Supreme Court Leaves Troubling CFAA Rulings In Place: Sharing Passwords Can Be Criminal Hacking

from the congress-fix-this-shit dept

For many, many years now, we've talked about problems with the CFAA -- the Computer Fraud & Abuse Act -- which was passed in Congress in the 1980s in response to the Hollywood movie War Games (seriously). It was a messed up moral panic back then, and over the years it's been abused widely in both civil and criminal cases to define almost anything as hacking. Over the past few years we've been following two cases in particular related to the CFAA: the David Nosal case and the case. Both involved fairly twisted interpretations of the CFAA -- and, unfortunately, the 9th Circuit found both to be okay. And, unfortunately, this week, the Supreme Court declined to review both cases, meaning they remain good (if stupid) law in the 9th Circuit (which will likely influence cases elsewhere).

I won't go into all of the background in both cases, but the super short version is that under the Facebook v. Power ruling, it's a CFAA violation for a service to access a website -- even if at the request of users -- if the website has sent a cease-and-desist. That shouldn't be seen as hacking, but the court said it's "unauthorized access." Power was a service that tried to help consolidate different social networks into a single user interface for users -- and lots of people found that valuable and signed up for the service. But, Facebook didn't like it and sent a cease-and-desist to Power. Power figured that since users were asking it to continue and they were the ones who had the accounts, it was okay to continue. The court, unfortunately, claimed that it was a CFAA violation -- the equivalent of "hacking" into a system (despite having legit credentials) just because of the cease-and-desist.

In the Nosal case, the court said that merely sharing your passwords can be a CFAA violation. In that case a guy looking to compete with his old firm had someone still there share a password so he could log in and get customer info. That may be unethical and problematic -- but should it be the equivalent of computer hacking? While the 9th Circuit had rejected an even broader interpretation of the CFAA that would say merely violating a terms of service became "unauthorized access" it said okay to the password sharing one.

There was some hope that the Supreme Court would hear these cases and explain that these rulings stretched the CFAA to dangerous degrees. Unfortunately, that's not the case.

And so we're back where we've been for a few decades now: talking about why Congress needs to reform the CFAA and fix these problems that leave the law wide open to abuse -- especially in an era where so many people use dozens of services, and sometimes do things like share passwords or ask others to log into sites for them. These should never be seen as "hacking" violations, but in the 9th Circuit, they are.

Filed Under: cease & desist, cfaa, david nosal, passwords, scotus, supreme court
Companies: facebook, power

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Paul Brinker, 11 Oct 2017 @ 5:16pm

    Social Hacking

    Not saying this guy was good or bad, but the concept of social hacking is as old as hacking. In this case he used social engineering instead of cracking to get into the company system but the concept is as old as hacking itself.

    Social hacking is and is not the same as sharing your Netflix account, the distinction however is a very gray area but you could generally say the public vs private nature of the networks. His employer network was only open to employees, a closed group of people, with gateways and other things put in place to prevent unauthorized access.

    Netflix on the other hand is a public network designed to give access to anyone willing to pay the gatekeeper.

    Realistically the guy who gave him the password should be the one in trouble, breach of contract for giving someone his password.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Show Now: Takedown
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.