Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the U.S. Supreme Court to review a ruling that threatens to transform a law against computer break-ins into a mechanism for criminalizing password sharing and policing Internet use.

In an amicus brief filed today, EFF urged the court to weigh in on a case in which an individual was charged with violating the Computer Fraud and Abuse Act (CFAA), a law intended to criminalize breaking into computers to access or alter data. Under the CFAA, it’s illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—“without authorization” or in excess of authorization. But the law doesn’t tell us what “without authorization” means.

Some courts have recognized that the CFAA must be interpreted narrowly to stay true to Congress’s intent of targeting crooks breaking into and stealing data from computers. These courts agreed that the CFAA mustn’t be used against, say, employees checking sports scores at work in violation of rules restricting workplace Internet use to company business, or against people who shared their Facebook passwords in violation of Facebook’s terms of service.

But other courts—including the U.S. Court of Appeals for the Ninth Circuit in its 2016 U.S. v. Nosal decision—have broadly interpreted the statute to cover using a computer in a way that violates corporate policies, preferences, and expectations. In the case, David Nosal, an ex-employee of the Korn/Ferry executive recruiting firm, was charged with violating the CFAA after other ex-employees acting on his behalf accessed Korn/Ferry’s proprietary database using legitimate credentials of a current company employee. The current employee knew of and authorized the use of her credentials, which was against Korn/Ferry’s computer policies. The Ninth Circuit found that in using the shared password, Nosal accessed the database “without authorization.” The court said that implicit in the definition of “authorization” is the proposition that authorization can come only from a computer owner—here, Korn/Ferry—not an employee with legitimate access credentials.

There is nothing in the CFAA, or even in the dictionary, that defines “authorization” to mean only permission from a computer owner. The Ninth Circuit imported a corporate ban on password sharing into its definition of “without authorization.”

“This ruling threatens to turn millions of ordinary computer users into criminals,” said EFF Staff Attorney Jamie Williams. “Innocuous conduct such as logging into a friend’s social media account or logging into a spouse’s bank account, with their permission but in violation of a corporate prohibition on password sharing, could result in a CFAA prosecution. This takes the CFAA far beyond the law’s original purpose of putting individuals who break into computers behind bars.”

“EFF has long advocated for reforming the CFAA, which overzealous prosecutors have exploited in troubling ways,” said Williams. “The Supreme Court can do its part by reviewing the Ninth Circuit’s troubling decision and giving ‘authorization’ an appropriately narrow definition, specifically clarifying that password sharing is not—and was never intended to be—a crime.”

For EFF’s brief:

https://www.eff.org/document/nosal-v-us-cert-petition



For more on this case:

https://www.eff.org/cases/u-s-v-nosal