EFF, ACLU Asks Ninth Circuit Court To Rehear Two Recent CFAA Cases

from the let's-not-criminalize-even-MORE-common-activity dept

The EFF and ACLU are pushing the Ninth Circuit Court of Appeals to hold full en banc rehearings (with all 11 judges, rather than just three) of two recent CFAA-related cases. The first case, US v. Nosal, is the more (in)famous of the two. In this decision, the court read the language of the CFAA broadly enough to criminalize a mostly-harmless everyday activity participated in by thousands of Americans: password sharing.

The court tried to couple this with some "authorization" wording to make it appear as though the court wouldn't entertain frivolous prosecutions using interpretation of the CFAA, but that gives the court (and the DOJ) far more credit than they have earned.

The other case -- Facebook v. Power Ventures -- is dangerous in its own way, even if it involves two private companies, rather than the US government's prosecutorial arm. The same appeals court didn't go quite as far as it did in the Nosal decision in terms of criminalizing password sharing, but instead made the district's stance even more confusing by arriving at a seemingly-contradictory conclusion.

The Ninth Circuit found that Power Ventures violated the CFAA when it accessed Facebook’s data after receiving the cease and desist letter, on the ground that the letter gave the company notice that Facebook had revoked its authorization to access users’ Facebook accounts. The court acknowledged that Facebook users could give Power Ventures valid authorization to access their accounts without running into a CFAA violation—the step back from Nosal II’s blanket criminalization of password sharing. That was true even though Facebook’s terms of service expressly prohibit password sharing or letting anyone else use your account.

"Seemingly" is the key word. The conclusion reached by the three-judge panel finds no bright line for determining authorized access, instead opting for a reading that leaves it all up to the party moving forward with a lawsuit/prosecution. Here's Mike attempting to make some sense of the ruling:

At what point is access revoked? Does it require a full cease and desist letter? Or what if I add a drop-down telling visitors from certain IP addresses they're not welcome? What if I just type here that visitors from the state of New York are no longer allowed to visit Techdirt? If they continue to do so, is that a potential CFAA violation in the making? The same court has already ruled that a mere terms of service violation is not a CFAA violation but where's the line between a terms of service violation and a cease-and-desist letter? Or me just telling you to stop visiting my website? It seems wide open to abuse.

At best, the decisions -- when taken together -- are an incoherent mess. At worst, they're vehicles for bogus lawsuits and prosecutions, taking the CFAA even further away from its original intent: to punish malicious hackers/criminals who break into accounts, servers, etc. So, rather than activity simply being a violation of corporate policies and Terms of Service, it's now also a potential violation of federal law. The Ninth Circuit Appeals Court has, in two decisions, created a hefty, new CFAA book to be thrown at violators, who now might see themselves facing federal prosecution, rather than a writeup in their personnel file or a suspended account.

If nothing else, a full en banc hearing would at least hopefully generate a coherent, more-unified stance from the Appeals Court. The two decisions are not polar opposites, but there is some friction. The downside, of course, is that the full panel will create an even worse interpretation of the CFAA. But, even if so, at least those residing in the Ninth Circuit will know where they stand when it comes to "authorized" access, password sharing, etc.

[Nosal petition PDF] [Power Ventures petition PDF]

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 9th circuit, authorized access, cfaa, hacking
Companies: aclu, eff

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. icon
    TKnarr (profile), 1 Sep 2016 @ 4:30pm

    Re: Re:

    Not entirely correct. In these cases it's not a public page that's being viewed, it's a page restricted by an account login which can't be viewed without providing the correct credentials. Authorization to access it can be revoked or not granted by revoking the account's credentials or not granting them in the first place. The twist here is that the credentials weren't issued to the entity viewing the page but to the account-holder who then gave the viewing entity the credentials in violation of the terms of service the account-holder agreed to.

    Facebook would be fine if they just revoked the credentials, and sharing those credentials with Power Ventures is according to the ToS more than enough grounds for doing just that. Facebook's trying to shut down Power Ventures without cutting the account-holder off though, and the CFAA arguably isn't something that can do that (especially since PV didn't alter any data or do anything else that would cause damage in the sense the CFAA defines it to Facebook's systems).

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.