Sharing passwords? A Supreme Court Decision Soon Could Have Meaningful Consequences

In its new term, the Supreme Court could decide if someone who uses a work computer or takes social media data without authorization can be found guilty of breaking a federal law. The Computer Fraud and Abuse Act (CFAA), which addresses computer hacking, broadly criminalizes intrusion into computer systems. The CFAA imposes criminal penalties on whoever “accesses a protected computer without authorization or exceeds authorized use.”

Recently, in United States v. Nosal, the Ninth Circuit upheld the conviction of a defendant whose co-conspirators used someone else’s login information to access the computers of the defendant’s former employer. Much of the controversy centers on the attempt to define “without authorization.” The majority concluded that the term was unambiguous and gave the term its plain and ordinary meaning. According to the majority, only the computer owner holds the power to allow or disallow access to its systems. Critics, however, have argued that the majority’s interpretation could criminalize password sharing and inhibit the growth of cloud computing and other technologies. For example, as the dissent notes, the same “without authorization” language is used throughout the CFAA, including in broad provisions that do not require any fraud or intent.

Thus, the belief that only the owner of the system has authority to grant access undermines the authorization upon which many forms of computer access depend: it could be a crime for an individual to log in to someone else’s Facebook or Twitter account with that person’s permission.

As such, the dissent would have allowed the widespread practice of password sharing, in which legitimate users give others access to systems. The conflict between the two sides highlights the difficulties in interpreting the CFAA. One side gives power to the CFAA and reserves the power to grant authorization to system owners, while the other side worries that this position runs the risk of overcriminalization under an old and unclear statute.

In Facebook Inc. v. Power Ventures, Inc., the Ninth Circuit again used a similar approach in deciding who may grant and receive authorization. In this case, the court held that a social media aggregator violated the CFAA by accessing Facebook user data with permission from the users but not from Facebook. The court noted that users could delegate authorization, but a system owner could override and revoke that grant of authorization. Here, users of Power Ventures’ site had given the site their Facebook login credentials and permission to access Facebook on their behalf. Facebook then issued a cease-and-desist letter prohibiting Power Ventures from accessing its site. When Power Ventures continued to use Facebook, Facebook sued. Power Ventures argued that Facebook isn’t a “protected computer” under the meaning of the CFAA, but rather a website that allows users to share their personal data. It further argued that the authorization required under the CFAA should come from the data owners and users. Again, critics of this decision warn that it could have immense implications for users of social networking sites and that it just gives more power to data controllers like Facebook.

The Ninth Circuit could’ve lessened the chances of overcriminalization under the act by creating a distinction between individuals who are explicitly denied access and those who lack authorization from the system owner but may have authorization from a legitimate user. Instead, the two cases have created confusion over the types of conduct that the statute prohibits and could be used as a tool for policing internet use if the Supreme Court does not decide to clarify the meaning of the law.