In a ruling that appears to declare password sharing a federal crime, the 9th U.S. Circuit Court of Appeals recently upheld the conviction of a man who used a borrowed password to gain access to his former employer’s database.
The case involved a man named David Nosal, a former employee of Korn/Ferry International, a research firm. Nosal was convicted under the provisions of the Computer Fraud and Abuse Act (CFAA) when he used a former co-worker’s password to access one of the firm’s databases. The CFAA—a piece of legislation designed to combat hacking—makes it a crime to access a system without “authorization.” The court ruled that, since Korn/Ferry didn’t authorize Nosal to use the password, his access was unauthorized, and the court upheld the conviction.
However, some analysts are worried that the court’s ruling could set a dangerous precedent. As a dissenting opinion in the ruling notes, CFAA doesn’t define who has the authority to authorize access to a system or the use of a password. Civil liberties advocates warn that if the company issuing the password—rather than the user of that password—determines “authorized” use under CFAA, millions of Americans could theoretically be jailed for sharing accounts for things like Netflix, Facebook or Spotify.
The ruling will be binding for other decisions in the 9th Circuit—which covers much of the West Coast and includes Silicon Valley—and will likely be consulted by judges in other courts around the country.
Think twice prior to sharing your password! Thanks for reading.