Using Shared Passwords Shouldn't Be a Crime
The Computer Fraud and Abuse Act is a powerful tool -- and a dangerous weapon in the hands of prosecutors. For evidence, look no further than a federal appeals court ruling on Tuesday upholding a criminal hacking conviction -- against someone who gained access to a computer using a voluntarily shared password.
Although the defendant in the case acted immorally, the federal computer law shouldn’t be read that broadly. The decision increases the risk that the government could use the law to criminalize computer use that we’re accustomed to accepting as normal.
The facts of the case definitely reflected wrongdoing. David Nosal, working for an executive search firm, decided to leave with some colleagues to form a competitor. Before leaving, they downloaded information from the search firm’s database.
In a 2012 decision, the U.S. Court of Appeals for the Ninth Circuit held that it wasn’t unauthorized access under the federal computer law to use your own password to access and download material you otherwise weren’t supposed to get.
But that still left a further charge against Nosal. After leaving the firm, he continued to download material, this time using a password provided to him by his former executive assistant, who was still at the firm.
This time, the Ninth Circuit judges had to decide whether using someone else’s voluntarily provided password counts as gaining access “without authorization.”
The appellate panel split 2 to 1 this week. The majority held that Nosal’s continued downloading was criminal, reasoning that Nosal downloaded material he wasn’t supposed to have. When he left the firm, his password was revoked, as were those of his colleagues who left with him. Then, using the borrowed password, Nosal kept doing it anyway. As the court put it, Nosal “accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed.”
Morally speaking, the majority was right. Nosal knew he was accessing information that the firm had prohibited him from getting.
The literal meaning of the law also favors the majority position. Nosal was using a password that wasn’t issued to him and that he knew the firm had not authorized him to use. If that isn’t getting access without authorization, what is?
But there’s a further element to good appellate decision making: considering the consequences of a holding for future cases. That’s where the majority went wrong.
Judge Stephen Reinhardt, still going strong at age 85, dissented sharply. As he explained it, the case was about password sharing, not unauthorized computer use in general. He did not think the court should interpret the federal computer law to “make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”
The law, Reinhardt pointed out, covers almost every computer and handheld device in the United States. If it’s a crime to use a computer when someone else has given you his or her password, he argued, that would allow the government to prosecute anyone who uses someone else’s password-protected device with permission.
There’s a superficially appealing answer to Reinhardt’s concern. Nosal was using a borrowed password not to access his former assistant’s personal device with her permission, but to access her employer’s material. She lacked the legal authority to give him that access.
In this view, it wouldn’t be a crime for me to share my password with you so that you could use my smartphone.
But Reinhardt rejected this response. “Take the case of an office worker asking a friend to log onto his e-mail in order to print a boarding pass, in violation of the system owner’s access policy,” he wrote. In any scenario where a third-party policy prohibits password sharing, Reinhardt noted, criminal liability would be possible. So if you not only used my smartphone but downloaded an app, you would become criminally liable.
Reinhardt concluded that the law should be read only to criminalize access obtained without permission of either the system owner or a legitimate account holder. That definition would leave Nosal’s conduct outside the reach of the statute because he had the permission of an account holder.
Reinhardt is right. It’s a shame that Nosal wouldn’t be criminally liable under Reinhardt’s interpretation of the Computer Fraud and Abuse Act. But it’s more important to deprive the federal government of the capacity to criminalize ordinary conduct.
We live in a world of gross overcriminalization, where prosecutors hold tremendous discretionary power. Mostly they use it wisely; but the more laws exist to criminalize everyday actions, the less ability we have to resist when the government comes after us.
The Ninth Circuit should reverse its panel’s ruling. If it doesn’t, the Supreme Court should.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
To contact the author of this story:
Noah Feldman at firstname.lastname@example.org