Supreme Court Leaves Troubling CFAA Rulings In Place: Sharing Passwords Can Be Criminal Hacking

from the congress-fix-this-shit dept

For many, many years now, we've talked about problems with the CFAA -- the Computer Fraud & Abuse Act -- which was passed in Congress in the 1980s in response to the Hollywood movie War Games (seriously). It was a messed up moral panic back then, and over the years it's been abused widely in both civil and criminal cases to define almost anything as hacking. Over the past few years we've been following two cases in particular related to the CFAA: the David Nosal case and the Power.com case. Both involved fairly twisted interpretations of the CFAA -- and, unfortunately, the 9th Circuit found both to be okay. And, unfortunately, this week, the Supreme Court declined to review both cases, meaning they remain good (if stupid) law in the 9th Circuit (which will likely influence cases elsewhere).

I won't go into all of the background in both cases, but the super short version is that under the Facebook v. Power ruling, it's a CFAA violation for a service to access a website -- even if at the request of users -- if the website has sent a cease-and-desist. That shouldn't be seen as hacking, but the court said it's "unauthorized access." Power was a service that tried to help consolidate different social networks into a single user interface for users -- and lots of people found that valuable and signed up for the service. But, Facebook didn't like it and sent a cease-and-desist to Power. Power figured that since users were asking it to continue and they were the ones who had the accounts, it was okay to continue. The court, unfortunately, claimed that it was a CFAA violation -- the equivalent of "hacking" into a system (despite having legit credentials) just because of the cease-and-desist.

In the Nosal case, the court said that merely sharing your passwords can be a CFAA violation. In that case a guy looking to compete with his old firm had someone still there share a password so he could log in and get customer info. That may be unethical and problematic -- but should it be the equivalent of computer hacking? While the 9th Circuit had rejected an even broader interpretation of the CFAA that would say merely violating a terms of service became "unauthorized access" it said okay to the password sharing one.

There was some hope that the Supreme Court would hear these cases and explain that these rulings stretched the CFAA to dangerous degrees. Unfortunately, that's not the case.

And so we're back where we've been for a few decades now: talking about why Congress needs to reform the CFAA and fix these problems that leave the law wide open to abuse -- especially in an era where so many people use dozens of services, and sometimes do things like share passwords or ask others to log into sites for them. These should never be seen as "hacking" violations, but in the 9th Circuit, they are.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 11 Oct 2017 @ 4:18pm

    Hold on sec ... if Sharing Passwords Can Be Criminal Hacking
    then what are they asking for at the border? They want me to commit a crime in order to enter?

    reply to this | link to this | view in chronology ]

    • icon
      Coyne Tibbets (profile), 11 Oct 2017 @ 5:17pm

      Re:

      Of course. That way they can keep you out, you criminal mastermind you.

      reply to this | link to this | view in chronology ]

      • icon
        ShadowNinja (profile), 12 Oct 2017 @ 6:37am

        Re: Re:

        Nah, it's so that we can throw more people into those for profit prisons of course!

        And we can brag to the public about putting more people behind bars to show we're fighting crime!

        reply to this | link to this | view in chronology ]

    • icon
      Ryunosuke (profile), 11 Oct 2017 @ 5:38pm

      Re:

      that should make a compelling argument in court in regards to border crossings. "Do I HAVE to break the law in order to enter the country legally?" or rather, "If I have to break the CFAA in order to enter the US, does that mean I am an Illegal?"

      reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 11 Oct 2017 @ 6:40pm

      Re:

      No worries, giving your password at the border is a classic case of entrapment if sharing passwords is a crime. I'm sure the judge and jury will agree. Probably.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Oct 2017 @ 6:40pm

      Re:

      This is why cops don't usually get into trouble for entrapment.

      reply to this | link to this | view in chronology ]

  • identicon
    Paul Brinker, 11 Oct 2017 @ 5:16pm

    Social Hacking

    Not saying this guy was good or bad, but the concept of social hacking is as old as hacking. In this case he used social engineering instead of cracking to get into the company system but the concept is as old as hacking itself.

    Social hacking is and is not the same as sharing your Netflix account, the distinction however is a very gray area but you could generally say the public vs private nature of the networks. His employer network was only open to employees, a closed group of people, with gateways and other things put in place to prevent unauthorized access.

    Netflix on the other hand is a public network designed to give access to anyone willing to pay the gatekeeper.

    Realistically the guy who gave him the password should be the one in trouble, breach of contract for giving someone his password.

    reply to this | link to this | view in chronology ]

    • identicon
      Almost Anonymous, 13 Oct 2017 @ 10:23am

      Re: Social Hacking

      I'm really torn on that one. I think they should both be in trouble, the inside man for contributing (similarly to a getaway driver), and the outside man for unauthorized access. Should it be called "hacking"? Probably not... but let's say he did the exact same thing by using some script-kiddie brute-force technique to get in, versus his buddy sharing a password. I guess that can be called "hacking"?

      Anyway, we probably shouldn't focus so much on the word "hacking", as much as that this dude was illegally accessing data he wasn't supposed to be.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Oct 2017 @ 5:21pm

    Becasue "we're scared of Mathew Broadric" laws are always gointg to be reasonable..

    Sorry if your ascared that "wargames" is a real thing and your response is not to secure the open connections but to pass a law making it illegal to access that open connection your name might be bonzo

    reply to this | link to this | view in chronology ]

  • identicon
    Brent Bunch, 11 Oct 2017 @ 6:25pm

    Sharing passwords on Amazon

    Note that the ruling means it is illegal for me to use my wife's Amazon prime account. Of course, Amazon is perfectly happy to sell me things too, so they aren't likely to report that abuse. But the concept that it is abuse in the first place is just crazy.

    reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 11 Oct 2017 @ 8:40pm

    1) A business cannot rely on others for its content.

    Scraping is not a valid "business model".

    2) A business invading another for purpose of gleaning client names isn't legal either.

    3) You are a Masnick.

    reply to this | link to this | view in chronology ]

    • icon
      Mike Masnick (profile), 11 Oct 2017 @ 11:26pm

      Re: 1) A business cannot rely on others for its content.

      Scraping is not a valid "business model".

      Google begs to differ.

      A business invading another for purpose of gleaning client names isn't legal either.

      I don't disagree. But I don't think it's hacking.

      You are a Masnick.

      Very observant.

      reply to this | link to this | view in chronology ]

  • icon
    MyNameHere (profile), 11 Oct 2017 @ 11:35pm

    Troubling?

    I often find that you feel that the courts applying the law is troubling. These two cases are both perfect examples of why that law fits almost exactly.

    Facebook v. Power is incredibly simple: Given that they had already received a cease and desist, any action beyond that is (a) a violation of that C&D, and (b) unauthorized access to their system. While it may not be a hack in the sense of forcing a password or other, they did access the system and retrieve information that they were specifically C&D'ed from doing. Seems pretty clear.

    The Nosal case is even easier: There is no reason for the guy to share the password from his previous job with anyone except with bad intentions. In sharing the password and having someone else enter the system for him, he effectively entered into a conspiracy to illegally access the system. Nosal himself didn't do the work, but made the most significant contribution to someone illegally accessing the system.

    What is troubling to me is that you seem not to be able to understand the difference from voluntary and involuntary actions. In both of these cases, we are well beyond a simple violation of a terms of service, in each case the defendants made voluntary actions that ended up in unauthorized access. Each of them had to do something well beyond just violating terms of service to get there. Nosal had to intentionally give out a password to his ex-employer's system, and Power had to willfully ignore a C&D.

    Simply put, neither of these would have been good cases to take to SCOTUS, because both of them are clearly in the wrong, and the statute in plain text covers it.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Oct 2017 @ 11:46pm

      Re: Troubling?

      Going over your comments, an observant reader would often find that you feel that the requirement of warrants is troubling, despite it being mandatory under application of the law...

      reply to this | link to this | view in chronology ]

    • icon
      orbitalinsertion (profile), 12 Oct 2017 @ 1:40am

      Re: Troubling?

      Anyone simply saying "cease and desist" to anything does not make it a valid or remotely legally binding utterance. It takes idiots to misapply laws to rule that a) the c&d is valid, and b) it constitutes criminal behavior under a ridiculously stretched interpretation of an already bad law.

      So, say, when someone tells you to shove off, but you keep showing up anyway, does that mean you should end up in prison?

      reply to this | link to this | view in chronology ]

    • identicon
      Rekrul, 12 Oct 2017 @ 7:57am

      Re: Troubling?

      Facebook v. Power is incredibly simple: Given that they had already received a cease and desist, any action beyond that is (a) a violation of that C&D, and (b) unauthorized access to their system. While it may not be a hack in the sense of forcing a password or other, they did access the system and retrieve information that they were specifically C&D'ed from doing. Seems pretty clear.

      So websites can put anything they like in the terms of service and people are legally obligated to follow them?

      BTW, my terms of service are that if you want to reply to this message, you must do so while naked and your body covered in lime-green Jello. I'll need a photo as proof, otherwise you'll be committing a crime under the CFAA.

      reply to this | link to this | view in chronology ]

      • icon
        MyNameHere (profile), 12 Oct 2017 @ 8:12am

        Re: Re: Troubling?

        "So websites can put anything they like in the terms of service and people are legally obligated to follow them?"

        Umm, no.

        T&C must be legal and proper, generally the public cannot be forced to waive their rights to get service.

        However, that said, a website is a private company, and they do have the rights to set (within the law) the rule by which they offer service. Facebook is well within their rights to say "you may not share your password in any manner" and yes, to some extent they can specify how you can connect to their service (web browser, app, etc).

        The rest of your post is nonsense.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 12 Oct 2017 @ 9:03am

          Re: Re: Re: Troubling?

          "The law is the law is the law! Unless it's Wyden's. Also, Wright is wrong. Oooooooh!"

          reply to this | link to this | view in chronology ]

          • icon
            MyNameHere (profile), 12 Oct 2017 @ 4:06pm

            Re: Re: Re: Re: Troubling?

            Any congress critter can propose any law, most of what is proposed dies before even getting a reading, as nobody wants to take it up. So Wyden's latest grandstanding is most likely to be just that, and nothing more.

            Nice trolling though!

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 12 Oct 2017 @ 4:30pm

              Re: Re: Re: Re: Re: Troubling?

              You do have a highly averse reaction whenever Wyden's name shows up specifically. Now why is that?

              reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Oct 2017 @ 9:15am

        Re: Re: Troubling?

        I tried but it broke the camera.

        reply to this | link to this | view in chronology ]

    • icon
      Bergman (profile), 12 Oct 2017 @ 12:03pm

      Re: Troubling?

      A C&D has no legal weight, MNH. I could send you a C&D for anything, even order you to not post to Techdirt, and violating it would not cause you to lose an ensuing lawsuit.

      Masnick himself could issue you a C&D to stop visiting Techdirt's site and reading the articles, but as long as the side makes them available upon request, then there is no unauthorized access.

      reply to this | link to this | view in chronology ]

  • identicon
    Rekrul, 12 Oct 2017 @ 7:59am

    And so we're back where we've been for a few decades now: talking about why Congress needs to reform the CFAA and fix these problems that leave the law wide open to abuse

    In other words we're screwed, since Congress as a whole has shown absolutely no interest whatsoever in fixing any of the laws that are regularly abused.

    reply to this | link to this | view in chronology ]

  • identicon
    Mason Wheeler, 12 Oct 2017 @ 10:01am

    I won't go into all of the background in both cases, but the super short version is that under the Facebook v. Power ruling, it's a CFAA violation for a service to access a website -- even if at the request of users -- if the website has sent a cease-and-desist. That shouldn't be seen as hacking, but the court said it's "unauthorized access." Power was a service that tried to help consolidate different social networks into a single user interface for users -- and lots of people found that valuable and signed up for the service. But, Facebook didn't like it and sent a cease-and-desist to Power. Power figured that since users were asking it to continue and they were the ones who had the accounts, it was okay to continue. The court, unfortunately, claimed that it was a CFAA violation -- the equivalent of "hacking" into a system (despite having legit credentials) just because of the cease-and-desist.

    I actually don't see any problem with that. How is it any different than a person running a brick-and-mortar business telling someone they aren't welcome there? Once you've said that, if they don't leave, or if they come back, you are within your rights to call the cops on them for tresspassing, and if they said "well I'm here on behalf of someone else who does have the right to be here," that's not going to get them anywhere. So why should this case be treated differently?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Oct 2017 @ 3:27am

      Re:

      If the person disguised themselves(cut hair and shaved facial hair) to get re-entry to the store, should they also be charged with "hacking," besides the trespassing? Or would the Barber who "hacked" it off be charged?

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer
Anonymous number for texting and calling from Hushed. $25 lifetime membership, use code TECHDIRT25
Report this ad  |  Hide Techdirt ads
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.