How The CFAA Ruling Affects Individuals And Password-Sharing

How The CFAA Ruling Affects Individuals And Password-Sharing

Individuals and Password-Sharing

With the 1980s came the explosion of computing. In 1980, the Commodore ushered in the advent of home computing. Time magazine declared 1982 was “The Year of the Computer.” By 1983, there were an estimated 10 million personal computers in the United States alone.

As soon as computers became popular, the federal government began to legislate their use. In 1986, the Comprehensive Crime Control Act was amended to included the Computer Fraud and Abuse Act (CFAA). The CFAA criminalized trafficking in passwords, distributing malicious code, and other computer-related acts.

The CFAA has been amended five times in four decades (including in 2001 when it was amended by the Patriot Act), and the courts have interpreted it in ways that further extend its scope. The result is a law that Tim Wu called “the worst law in technology.” As part of his article for The New Yorker, Wu wrote:

Orin Kerr, a former Justice Department attorney and a leading scholar on computer-crime law, argues persuasively that the law is so open-ended and broad as to be unconstitutionally vague. Over the years, the punishments for breaking the law have grown increasingly severe—it can now put people in prison for decades for actions that cause no real economic or physical harm. It is, in short, a nightmare for a country that calls itself free.

Wu wrote these words in 2013, and the CFAA is only worse today. It goes far beyond its original intent to target cybercriminals and hackers, and now threatens many normal people, using their computers in harmless and legitimate ways.

Nothing demonstrates this as ominously as the July 5 opinion from the U.S. Ninth Circuit Court of Appeals. In this opinion, the court found that sharing passwords can be grounds for prosecution under the CFAA. Theoretically, this means a husband could be prosecuted for sharing a banking password with his wife, or vice versa.

The court issued this opinion knowing full well the implications of it. They state in their opinion, quoting part of another court’s ruling:

We are mindful… that ill-defined terms may capture arguably innocuous conduct, such as password sharing among friends and family, inadvertently ‘mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.’”

Their “mindfulness” will be of cold comfort to Americans who are prosecuted under CFAA. It’s not only innocuous password-sharing that makes someone run afoul of the Act; it has also been used to prosecute the violation of terms of service agreements. Most infamously, the FBI used it to pursue Aaron Swartz. Swartz was a programmer and activist who downloaded research papers from a database at MIT, in violation of its terms of service. The fact that he was a research fellow at MIT, with authorized access to the database, didn’t matter. Swartz committed suicide while under federal indictment.

The July 5 opinion from the Ninth Circuit Court of Appeals will turn many others like Swartz into criminals. The dissenting judge on the case noted this, stating that the majority opinion “… loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”

The vagueness of the CFAA and the nuances of terms of service, which vary from company to company, make this ruling dangerous for ordinary corporate and individual citizens. Will sharing a bank or Netflix password with a spouse or child be a federal crime? The only way to know would be to find the terms of service, find any clauses that apply to password- or account-sharing, and work out how it legally applies in each case. It’s not simple or straightforward.

Take the examples of Netflix and HBO Go. Both subscription-based services have limits that prevent too many people from using the same account. Both companies’ CEOs have stated account-sharing is positive. They view it as an excellent way of marketing their services.

Yet this ruling raises many questions about what the government may consider an offense worthy of prosecution, regardless of what Netflix or HBO thinks about it. Is it a violation of the CFAA if a Netflix account owner enters the password to their account to watch a show on a friend’s device? Does that count as password-sharing?

The situation gets even murkier when:

  • A service’s terms of service do not specify if you can or cannot share passwords.
  • It’s not easy to find the terms of service.
  • The login to a service uses a multi-factor login (such as a Facebook account) rather than a password. In this situation, does sharing your Facebook account then count as password-sharing for the other service?
  • Corporations keep password libraries for use of many employees in the same company.

This ruling also fails to account for the practical nature of life and business. How can a parent or business plan for serious illness, death, or other significant events without consensual password-sharing? Our personal and business lives revolve around myriad disparate online services requiring password access, and in some cases not sharing those passwords could lead to serious business or personal disruptions. Consider, for instance, a wife using her husband’s bank accounts to pay the bills while he is in the hospital.

It’s dispiriting to watch individuals being prosecuted. The CFAA has veered far from its original intent of targeting hackers and other egregious offenders. It’s possible it will be used like the Digital Millennium Copyright Act (DMCA) was used to go after illegal file sharers in bulk, going after the many, many Americans who innocuously share their passwords with others.

 

Sadly, this is only one of many recent examples of the courts extending the scope of criminal law in a way that seriously undermines people’s ability to function and do business on the Internet. The cases of Lavabit and Apple clearly show the encroachment of government fingers into the electronic privacy rights of American citizens.

There is some steady light at the end of this tunnel. Another ruling shortly after the July 5th one, in Facebook v. Power Ventures, a separate court ruled that one can willfully pass along your authorization to specific login credentials to another person. However, even this ruling leaves many unanswered questions as to what types of activity are allowed and what “authorized access” exactly means. In particular, under what specific conditions can this delegated access be revoked such that continued use would be considered a crime?

The message of these cases: The government gets to dictate how Americans use computers and the Internet, regardless of their rights or what makes sense. Americans should be vigilant in staying on top of the legal developments surrounding their online lives, and communicate loud and clear with their representatives to let them know what they think about legislation such as the CFAA.

By Erik Kangas

About Erik Kangas

LuxSci founder Erik Kangas has an impressive mix of academic research and software architecture expertise, including: undergraduate degree from Case Western Reserve University in physics and mathematics, PhD from MIT in computational biophysics, senior software engineer at Akamai Technologies, and visiting professor in physics at MIT. Chief architect and developer at LuxSci since 1999, Erik focuses on elegant, efficient, and robust solutions for scalable email and web hosting services, with a primary focus on Internet security. Lecturing nationally and internationally, Erik also serves as technical advisor to Mediprocity, which specializes in mobile-centric, secure HIPAA-compliant messaging. When he takes a break from LuxSci, Erik can be found gleefully pursuing endurance sports, having completed a full Ironman triathlon and numerous marathons and half Ironman triathlons.

View Website
View All Articles

Sorry, comments are closed for this post.

Comics
Using Cloud Technology In The Education Industry

Using Cloud Technology In The Education Industry

Education Tech and the Cloud Arguably one of society’s most important functions, teaching can still seem antiquated at times. Many schools still function similarly to how they did five or 10 years ago, which is surprising considering the amount of technical innovation we’ve seen in the past decade. Education is an industry ripe for innovation…

Despite Record Breaches, Secure Third Party Access Still Not An IT Priority

Despite Record Breaches, Secure Third Party Access Still Not An IT Priority

Secure Third Party Access Still Not An IT Priority Research has revealed that third parties cause 63 percent of all data breaches. From HVAC contractors, to IT consultants, to supply chain analysts and beyond, the threats posed by third parties are real and growing. Deloitte, in its Global Survey 2016 of third party risk, reported…

Three Reasons Cloud Adoption Can Close The Federal Government’s Tech Gap

Three Reasons Cloud Adoption Can Close The Federal Government’s Tech Gap

Federal Government Cloud Adoption No one has ever accused the U.S. government of being technologically savvy. Aging software, systems and processes, internal politics, restricted budgets and a cultural resistance to change have set the federal sector years behind its private sector counterparts. Data and information security concerns have also been a major contributing factor inhibiting the…

The Cancer Moonshot: Collaboration Is Key

The Cancer Moonshot: Collaboration Is Key

Cancer Moonshot In his final State of the Union address in January 2016, President Obama announced a new American “moonshot” effort: finding a cure for cancer. The term “moonshot” comes from one of America’s greatest achievements, the moon landing. If the scientific community can achieve that kind of feat, then surely it can rally around…

Cloud-Based or On-Premise ERP Deployment? Find Out

Cloud-Based or On-Premise ERP Deployment? Find Out

ERP Deployment You know how ERP deployment can improve processes within your supply chain, and the things to keep in mind when implementing an ERP system. But do you know if cloud-based or on-premise ERP deployment is better for your company or industry? While cloud computing is becoming more and more popular, it is worth…

Maintaining Network Performance And Security In Hybrid Cloud Environments

Maintaining Network Performance And Security In Hybrid Cloud Environments

Hybrid Cloud Environments After several years of steady cloud adoption in the enterprise, an interesting trend has emerged: More companies are retaining their existing, on-premise IT infrastructures while also embracing the latest cloud technologies. In fact, IDC predicts markets for such hybrid cloud environments will grow from the over $25 billion global market we saw…

The Rise Of BI Data And How To Use It Effectively

The Rise Of BI Data And How To Use It Effectively

The Rise of BI Data Every few years, a new concept or technological development is introduced that drastically improves the business world as a whole. In 1983, the first commercially handheld mobile phone debuted and provided workers with an unprecedented amount of availability, leading to more productivity and profits. More recently, the Cloud has taken…