Munck Wilson Mandala

Password-Sharing May Be a Federal Crime Under the Muddied Waters of the CFAA


Shannon Tipton
Public Relations Director 

Shain Khoshbin and Aaron Dilbeck for Corporate Counsel, January 5, 2018.

The Computer Fraud and Abuse Act (CFAA) is a federal statute that provides for not only criminal liability, but also civil liability, when a person accesses a computer “without authorization” or “exceeding authorized access.” However, as a result of differing opinions among federal circuit courts, the scope of actionable conduct under the CFAA remains unclear. And due to high-profile cases like United States v. Nosal and Facebook v. Power Ventures, the CFAA has recently drawn increased attention from practitioners and scholars alike—often hoping for the Supreme Court to end the lack of clarity under the statute. This has not yet happened.  Nevertheless, this attention has led to the issue of when and how can password sharing be subject to criminal (and civil) liability.

The CFAA’s Muddy Waters

There has been much debate and consternation over what the phrase “exceed authorized access” in the CFAA means. Numerous articles have addressed this issue and the circuit split concerning this issue. Nonetheless, some of this attention and analysis has been misplaced.

For example, some commentators and practitioners have mistakenly conflated the phrase “without authorization” (which is not defined in the CFAA) with the phrase “exceeds authorized access” (which is defined in the CFAA)—often just referring generically to “authorization.” Further muddying the waters, some courts have interpreted the defined term “exceeds authorized access” narrowly (to avoid making an act commonly subject to civil liability into a criminal act), and other courts have interpreted it broadly (to make everyone liable for his/her cybermisdeeds). Indeed, that phrase has led to “a subtle and fraught inquiry” (Facebook Resp. to Pet. for Cert. p. 12) into whether “exceeds authorized access” includes using a work computer for non-work purposes, violating a terms of use agreement, and accessing information in one part of a network for which permission was not expressly given.  Unfortunately, the Supreme Court has yet to uniformly define the CFAA’s phrase “exceed authorized access.”

Password Sharing in the CFAA’s Muddied Waters

This lack of uniformity in the law has become a subject of growing concern, including concern over whether the statute transforms mundane and nonmalicious acts—those that may otherwise be a civil issue—into a criminal matter. For example, in United States v. Nosal(9th Cir. 2012) (Nosal I), a former employee of a company conspired with current employees of that company to use their passwords to access and download files from the company’s database to start a competing business.  In basically ruling that violating terms of use does not constitute violating the CFAA, the en banc panel stated: “If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”

Then later in United States v. Nosal (9th Cir. 2016) (Nosal II), the U.S. Court of Appeals for the Ninth Circuit essentially held that those now all former employees violated the CFAA because, after their former employer revoked their access to its computers, they used a current secretary’s password to access the computer. In sum and substance, that revocation was all that mattered for the majority’s opinion as it concerned violation of the CFAA. Significantly, in his dissenting opinion in Nosal II, Judge Reinhardt noted that—under the majority’s opinion—one spouse may be in violation of the CFAA for using the other spouse’s password (with permission) to pay a bill on their bank’s website. To further illustrate his concern, Judge Reinhardt noted that the majority’s interpretation of the CFAA may turn a parent’s checking his child’s email account into a federal crime.

This issue was recently highlighted in Facebook v. Power Ventures (9th 2016). In that case, Power Ventures, a social networking company, received permission from Facebook account holders to access their accounts and aggregate the social media information in one place. While the account holders desired such a service that aggregated their information, Facebook did not approve and sent Power Ventures a cease and desist letter. When Power Ventures disregarded Facebook’s cease and desist letter, Facebook sued it for violating the CFAA. And although Power Ventures had the account holders’ permission to access their accounts, the Ninth Circuit affirmed the lower court’s holding that Power Ventures was liable for accessing Facebook’s computers “without authorization.”

When all is said and done, it may be that the courts have lost their way with regard to the purpose and scope of the CFAA. Or, at a minimum, both the courts and the legislature have not been able to keep up with the velocity of changes in technology as it concerns the CFAA. Originally titled the Counterfeit Access Device and Computer Fraud and Abuse Act, the CFAA was enacted in 1984 basically to address the theft of classified information from government computers. In fact, the CFAA was exclusively a criminal law until it was amended in 1994 to also provide for civil liability. The most recent amendment was introduced in May 2008, less than a year after the release of the first iPhone and before a single Android device was sold.

The Jersey in the Locker

Perhaps part of the confusion in the law arises from the fact that computers have become so much more than a machine that a person uses to process and keep his/her own information. In fact, in today’s day and age, and increasingly so, “computers” often contain someone else’s information. Herein may lie some insight into the issue with the CFAA and password sharing.

Consider a computer and the data in that computer as a locker and a jersey in that locker.  Computers can be password protected and lockers can be pad-locked. Also, data can be stolen without harming the computer like a jersey can be stolen without damaging the locker. Power Ventures essentially held that the locker owner has a CFAA cause of action against someone who takes the jersey in the locker, even though the jersey’s owner gave that someone the pad-lock combination and permission to take the jersey. Indeed, that person who took the jersey with permission of its owner could be held criminally liable for this seemingly innocent act. Yet, Nosal Iessentially held that the locker owner did not have a CFAA cause of action against someone who wrongfully takes the jersey, which belongs to the locker owner, because the locker owner at one point gave the pad-lock combination to that someone to use the locker. Then, Nosal II essentially held that the locker owner had a CFAA cause of action against someone who takes the jersey, which belongs to the locker’s owner, even though that someone received the pad-lock combination from a person authorized by the locker owner to use the locker.

Insights Into the CFAA Arising From Jersey-In-The-Locker Comparison

In sum, while the owner of the information and the computer where it is stored is often the same, the two different properties can easily have different owners in today’s age of the Internet, social media, and cloud computing. As it concerns “password sharing” (where there is no damage to the computer system itself), perhaps one method to resolve inconsistencies in the interpretation and application of the CFAA is to start focusing the analysis on who owns the information in the computer for which the password is being used. It is noteworthy that the CFAA was originally enacted to protect government information contained in government computers from cybercriminals. Now, however, a social media company has been held liable under the CFAA because it accessed a Facebook account holder’s posts, after receiving permission from that account holder to do so.

The judiciary, or preferably Congress, needs to address the CFAA’s lingering issues, including exactly what and whom the CFAA was meant to protect. Indeed, in addition to conflicting opinions over the meaning of “exceeds authorized access,” courts also disagree about what constitutes an actionable “loss” under the CFAA. In the meantime, however, the CFAA remains a useful tool to businesses as a part of their crisis management plan(s) for data breaches, and to seek justice from those who improperly access electronic assets.  Because of the ongoing debates and uncertainty regarding the scope of the CFAA, businesses need to plan ahead to realize the statute’s value. For example:

  • If possible in the given business model, companies should ensure that data they wish to protect is password protected (and even separately password protect different databases in the same network) because—in the first instance—the issue of authorization may turn on whether the information is adequately password protected or publically available. See HiQ v. LinkedIn (N.D. Cal. 2017) (now on appeal);
  • Carefully issue passwords (with regular updates), specifically limit authorization to those password-protected databases, and delineate the purpose of such access; and
  • Effectuate policies, procedures, terms and conditions and/or user agreements that delineate such protections, including the prohibition of password sharing and automatic termination of rights of access/authorization upon certain defined events.

Reprinted with permission from the Jan. 5, 2018 edition of Corporate Counsel. ©2018 ALM Media Properties, LLC.  All rights reserved.  Further duplication without permission is prohibited.”