Profile image
By Electronic Frontier Foundation (Reporter)
Contributor profile | More stories
Story Views

Last Hour:
Last 24 Hours:

Congress Needs To Clarify That Password Sharing Is Not a Federal Crime

Wednesday, November 2, 2016 9:57
% of readers think this story is Fact. Add your two cents.

The Internet has been on fire in recent months over two court decisions that threaten to criminalize password sharing. The law at the heart of the cases is the Computer Fraud and Abuse Act (CFAA), a 1986 statute meant to outlaw computer break-ins. Congress passed the CFAA after “War Games“—a techno-thriller film about a teen whose computer shenanigans nearly sparked World War III—put the fear of God into lawmakers about the vulnerability of our computer networks. The law—passed years before the advent of the modern Internet—is seriously showing its age.

How the CFAA, which was originally intended to target criminals for havoc-wreaking computer break-ins and data theft, came to be used to convict people for using someone else’s password is a study in prosecutorial overreach and shows how the law has failed to keep up with technology. Congress needs to step up and overhaul this flawed and outdated law.

The CFAA makes it illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—”without authorization” or in excess of authorization. But the law fails to define “without authorization.

This has caused a lot of confusion, with real consequences for computer users. In a world where we may spend nearly as much time using other people’s computers as we do our own, the wrong definition can turn innocuous computer uses intoserious federal offenses. The CFAA has disproportionality harsh penalties: First time offenses are currently punishable by up to 5 years in prison—10 years if the prosecution alleges more than one CFAA offense, which is common—plus fines. Other violations are punishable by 10 or 20 years, or even life in prison.

This summer, the U.S. Court of Appeals for the Ninth Circuit issued two confusing rulings in two separate cases that could allow prosecutors to charge users with CFAA violations for seemingly innocuous conduct—specifically, sharing a password.

In the first case, the government alleged that David Nosal, a former Korn/Ferry executive, violated the CFAA when other Korn/Ferry ex-employees, on Nosal’s behalf, used the password of a current employee, with her permission, to access the company’s private database. The court didn’t address whether Nosal broke into any computer system. It simply held that “authorization” under the CFAA must come directly from the computer owner—here, Korn/Ferry—and any authorization Nosal received from a current employee who voluntarily shared her password didn’t count.

Under this reasoning, anyone who has ever used someone else’s password with the approval of an account holder but without the approval of the computer owner is at risk of criminal prosecution.

In the second case, Facebook sued a social media aggregator, Power Ventures, under the CFAA for accessing its computers via the accounts of Facebook users. The Facebook users had voluntarily provided Power with their credentials, but Facebook felt that Power was violating its terms of service, so it sent Power a cease and desist letter. Power, however, continued to offer its services and access Facebook accounts.

In this case, the court’s judges held that account holders (here, the Facebook users) could initially provide third parties like Power with valid authorization under the CFAA to access their accounts. But it ruled that after the computer owner (here, Facebook) revokes the third party’s authorization—here, via a cease and desist letter—any further access is no longer authorized. It failed, however, to define the terms under which users will know for certain that if they access a computer system they are in violation of the CFAA. It also, like the judges in the Nosal case, failed to assess whether there was any computer break in.

Now, only one thing is clear: it’s time for Congress to fix this mess.

Thirty years after the CFAA’s enactment, we need a law that recognizes that we often access someone else’s computer—specifically, our Internet service providers’ servers—when we pull data from the cloud, check our Gmail or Facebook account, book a plane ticket, or watch a movie on Netflix—and that we often share with friends or loved ones our passwords for these very accounts. We need Congress to finally reassess this notoriously vague statute and craft a law that makes sense given how we use computers today.

This op-ed was originally published by The Hill on October 17, 2016 and is reprinted here with permission.

Share this: Share on Twitter Share on Facebook Share on Google+ Share on Diaspora Join EFF


We encourage you to Share our Reports, Analyses, Breaking News and Videos. Simply Click your Favorite Social Media Button and Share.

Report abuse


Your Comments
Question   Razz  Sad   Evil  Exclaim  Smile  Redface  Biggrin  Surprised  Eek   Confused   Cool  LOL   Mad   Twisted  Rolleyes   Wink  Idea  Arrow  Neutral  Cry   Mr. Green

Top Stories
Recent Stories



Top Global


Top Alternative




Email this story
Email this story

If you really want to ban this commenter, please write down the reason:

If you really want to disable all recommended stories, click on OK button. After that, you will be redirect to your options page.