How many times have you knowingly shared your account password with another person? Or just as importantly, how many times have you accessed someone else’s account with their permission? Before answering, consider these possibilities:
- You give a friend access to your video streaming account;
- You have a multi-connection VPN account, so you offer your friends access to extras you don’t need;
- You give your spouse your online banking password to manage accounts;
- You access your ex-workplace account to retrieve personal data; or
- You manage someone else’s social media account, possibly for marketing purposes.
All these possibilities are totally reasonable, not to mention commonplace, but here’s the kicker: Each of these scenarios is potentially a criminal act that could land you in jail.
Two court cases in particular set a precedence under the nightmarishly vague, Computer Fraud and Abuse Act that makes unauthorized access of a computer illegal. The trouble is, the CFAA doesn’t define what authorization really is.
- United States v. Nosal. This several-year battle ended with the courts declaring only a system owner can offer authorization, not a user or employee. Basically, ex-employee Nolan asked a current employee for their password to access customer data. Granted, that’s bad, but it was argued that the ex-employee had authorization and a willfully provided password doesn’t circumvent any security protocols. However, since the system owner hadn’t given explicit permission, the access was unauthorized, which makes that access illegal under the CFAA. So basically, that means Nosal was guilty of hacking for simply using someone else’s password with their permission.
- Facebook v. Power Ventures. Power Ventures allowed authorized users to extract data from their own Facebook accounts. Facebook took issue with that and demanded they stop. The courts ruled that as soon as Facebook told them to cease and desist, any access by or through Power Ventures was unauthorized. Although this was a civil suit, it was successfully based on the CFAA.
Both cases endeavored to appeal to the Supreme Court, but the Supreme Court refused to review either one. This means the original judgments stand, which could set a dangerous precedence.
Summary of Rulings
On the surface, neither case is earth-shattering, but the precedence could have far-reaching effects on law-abiding Americans and their personal rights. First, let’s review what these cases have established under the federal anti-hacking CFAA law:
- Unauthorized access of any computer system is illegal hacking. That’s pretty much the definition: When you circumvent protective measures to access a system without permission, you’re hacking.
- Using someone else’s authorized password is illegal hacking. Basically, being given authorization from an authorized person still makes you unauthorized unless the system owner specifically gives you authorization him/herself. So even if you’re not hacking through security protocols, per se, you’re still hacking.
- Giving out your password is illegal. While this would appear to be a simple terms-of-use violation, if third-party use of your password is a federal crime under the CFAA, then just giving that third-party your password is also illegal. That is, you’re helping someone commit a crime.
- A website’s terms-of-use play an integral part in whether or not your actions are criminal. That is, if a service’s terms-of-use unequivocally state you are allowed to share your password and those with whom you share your password are equally authorized to access that service, then everything’s probably good. However, absent that statement, you and your friends (or family) are effectively criminals.
What This Could Mean
By extension, this all means that:
- The rulings potentially and retroactively criminalize millions of otherwise law-abiding Americans. Although the prosecution stated that wasn’t their intent, the fact remains that’s the result. There’s nothing in black and white that differentiates between the Nolan case and other password sharing situations. Yes, the Nolan case seems a little sketchier than giving someone access to your video streaming account, but the ruling is a blanket statement that either situation is equally unauthorized and equally criminal. So if you’re not careful, you could be making yourself, your friends and your family technically criminals.
- This potentially opens the door for law enforcement fishing expeditions. Let’s say you did something to put you on the law enforcement radar. Maybe you wrote about or search for a red-flag topic or maybe you dumped your ex-boyfriend police officer who’s now heartbroken and out to get you. Following these rulings, they could theoretically get a search warrant under the premise that you have committed a crime under the CFAA (assuming they had probably cause of such, which probably isn’t too terribly difficult to establish) and then use that warrant to look for something more substantial. I’m not saying this is likely, but it wouldn’t be the first time governments have overstretched their powers.
- It creates a conflict at the border. It’s now well-known that border agents can request access to, and even clone a copy of data on, your cell phone. They can also request passwords, including those in social media accounts. Legally, you’re under no obligation to provide any of that, but they could delay US citizens or even deny entry for non-citizens, if you don’t. So there’s immense pressure to comply. And even if you only provide access to your phone, there’s a good chance it’s still logged into your social media accounts, which means you’re providing access to your account to a third-party, which according to the CFAA is illegal. So you’re basically being asked to commit a crime before being allowed in the country.
I predict (or at least hope) these legal loopholes will be filled in the future. After all, privacy and human rights organizations like the EFF and ACLU are putting up the good fight to protect us. But, at least for now, there are vulnerabilities that could potentially put Americans at risk of legal trouble.