The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, was enacted by Congress in 1986 as an amendment to the Counterfeit Access Device and Abuse Act. While the CFAA is primarily a criminal law, an amendment in 1994 allows civil actions to be brought under the statute.
While the CFAA has been amended many times in attempts to make it successfully evolve with the needs of computer users, rulings in two recent Ninth Circuit cases leave many other questions unanswered about the proper interpretation of the law, opening the door for more uncertain litigation, and perhaps the prosecution of individuals that are predominantly innocent computer users.
In August of this year (2016), in U.S. v. Nosal, charges under the CFAA were brought based upon the government’s theory that Nosal violated the CFAA when former employees acting on his behalf allegedly used the legitimate access credentials of a current company employee, with that employee’s knowledge and permission, to access the propriety database of Nosal’s former employer. The district court refused to dismiss these charges, and Nosal was convicted in a jury trial, and given a sentence of one year and one day in prison.
Under the ruling in Nosal, only the person (or entity) that owns a computer, rather than an individual who just uses it or holds an account to use it, may “authorize” another person to validly access the computer. Under this rationale, for example, a spouse could not lawfully log into another spouse’s bank, utility, or other account, even with their permission or at their request, provided that the spouse knows that he or she doesn’t have permission from the host party to access its site.
In Facebook v. Power Ventures, decided after Nosal, a separate Ninth Circuit panel acknowledged that a computer user may validly authorize another to use their username and password, thus taking a step back from Nosal’s blanket criminalization of password sharing. In the Power Ventures case, Facebook users had given the defendant their usernames and passwords in order to organize and view all of their social media information in one location on their computer. These users gave Power Ventures permission to access accounts, but Facebook objected.
The court ruled that Facebook users could validly authorize Power Ventures to access their accounts, despite such authorization being a violation of Facebook’s terms of agreement. However, once Facebook expressly revoked permission, the consent that Power Ventures had received from Facebook users was insufficient to grant continuing authorization, and continuing to access Facebook’s computers was a violation of the CFAA.
Thus, an authorized user may designate someone to use his or her account despite any express prohibition in a contractual agreement, but if the computer owner yet again rebukes this action, this is somehow sufficient for the user to lose his or her authority, resulting in any continued use being considered a crime. If this isn’t confusing enough, the court’s decision fails to clarify the meaning of “authorized access” or from where such authorization must derive.
If you are an employer in California, it is important to obtain sound legal guidance for your business. DeAnn Flores Chase and her team of experienced attorneys can advise you on all your business needs. Contact Chase Law Group, P.C. at (310) 545-7700 or visit www.chaselawmb.com to schedule a consultation.