Editors' pick: Originally published July 20.
Many of the worst issues in technology originate with copyright and patent trolls, but what is often rated as the absolute worst piece of cyber law comes from an even less sophisticated space: security. It's the Computer Fraud and Abuse Act (CFAA), an anti-hacking statute written so broadly that it can reach just about everybody. Read literally, it makes acts as mundane as sharing the password to your Netflix account illegal.
Critics have long warned that by criminalizing "unauthorized access," the CFAA effectively gives software terms of service the force of law. With hefty punishments and ill-defined language about "unauthorized access," it can turn pranks into felonies and password sharing into a crime.
This is the problem with overly broad laws. Congress has inadvertently made using someone else's Netflix password a federal crime, one that can carry up to five years in prison when done for commercial advantage or financial gain, and up to ten for a repeat offense. And, let's face it, the second season of "Daredevil" wasn't good enough to be worth risking time in the slammer.
This interpretation has long been controversial, given America's longstanding policy of not attaching criminal penalties to contract disputes. Yet a pair of recent cases out of the Ninth Circuit have poured fuel on the fire, upholding exactly the reading of the CFAA that privacy advocates fear.
United States v. Nosal is the criminal case of one David Nosal, a former employee of the recruiting firm Korn/Ferry. After leaving to set up his own agency, Nosal had two former colleagues, whose own Korn/Ferry credentials had already been revoked, log on to the firm's database with a current employee's password and pull confidential information. This, prosecutors argued, was a violation of the CFAA's prohibition on unauthorized access. The court agreed.
In upholding Nosal's conviction, Judge Margaret McKeown wrote that "'without authorization' is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission" and went on to clarify that this permission can only come from the system's owner.
"Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing," McKeown wrote, trying to defuse the implications of her own ruling. "But these warnings miss the mark in this case. This appeal is not about password sharing."
This is what lawyers call limiting a decision to its facts: a judge's attempt to confine a ruling to the case in front of her so that it has a one-time application. It doesn't work. Judges decide what the law means, but they don't get to do so selectively. Inconvenient as it may be, McKeown's decision seems to have a plain and ordinary meaning of its own:
When someone accesses a computer without the owner's permission, or in spite of specifically withheld permission, it's punishable as a felony under the CFAA. And most terms of service do ban sharing your login credentials.
"The section doesn't say, 'Don't break into a device,'" explained Jamie Williams, an attorney with the Electronic Frontier Foundation. "It prohibits 'unauthorized access' of a computer, but it doesn't define what authorized access means."
"Nosal exemplifies this," she said. "This is so unclear [that it] has deterred security researchers from publishing research findings, because the statute is so broad."
It's a problem, Williams pointed out, that's only going to get more complex as an increasing number of devices come with microchips.
A second case, decided shortly after the Nosal decision by the Ninth Circuit, only muddied the waters further.
In Facebook v. Power Ventures the court considered a social media aggregator service that Facebook sued under the CFAA for logging in to Facebook on behalf of its users.
The terms of service don't allow third-party access, Facebook argued, and it emphasized this by sending Power Ventures a cease and desist letter. The court agreed, holding specifically that Facebook's second, direct notice to Power Ventures was what made the difference.
In her opinion, Judge Susan Graber wrote (referring to Power Ventures as "Power"):
Initially, Power users arguably gave Power permission to use Facebook's computers to disseminate messages. Power reasonably could have thought that consent from Facebook users to share the promotion was permission for Power to access Facebook's computers. In clicking the "Yes, I do!" button, Power users took action akin to allowing a friend to use a computer or to log on to an e-mail account. Because Power had at least arguable permission to access Facebook's computers, it did not initially access Facebook's computers "without authorization" within the meaning of the CFAA.
But Facebook expressly rescinded that permission when Facebook issued its written cease and desist letter to Power on December 1, 2008.
The record shows unequivocally that Power knew that it no longer had authorization to access Facebook's computers, but continued to do so anyway.
In other words, Facebook's terms of service alone couldn't establish a CFAA violation, but its specific notice did. This hurts as much as it helps.
In a sense, Power Ventures adds at least some clarity to the question of who gets to authorize a user. According to Graber's opinion it's the owner of the computer, not the account holder. Whether or not the end user gives permission, the server owner can revoke it any time it wants.
In another sense, however, this case just muddies the waters further.
After all, apparently the end user can allow third parties legitimate access to begin with, regardless of terms of service.
And why does a cease and desist letter (the dispositive element of Graber's entire opinion) matter so much? Seemingly the logic boils down to notice. Although Facebook was clear in its terms of service, Power Ventures didn't break the law until it knew that Facebook really, specifically meant it.
Nosal and Power Ventures matter. Although these decisions are binding only within the Ninth Circuit, that court has a lot of influence when it comes to technology issues. And this is an issue that needs to be resolved.
Companies are right to argue that they should retain control over who can access their computer systems. As Ed Cabrera, Chief Cybersecurity Officer at Trend Micro, pointed out, the problem of cybercrime is growing more urgent every day.
"To what extent and how expansive the issue of password sharing is, it's not known," he said, "however one thing is for certain. Stolen credentials are used daily by cybercriminals to breach victim networks around the world and so for that reason alone any password sharing at any level is incredibly insecure and ill advised."
It's also fair for many services to argue economics. As much as we may jealously guard the right to share Netflix passwords with our roommates or parents, exactly how far can that go? Should a user be allowed to share his account with the apartment building? The city block? Can he tweet it?
In a world where streaming services reportedly lose $500 million a year to password sharing, it's a fair point.
The problem with this whole muddled situation is that users have a fair point too.
A paying Netflix subscriber may feel entitled to give other people access to what is theirs. Being told that doing so is a crime feels like having your landlord evict you for having a roommate or houseguests.
Perhaps more importantly, the CFAA's punishments are breathtaking. A law intended to prevent hacking could now make felons of people for the crime of letting their cousins watch "Game of Thrones" semi-legitimately. The statute's private right of action (which, to be fair, requires the plaintiff to show at least $5,000 in loss or one of a few other aggravating factors) could allow providers to package huge potential lawsuits into their terms of service, creating a world where Amazon sues whenever someone else hops on your Prime account.
And abuse of this law has happened many times before.
It's frightening to have a private right of action where the law is so incredibly unclear on mundane practices. It's downright terrifying when that law comes with criminal penalties.
"We have two decisions by six different judges," Williams said of Nosal and Power Ventures, "and at the end of them we're left with a state of CFAA law that's incredibly confusing."
"People are right to be upset when you have a law that could be applied so broadly," Williams added. "Even when the government promises to use restraint, that's not good enough."