Under the 1986 Computer Fraud and Abuse Act, it’s a criminal act to intentionally access a computer or computer system without authorization. The law also allows victims of unauthorized access to sue for damages. In the modern world of the internet and social media, however, the definition of “unauthorized” has become contentious.
The CFAA does not specifically define who has the power to authorize access, so courts have had to do their best to determine what Congress meant when it passed the law, or similar laws.
In two cases, the 9th Circuit Court of Appeals ruled that only the owner of a computer or system can legally grant access. It seems that the appellate court has determined that third parties to the system, such as customers or employees, do not have that authority.
The appellants, along with the Electronic Frontier Foundation and other rights groups, say that definition is too limited for criminal law. They argue that clearly non-criminal behavior such as sharing your Facebook password with your spouse is made criminal under the 9th Circuit’s definition.
The first case involved a Cayman Islands-based company called Power Ventures, Inc., which was providing its users with the ability to access their Facebook accounts through its own online portal. Facebook sued for damages, but the company denied accessing anything without authorization. It had obtained each user’s consent before providing the access, along with consent to access whatever data they had stored in their Facebook accounts. Facebook said, however, that Power Ventures was accessing data from other users as well, making its data collection insecure.
In the second case, an executive recruiter was found to have accessed a confidential database owned by his former employer. He was assisted by two other former employees who obtained the login of a third employee who was still at the company. A jury found him guilty of violating the CFAA.
The two 9th Circuit cases had been consolidated in a bid for a hearing before the U.S. Supreme Court, but the high court has declined the cases. That leaves the 9th Circuit definition in place for the foreseeable future — and that means both criminal and civil liability for the appellants.
It may also mean that access to a computer or system by virtually anyone but the account holder and the owner is unauthorized if the owner prohibits password sharing, as most do. As the appellants and rights groups pointed out, this could have major implications for spouses, small companies and others who feel that password sharing is useful or important.
The high court’s inaction leaves a dangerously narrow rule in place, making it possible for seemingly innocent behavior to be interpreted as criminal.