Not exactly. A divided Ninth Circuit panel recently affirmed the conviction of a former employee under the Computer Fraud and Abuse Act (“CFAA”), holding that “[u]nequivocal revocation of computer access closes both the front door and the back door” to protected computers, and that using a password shared by an authorized system user to circumvent the revocation of the former employee’s access is a crime. United States v. Nosal, (“Nosal II”) Nos. 14-10037, 14-10275 (9th Cir. July 5, 2016). The dissenting opinion raised concerns that the majority opinion would criminalize password-sharing in a wide variety of contexts where the password was shared by an authorized user but in violation of a service provider’s terms of service, such as for email or social networking.
An inside job
David Nosal was a recruiter employed by the executive search firm Korn/Ferry. To serve its clients and help place executives in response to talent searches, Korn/Ferry maintained a confidential, proprietary database containing detailed personal information about over one million executives. Nosal left Korn/Ferry and launched a competing firm with two other Korn/Ferry colleagues. Korn/Ferry revoked Nosal and his colleagues’ authorization to access its database. After Nosal and his colleagues left Korn/Ferry, Nosal’s colleagues accessed the database at his behest using the log-in credentials of Nosal’s former executive assistant, who remained employed at Korn/Ferry and who was authorized to access the database. They used the assistant’s valid credentials in order to run searches for candidates and thereby compete with Korn/Ferry. Nosal was convicted of violating the CFAA on a theory of accomplice liability based on his colleagues’ actions. He was ordered to pay a sizeable restitution award to Korn/Ferry.
What does “without authorization” mean, anyway?
The CFAA imposes criminal penalties on whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .” 18 U.S.C. § 1030(a)(4) (emphasis added). In a previous appeal in the Nosal case (“Nosal I”), the Ninth Circuit held that the “exceeds authorized access” prong makes criminal conduct out of “violations of [a company’s] use restrictions.” The Ninth Circuit’s decision in Nosal II, however, focused entirely on the “without authorization” prong of the CFAA.
The majority concluded that “without authorization” is unambiguous, and that the Ninth Circuit’s ruling in LVCR Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) applied to Nosal’s conduct: “[A] person uses a computer ‘without authorization’ under [the CFAA] . . . when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.” The court stated that refusing to apply the CFAA to circumstances where an authorized user shared log-in credentials with a person whose credentials had been revoked by the owner of a protected computer system would “remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.”
So is password-sharing now a crime?
Judge Reinhardt dissented from the majority’s opinion, expressing concerns that the ruling would criminalize “password sharing.” Judge Reinhardt warned that the majority opinion “threatens to criminalize all sorts of innocuous conduct” and does not provide “a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners” like email service providers or social networking sites. Judge Reinhardt asserted that, in order to avoid criminalizing such commonplace conduct, the “best reading of ‘without authorization’ in the CFAA is a narrow one: a person accesses an account ‘without authorization’ if he does so without having the permission of either the system owner or a legitimate account holder.” (Emphasis original.)
It will be left to future cases to ascertain the outer boundaries of the majority’s holding. It seems unlikely that the Ninth Circuit would uphold a CFAA conviction of a person who watched Netflix using a friend’s login credentials, but Judge Reinhart correctly points out that there is no inherently limiting language in the statute itself. So, future litigants may focus on the Nosal II majority’s discussion of “revocation of access” as a means to distinguish simple password sharing. It would be one thing for a person to use a friend’s Netflix account to watch movies; it would be another thing if the person had previously had a Netflix account revoked for downloading and selling pirated copyrighted works, then used a friend’s account to circumvent the “revocation of access” and continue such piracy. The problem is, the statute’s language does not make any distinctions based on “revocation of access.” It remains to be seen whether Nosal II provides a workable rule for applying the CFAA in future cases.
Practical Implications for Employers
Setting aside the great password-sharing debate, Nosal II makes clear that criminal sanctions can be imposed against former employees who improperly access their employer’s systems after their authorization to do so is revoked by the employer. Whether former employees use their old log-in credentials or use those of current employees who are themselves authorized to use the employer’s systems, Nosal II means that any such access is “without authorization” under the CFAA.