and any authorization Nosal received from a current employee who voluntarily shared her password didn’t count.

Under this reasoning, anyone who has ever used someone else’s password with the approval of an account holder but without the approval of the computer owner is at risk of criminal prosecution.

In the second case, Facebook sued a social media aggregator, Power Ventures, under the CFAA for accessing its computers via the accounts of Facebook users. The Facebook users had voluntarily provided Power with their credentials, but Facebook felt that Power was violating its terms of service, so it sent Power a cease and desist letter. Power, however, continued to offer its services and access Facebook accounts.

In this case, the court's judges held that account holders (here, the Facebook users) could initially provide third parties like Power with valid authorization under the CFAA to access their accounts. But it ruled that after the computer owner (here, Facebook) revokes the third party’s authorization—here, via a cease and desist letter—any further access is no longer authorized. It failed, however, to define the terms under which users will know for certain that if they access a computer system they are in violation of the CFAA. It also, like the judges in the Nosal case, failed to assess whether there was any computer break-in.

Now, only one thing is clear: it’s time for Congress to fix this mess.

Thirty years after the CFAA’s enactment, we need a law that recognizes that we often access someone else’s computer—specifically, our Internet service providers’ servers—when we pull data from the cloud, check our Gmail or Facebook account, book a plane ticket, or watch a movie on Netflix—and that we often share with friends or loved ones our passwords for these very accounts. We need Congress to finally reassess this notoriously vague statute and craft a law that makes sense given how we use computers today.

This op-ed was originally published by The Hill on October 17, 2016 and is reprinted here with permission.