EFF, ACLU Asks Ninth Circuit Court To Rehear Two Recent CFAA Cases

from the let's-not-criminalize-even-MORE-common-activity dept

The EFF and ACLU are pushing the Ninth Circuit Court of Appeals to hold full en banc rehearings (with all 11 judges, rather than just three) of two recent CFAA-related cases. The first case, US v. Nosal, is the more (in)famous of the two. In this decision, the court read the language of the CFAA broadly enough to criminalize a mostly-harmless everyday activity participated in by thousands of Americans: password sharing.

The court tried to couple this with some “authorization” wording to make it appear as though the court wouldn’t entertain frivolous prosecutions using interpretation of the CFAA, but that gives the court (and the DOJ) far more credit than they have earned.

The other case — Facebook v. Power Ventures — is dangerous in its own way, even if it involves two private companies, rather than the US government’s prosecutorial arm. The same appeals court didn’t go quite as far as it did in the Nosal decision in terms of criminalizing password sharing, but instead made the district’s stance even more confusing by arriving at a seemingly-contradictory conclusion.

The Ninth Circuit found that Power Ventures violated the CFAA when it accessed Facebook’s data after receiving the cease and desist letter, on the ground that the letter gave the company notice that Facebook had revoked its authorization to access users’ Facebook accounts. The court acknowledged that Facebook users could give Power Ventures valid authorization to access their accounts without running into a CFAA violation—the step back from Nosal II’s blanket criminalization of password sharing. That was true even though Facebook’s terms of service expressly prohibit password sharing or letting anyone else use your account.

“Seemingly” is the key word. The conclusion reached by the three-judge panel finds no bright line for determining authorized access, instead opting for a reading that leaves it all up to the party moving forward with a lawsuit/prosecution. Here’s Mike attempting to make some sense of the ruling:

At what point is access revoked? Does it require a full cease and desist letter? Or what if I add a drop-down telling visitors from certain IP addresses they’re not welcome? What if I just type here that visitors from the state of New York are no longer allowed to visit Techdirt? If they continue to do so, is that a potential CFAA violation in the making? The same court has already ruled that a mere terms of service violation is not a CFAA violation but where’s the line between a terms of service violation and a cease-and-desist letter? Or me just telling you to stop visiting my website? It seems wide open to abuse.

At best, the decisions — when taken together — are an incoherent mess. At worst, they’re vehicles for bogus lawsuits and prosecutions, taking the CFAA even further away from its original intent: to punish malicious hackers/criminals who break into accounts, servers, etc. So, rather than activity simply being a violation of corporate policies and Terms of Service, it’s now also a potential violation of federal law. The Ninth Circuit Appeals Court has, in two decisions, created a hefty, new CFAA book to be thrown at violators, who now might see themselves facing federal prosecution, rather than a writeup in their personnel file or a suspended account.

If nothing else, a full en banc hearing would at least hopefully generate a coherent, more-unified stance from the Appeals Court. The two decisions are not polar opposites, but there is some friction. The downside, of course, is that the full panel will create an even worse interpretation of the CFAA. But, even if so, at least those residing in the Ninth Circuit will know where they stand when it comes to “authorized” access, password sharing, etc.

[Nosal petition PDF] [Power Ventures petition PDF]

Filed Under: , , ,
Companies: aclu, eff

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “EFF, ACLU Asks Ninth Circuit Court To Rehear Two Recent CFAA Cases”

Subscribe: RSS Leave a comment
Mason Wheeler (profile) says:

I personally don’t see any problem with this specific aspect of the CFAA.

If I ran a business with a physical storefront, and someone was being a nuisance and I told them to leave and not come back, and then they came back, I’d be perfectly within my rights to call the cops and have them arrested for trespassing.

Why should it be any different if I run a business with a Web storefront?

TKnarr (profile) says:

Re: Re:

There’s some differences though. The biggest one is that there’s more than just the business involved. The equivalent would be a mall occupied by multiple businesses. What happens when it’s the mall that’s thrown someone out, but a particular business in the mall invited them in and authorized them to come into that business. In a case like that, speaking as someone who’s been in the mall’s position, the cops and/or the DA’s going to take one look at the invitation from the business and drop the whole thing after telling the mall it’s between them and the business.

TKnarr (profile) says:

Re: Re: Re:

Not entirely correct. In these cases it’s not a public page that’s being viewed, it’s a page restricted by an account login which can’t be viewed without providing the correct credentials. Authorization to access it can be revoked or not granted by revoking the account’s credentials or not granting them in the first place. The twist here is that the credentials weren’t issued to the entity viewing the page but to the account-holder who then gave the viewing entity the credentials in violation of the terms of service the account-holder agreed to.

Facebook would be fine if they just revoked the credentials, and sharing those credentials with Power Ventures is according to the ToS more than enough grounds for doing just that. Facebook’s trying to shut down Power Ventures without cutting the account-holder off though, and the CFAA arguably isn’t something that can do that (especially since PV didn’t alter any data or do anything else that would cause damage in the sense the CFAA defines it to Facebook’s systems).

Anonymous Blowhard says:

Re: Re: Re:

“Because it isn’t a physical storefront. It’s a website. You’re talking of forbidding someone from viewing a poster you put up on the side of a building, which is utterly absurd.”

But that’s the point

“I stopped and searched him because he glanced at that poster. That’s when I noticed this pot seed on the bottom of his pant leg. I confiscated his money, jewelry and impounded his car.”

Judge: “the stop was justified”

Tin-Foil-Hat says:

By Design

If you make almost everything a crime, give police and prosecutors immunity and exceptions from their transgressions for fuck ups “in good faith” then everybody’s rights can be potentially suspended. They will be subject to searches at any time and the government doesn’t have to concern themselves with pesky oversight.

Anonymous Coward says:

Re: By Design


When dealing with the government there is NO POTENTIAL.

The Government WILL abuse and misuse every tool you provide it with. Once you provide a tool that says it is okay to remove liberty in just a few situations, all of a sudden every situation is ones of those “rare” situations.

Despite the fact that Government frequently applies the law, it rarely dispenses Justice.

We allowed this!

Every Nation gets the Government it DESERVES!

Uriel-238 (profile) says:

Re: Re: "We deserve it" doesn't follow "we allowed it."

Human society continues to function both by forcing people into circumstances directly (I’m taking your house. Resist and my squad will gun you down.), or by encouraging them to make decisions without being fully informed (Your new job requires a cell phone? Just sign here. Note and agree to abide by the 60K word TOS.)

We only learn to overcome specific instances of these tactics after enough people fall victim to them, much like we only developed a cure for polio after enough people died from it (or were permanently crippled from it) that we sought out a cure (…in some cases by experimenting on human orphans, but that’s another story.)

Or maybe you were speaking in a more cosmic sense, that all these notions of justice and fairness are silly mammal / ape bullshit, and the universe doesn’t even notice. In which case, I can only suggest that that silly mammal / ape bullshit is the best lead we have in making a civilization that the universe might notice, and without it, we’re going to go extinct on this rock for sure. Deserve doesn’t even figure.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...