Password-Sharing May Be Criminal, 9th Circ. Rules

     (CN) — Millions of people innocently share passwords with each other, but a corporate headhunter who did so to steal trade secrets violated federal computer hacking law, a divided Ninth Circuit ruled on Thursday.
     The ruling inspired a blistering dissent warning that today’s decision could turn people who engage in “ubiquitous, useful and generally harmless conduct into unwitting federal criminals.”
     David Nosal, whose 366-day sentence was upheld in Tuesday’s ruling, is one of the many defendants to challenge the breadth of the Computer Fraud and Abuse Act (CFAA) from 1986.
     Passed before the advent of the internet, the CFAA prohibits access to another person’s computer “without authorization” or “exceeding authorized access.” Critics of the law have long complained that this language criminalizes what the statute’s drafters could not have predicted would become commonplace activity.
     Nosal found himself in the CFAA’s crosshairs after encouraging his former colleagues at the Los Angeles-based recruitment firm Korn/Ferry to log onto its confidential database to send him its client list.
     Federal prosecutors indicted Nosal and the three employees in 2008.
     Four years into the case, the Ninth Circuit ruled en banc that Nosal’s charges related to “exceeding authorized access” were too broad.
     “While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be,” the court’s then-Chief Judge Alex Kozinski wrote in 2012. “Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.”
     The following year, a federal jury convicted Nosal on the remaining six counts, which included CFAA charges related to accessing a computer “without authorization.”
     U.S. District Judge Edward Chen later sentenced Nosal to spend a year and one day in prison.
     On appeal, Nosal’s attorneys argued the circuit’s fears of over-prosecution applied to either prong of federal computer hacking law.
     The Electronic Frontier Foundation, a digital civil liberties group, told the appellate court that upholding this interpretation of the CFAA “makes criminals out of the millions of people who use login credentials of family members or friends with their knowledge and permission.”
     But Circuit Judges M. Margaret McKeown and Sidney Thomas said that Nosal’s case “bears little resemblance to asking a spouse to log in to an email account to print a boarding pass,” in a 48-page opinion on Tuesday.
     “The charges at issue in this appeal do not stem from the ambiguous language of Nosal I — ‘exceeds authorized access’ — but instead relate to a common, unambiguous term,” McKeown wrote for the majority. “The reality is that facts and context matter in applying the term ‘without authorization.’”
     For Circuit Judge Stephen Reinhardt, his colleagues’ ruling “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
     “The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners,” Reinhardt wrote in his dissent. “There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”
     Reinhardt noted that this broadens the executive’s power in an election year.
     “Broadly interpreted, the CFAA is a recipe for giving large corporations undue power over their rivals, their employees, and ordinary citizens, as well as affording such indiscriminate power to the Justice Department, should we have a president or attorney general who desires to do so,” he said.
     Nosal notched a smaller victory with the circuit ordering the reduction of his court-ordered restitution of more than $595,000.
     Prosecutors initially requested more than $964,000 that included Korn/Ferry’s expenditures in the investigation, but Chen lowered that amount in what the appellate court called a “step in the right direction.”
     But Chen “should have gone further” in shaving off the firm’s investigation expenses, the circuit found.
     “The company’s attorneys are not a substitute for the work of the prosecutor, nor do they serve the role of a shadow prosecutor,” the majority opinion said.
     Dissenting Judge Reinhardt argued that the firm’s role in the investigation “blurs the line between criminal and civil law.”
     “Korn/Ferry and its counsel’s employment of their overwhelming resources to persuade prosecutors to bring charges against an economic competitor has unhealthy ramifications for the legal system,” he wrote.
     The U.S. Attorney’s Office for the Northern District of California declined to comment.
     Nosal’s lawyer Dennis Riordan of the San Francisco-based firm Riordan & Horgan said that he would seek another en banc review.
     “Because cloud computing depends on password sharing, the panel’s opinion threatens to upend the entire cloud computing industry,” Riordan said in a statement. “For that reason, the position taken by the majority was opposed by BSA/The Software Alliance, whose members include Apple, Microsoft, Oracle, and IBM.”
     The Software Alliance filed a friend-of-the-court brief on Nosal’s behalf.
     Calling the case “at most, a civil dispute,” Riordan expressed confidence that today’s ruling “will not be the final word on these important issues.”
