How many times have you logged into a computer or website with someone else’s name and password—maybe to retrieve information for a spouse or a friend—completely with their permission? Can you imagine spending a year in prison for that? It sounds ridiculous. That’s why EFF filed a “friend of the court” brief in United States v. Nosal this week urging the Ninth Circuit to overturn a troubling conviction under the Computer Fraud and Abuse Act (CFAA).
David Nosal worked for Korn/Ferry, an executive recruiting company. Korn/Ferry had a proprietary database of information that, under corporate policy, employees could only use for official Korn/Ferry business. After Nosal left to start his own recruiting company, the government claimed he violated the CFAA when he allegedly convinced other ex-employees of Korn/Ferry to access the database by using a current Korn/Ferry employee’s access credentials, with that employee’s knowledge and permission. The district court refused to dismiss the charges, ruling that the act of using someone else’s computer login credentials, even with their knowledge and permission, is a federal crime. Nosal was convicted by a jury, sentenced to one year in prison, and ordered to pay a $60,000 fine and nearly $830,000 to Korn/Ferry in restitution.
Nosal appealed his conviction to the Ninth Circuit Court of Appeals, and we’ve filed an amicus brief in support, explaining why the government’s CFAA theory here is dangerous. First, CFAA prosecutions should be focused on hacking: keeping unwanted and unauthorized people from intruding into computer space. But the district court believed the CFAA did not require the government to prove there was any “hacking” or the circumvention of a technological barrier to access. That mistake made it easier for the government to prove its case and keeps the CFAA dangerously broad and vague. Second, using an authorized user’s credentials with their permission is not circumventing a technological access barrier. Instead, when a person uses another individual’s password, they effectively act as the authorized user’s agent. To the extent that the authorized Korn/Ferry user was not allowed to share her password, that is simply a violation of Korn/Ferry’s computer use policy—not a violation of criminal law.
If that last part about terms of service sounds familiar, that’s because this is the third amicus brief EFF has filed in this long-running case. We filed two amicus briefs (here and here) in connection with Nosal’s first trip to the Ninth Circuit, which resulted in an extremely important 2012 opinion, with the Ninth Circuit, en banc, ruling that disloyal employees who access workplace computers in violation of corporate policy or use restrictions are not violating the CFAA. Crucial to that 2012 decision was the court’s valid fear of expanding the CFAA far beyond the anti-hacking purpose intended by Congress. We should not make criminals out of millions of law-abiding workers for innocent activities like sending a personal e-mail or checking sports scores from a work computer.
But in some ways the court is now back where it started. Once again, the Ninth Circuit is confronted with an expansive interpretation of the CFAA that criminalizes common, innocuous behavior, like logging in to a spouse’s Facebook account with their permission. While using someone else’s password without their knowledge and permission is certainly bypassing a technological barrier to access, using login credentials with someone’s permission is not inherently illegal. The government’s theory ultimately turns on the fact that Korn/Ferry prohibits employees from sharing their login credentials with others, but as the Ninth Circuit previously held in this very case, violations of corporate policy cannot be the basis for CFAA liability.