On July 5, 2016, the Ninth Circuit affirmed a conviction for “knowingly and with intent to defraud accessing a protected computer “without authorization”. The former employee had his computer access credentials revoked and used the login credentials of a current employee to gain access to data owned by the former employer. The court found the former employee acted “without authorization” and circumvented the revocation of access thus violating the Computer Fraud and Abuse Act (CFAA).
The CFAA imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization” and by means of such conduct obtains anything of value.” CFAA 18 U.S.C. § 1030.
The Court concluded that “without authorization” is an unambiguous, non-technical term: its plain and ordinary meaning covers the access to a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, “the user cannot sidestep the statute by going through the back door and accessing the computer through a third party”.
According to the dissent, password sharing is a common practice. Let’s think for example to the colleague that logs onto a computer on behalf of another colleague who is out of the office – in violation of a corporate computer access policy – to send him a document he needs right away. The dissenting opinion reminds the Court that the CFAA has an anti-hacking purpose. It does not intend to make “the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals”.
United States v. Nosal (Nosal II), 2016 WL 3608752 (9th Cir. July 5, 2016), is available at https://d3bsvxk93brmko.cloudfront.net… Open PDF
Originally pubblished at Technethics on July 2016