Share Your Password, Become a Hacker?

By Christopher Coble, Esq. on October 11, 2017 | Last updated on March 21, 2019

The federal Computer Fraud and Abuse Act prohibits accessing a protected computer without authorization. That seems clear enough, until you consider the myriad permutations of authorization.

Let's say I have permission to access a computer at work. Can I give authorization, by way of my username and password, to a coworker? What about someone else? Let's say a former coworker had his access to our computer system revoked, and I let him use my login info -- does that make me a hacker? Or him?

The Supreme Court declined to weigh in on these questions, presumably believing the Ninth Circuit Court of Appeals had settled them adequately. So what were those cases and what constitutes hacking nowadays?

No Authorization

In one case, executive recruiter David Nosal was found guilty of computer fraud by a jury for accessing a confidential database belonging to his former employer. Two other former company employees used the login credentials of a third employee still at the company to download confidential information from the database to use at Nosal's new enterprise.

In the other case, Facebook successfully sued social media platform Power Ventures after Power began offering its users access to Facebook through its own online portal. Power appealed, arguing it had users' consent to access data they had stored on Facebook.

Both Nosal and Power argued that, because the CFAA doesn't define who grants authorization, owners or account holders may do so, meaning their access was not unauthorized under the statute.

No Back Door

And in both cases, the Ninth Circuit decided that such access was unauthorized. In Nosal, the court reiterated that "once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door."

In Facebook, the court found that revocation in Facebook's cease-and-desist letter to Power Ventures. "Once permission has been revoked," the court reasoned, "technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability."

The Supreme Court declined the appeals in both cases, letting the Ninth Circuit's interpretation of the CFAA stand. Meaning that using someone else's login information to access a database or account, even with their permission, may constitute hacking under federal law. One good note? The court in Facebook's case explicitly stated that "a violation of the terms of use of a website -- without more --cannot be the basis for liability under the CFAA." So you don't have to worry you might go to federal prison for not reading those. (Hopefully.)

Related Resources:

Copied to clipboard