Appeals Court Says That Sharing Passwords Can Violate Criminal Anti-Hacking Laws

from the wait-just-a-second... dept

Thu, Jul 7th 2016 9:34am — Mike Masnick

Remember David Nosal? He was the former Korn/Ferry executive looking to set up his own competing firm, but one that mainly relied on Korn/Ferry's big database of people. As part of that process, after he left the company to head out on his own, he had some former colleagues who were planning to join him log into their Korn/Ferry accounts to access information. Then after those employees left, they got another former colleague to share her password so they could continue to log in. He was charged with violating the criminal portion of the CFAA, under the theory that convincing his former colleagues to gather info for him was a terms of service violation -- and that meant he had "exceeded authorized access" under the statute. This became a key case in determining whether merely violating a terms of service could be considered criminal hacking under the CFAA. Thankfully, back in 2012, the 9th Circuit rejected such a broad ruling of the CFAA, pointing out that such an interpretation would "unintentionally turn ordinary citizens into criminals" and that couldn't be the intent from Congress. This was a huge win that helped limit some of the worst abuses of the CFAA.

However, the US government was not yet done with Nosal. It then filed new CFAA charges against him, not over the original information sharing, but rather for getting that last colleague to share her password with Nosal. The feds argued that this fell under the other prong of the CFAA, that it was a version of accessing a computer system "without authorization" (as opposed to exceeding authorization). Unfortunately, the 9th circuit appeals court has ruled that merely sharing a password can be a CFAA violation.

The underlying question was how can this be unauthorized access since an employee of Korn/Ferry chose to hand over her login info, and thus a fairly strong argument can be made that the access was now authorized -- i.e., it was authorized by an employee of Korn/Ferry. You could argue that that employee (who is referred to in the ruling as "FH") violated the terms of her work agreement, for which perhaps she should have been fired. But it's ridiculous to argue that merely receiving someone's password is a criminal act. And yet, that's what the court decided.

It tries to wave away the concerns about the everyday occurrence of password sharing by basically saying "but that's different." It also argues that if an employee handing over a password removes the CFAA, then the CFAA is never applicable to any situations where there's "an insider" helping to get scammers into a computer system:

FH had no authority from Korn/Ferry to provide her password to former employees whose computer access had been revoked. Also, in collapsing the distinction between FH’s authorization and that of Christian and Jacobson, the dissent would render meaningless the concept of authorization. And, pertinent here, it would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.

The court's majority ruling insists that this won't harm everyday password sharing... mainly because Nosal and his other colleagues had lost access to the database directly. The reasoning seems to be "well, they once had access, and now they don't, so now they know what they did was wrong."

Implicit in the definition of authorization is the notion that someone, including an entity, can grant or revoke that permission. Here, that entity was Korn/Ferry and FH had no mantle or authority to give permission to former employees whose access had been categorically revoked by the company. There is no question that Korn/Ferry owned and controlled access to its computers, including the Searcher database, and that it retained exclusive discretion to issue or revoke access to the database. After Nosal’s login credentials were revoked on December 8, 2004, he became an “outsider” and was no longer authorized to access Korn/Ferry computers, including Searcher. Christian and Jacobson’s credentials were also revoked after they left, at which point none of the three former employees were “insiders” accessing company information. Rather, they were “outsiders” with no authorization to access Korn/Ferry’s computer system.

The court later repeats that it's the combination of this password sharing with the fact that Nosal's own, earlier access, had been revoked that makes this a clear "without authorization" situation:

the circumstance here—former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer—bears little resemblance to asking a spouse to log in to an email account to print a boarding pass. The charges at issue in this appeal do not stem from the ambiguous language of Nosal I —“exceeds authorized access”—but instead relate to a common, unambiguous term. The reality is that facts and context matter in applying the term “without authorization.”

That feels a bit like handwaving. It's the court basically saying, "Well, we'd never go after just everyday password sharing, but this is serious!"

There's a separate issue of why Nosal is the one facing criminal charges. After all, he's not the one who shared the password! He was just the recipient. The government argues that Nosal "knowingly and intentionally aided" this "crime" of sharing the password. But the court is not too concerned about that, saying that he was in charge and demanded that his other employees "get what I need" in the form of access to Korn/Ferry's database.

To me, the dissent argument makes much more sense. This is expanding areas for which law enforcement can throw the CFAA book at people for doing fairly common things such as password sharing:

This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.

The dissent similarly argues that once an employee handed over the username and password, access was "authorized." It also makes a key point I've tried to raise in the past: if the CFAA is supposed to be about stopping "hacking," why is it always used for situations like this where there was no real "hacking"?

This narrower reading is more consistent with the purpose of the CFAA. The CFAA is essentially an anti-hacking statute, and Congress intended it as such. Nosal I, 676 F.3d at 858. Under the preferable construction, the statute would cover only those whom we would colloquially think of as hackers: individuals who steal or guess passwords or otherwise force their way into computers without the consent of an authorized user, not persons who are given the right of access by those who themselves possess that right. There is no doubt that a typical hacker accesses an account “without authorization”: the hacker gains access without permission – either from the system owner or a legitimate account holder. As the 1984 House Report on the CFAA explained, “it is noteworthy that Section 1030 deals with an unauthorized access concept of computer fraud rather than the mere use of a computer. Thus, the conduct prohibited is analogous to that of ‘breaking and entering.’” ...We would not convict a man for breaking and entering if he had been invited in by a houseguest, even if the homeowner objected. Neither should we convict a man under the CFAA for accessing a computer account with a shared password with the consent of the password holder.

The dissent further notes that this ruling appears to conflict with the ruling in the first Nosal case:

Worse, however, the majority’s construction would base criminal liability on system owners’ access policies. That is exactly what we rejected in Nosal I.... Precisely because it is unacceptable in our legal system to impose criminal liability on actions that are not proscribed “plainly and unmistakably,” ... it is also unacceptable to base “criminal liability on violations of private computer use policies.”

It also calls out the hand waving by the majority:

It is impossible to discern from the majority opinion what principle distinguishes authorization in Nosal’s case from one in which a bank has clearly told customers that no one but the customer may access the customer’s account, but a husband nevertheless shares his password with his wife to allow her to pay a bill. So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.12 It is not “advisory” to ask why the majority’s opinion does not criminalize this under § 1030(a)(2)(C); yet, the majority suggests no answer to why it does not.

The dissent is littered with examples of perfectly reasonable password sharing that may now be criminal acts. Orin Kerr, who has been involved in a number of high profile CFAA cases and has been quite vocal on the law, doesn't like the majority's reasoning, though he agrees with the result. I'm not convinced. It still seems to me the issue should be between the company and the employee who handed over the access, not Nosal for receiving such info, from an employee, and then using it.

That said, Kerr notes that much more attention should be focused on another case on a related topic -- Facebook's crazy lawsuit against Power.com, an online social network aggregator that used people's logins to collect and aggregate social media posts from a variety of platforms (including, obviously, Facebook). Kerr notes that the court can use this ruling to justify ruling either way in the Power case.

First, imagine the panel is inclined to rule for Facebook. It could incorporate Nosal II by saying that Facebook is like Korn/Ferry, Power is like Christian and Jacobson, and Facebook’s users are like FH. By that reasoning, Facebook revoked access rights by telling them to go away and by imposing an IP address block on Power. Power could not “sidestep the statute” by relying on permission of Facebook’s users who wanted them to access Facebook on their behalf.

On the other hand, if the panel is inclined to rule for Power, it could easily distinguish Nosal II. It could first say that telling Power to go away and blocking IP addresses is insufficient to revoke access rights because it does not actually cancel any authenticated accounts. If Facebook wants to revoke access, it has to revoke the accounts that have authenticated access — which it hasn’t done — just like Korn/Ferry revoked the accounts of its employees when they left. At that point, Nosal II then offers no guidance because it is expressly limited to revocation. Accessing an account as the legitimate user’s agent is then authorized, just as it would be in a physical trespass case.

Either way, after this ruling, there's at least a lot more legal uncertainty and liability in sharing passwords. And that's unfortunate.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: authorized access, cfaa, cfaa reform, david nosal, password sharing, passwords
Companies: korn/ferry

52 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

brad, 7 Jul 2016 @ 10:04am

This is hacking, even if it's on the social engineering side of the spectrum, assisted by an inside man (or woman of course no discriminatory intent here). Whether or not I agree with that act (it's complicated) the enforcement of that provision in this case makes more sense for me than most (DRM).

"It also makes a key point I've tried to raise in the past: if the CFAA is supposed to be about stopping "hacking," why is it always used for situations like this where there was no real "hacking"?"
[ link to this | view in chronology ]
- Anonymous Coward, 7 Jul 2016 @ 11:22am
  
  Re:
  By your logic, if I give you my car keys, you are a car thief and if I give you the keys to a company car, you are a car thief and I am co-conspirator.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 7 Jul 2016 @ 11:28am
    
    Re: Re:
    But that logic is correct.
    
    If your company lets you use a company car, you don't own it and you have no say as to its use beyond what the company allows. If you loan the car to someone else or otherwise use it in a way the owner of the car prohibits, then you have committed the crime of "unauthorized use of a motor vehicle". (Although the person you loaned the car to did not commit a crime unless he was aware that you did not have the authority to lend it to him.)
    
    That's been the law for very, very long time.
    [ link to this | view in chronology ]
    - jsf (profile), 8 Jul 2016 @ 6:53am
      
      Re: Re: Re:
      So what about handing the keys to a valet to park your car, or an attendant at a car wash, or the tow truck driver, auto service mechanic, etc. Do you need specific permission from your company for every possibility? Does the company have to create a legal document that spells out the exact details for all of these possibilities?
      [ link to this | view in chronology ]
      - pixelpusher220 (profile), 8 Jul 2016 @ 10:23pm
        
        Re: Re: Re: Re:
        Perhaps you've heard of lawyers. They tend to write in pretty expected situations into the agreement you signed to get the car in the first place.
        [ link to this | view in chronology ]
- Anonymous Coward, 7 Jul 2016 @ 1:03pm
  
  Re:
  Hacking isn't "asking someone for something".
  
  Social engineering isn't hacking. Hacking isn't social engineering.
  
  I'm giving you the benefit of the doubt that you're not trolling, but given your extraordinarily inflammatory opening, that benefit is thin.
  [ link to this | view in chronology ]
  - brad (profile), 8 Jul 2016 @ 7:51am
    
    Re: Re:
    What a silly thing to say. Because I used the term "hacking" in its more well-known form, instead of the BoingBoing usage (it's about being a ~Maker~) you accuse me of maybe-trolling, but you'll "give me the benefit of the doubt". Thanks for doing me that honour! I only hope I can live up to your standards for poasting in the future :rolleyes:
    [ link to this | view in chronology ]
AricTheRed (profile), 7 Jul 2016 @ 10:29am

So if...
...my girlfriend gives me the password to her gmail account, now I'm a felon?, 'cause I never clicked I agree to the TOS?

Lame.

No comments on my girlfriend giving me access to her email acct please...
[ link to this | view in chronology ]
- Uriel-238 (profile), 7 Jul 2016 @ 11:16am
  
  The answer is yes.
  Your girlfriend violated the CFAA by giving you access to her account provided the TOS includes a password nondisclosure clause. You're just abetting. She's the guilty party.
  
  So you're also violating the CFAA for helping your 12-year-old daughter create a Facebook account, incidentally.
  
  To be fair, it's very difficult for anyone to not commit CFAA felonies.
  
  Thank our Constitutional Framers for prosecutory discretion, so no one important ever has to suffer a CFAA indictment.
  [ link to this | view in chronology ]
Anonymous Coward, 7 Jul 2016 @ 10:44am

And also
This make felons of all of those employers who demand passwords to employees social media accounts.
[ link to this | view in chronology ]
- That One Guy (profile), 7 Jul 2016 @ 8:49pm
  
  Re: And also
  Not a chance, the rules only apply to the little people, it would never be applied against a company.
  [ link to this | view in chronology ]
Drake, 7 Jul 2016 @ 10:52am

This seems like a clear case of social engineering
Perhaps the ruling is overly broad, but this seems pretty clearly like social engineering to me.

It's getting access to the system that would not have been allowed from an inside employee.

If this isn't covered, is spear phishing allowed too?
[ link to this | view in chronology ]
- Anonymous Coward, 7 Jul 2016 @ 12:15pm
  
  Re: This seems like a clear case of social engineering
  I agree, this is just hacking the person to gain access to the system.
  
  Through trickery or peer pressure the end result is someone who did not have access obtained access he was not entitled to have.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Jul 2016 @ 1:05pm
    
    Re: Re: This seems like a clear case of social engineering
    Covering "hacking a person" for the COMPUTER Fraud and Abuse Act seems to be too many degrees of separation away.
    [ link to this | view in chronology ]
Whatever (profile), 7 Jul 2016 @ 11:28am

"Either way, after this ruling, there's at least a lot more legal uncertainty and liability in sharing passwords. And that's unfortunate."

It's a bad week on Techdirt for over reach and over reading court judgments. The conclusion in this story is Fox News in "quality".

Part of the problem here is that you seem unwilling or unable to accept the concept of intent. The password was given out with the intention of hacking, causing harm, or otherwise illegally accessing the system. The intent is there.

Sharing your gmail password with your brother won't get you sent to jail (unless of course you have magically conspired to hack gmail).

Techdirt use to be pretty good with this stuff, but more and more, it seems you are more worried about riling up the troops and a lot less about drawing sensible conclusions.
[ link to this | view in chronology ]
- PaulT (profile), 8 Jul 2016 @ 12:24am
  
  Re:
  "The password was given out with the intention of hacking, causing harm, or otherwise illegally accessing the system"
  
  Citation required on the first 2, although the third is acceptable to some degree. From what I've read, the only intention was to access the data within, not to change it or access other parts of the system.
  
  "Part of the problem here is that you seem unwilling or unable to accept the concept of intent"
  
  "Sharing your gmail password with your brother won't get you sent to jail (unless of course you have magically conspired to hack gmail)"
  
  Depends on the intent, by your own admission, doesn't it? Accessing GMail won't let you hack it - but, then, accessing this database with normal user privileges won't let you hack it either. Once you get over that idiotic statement, it's easy to see that accessing GMail may violate T&Cs, and that's the only standard really being addressed directly here. Sure, intent is a factor, but then so it is in GMail access to a third party. There's no argument you can use here that's not applicable there.
  
  As ever, in your zeal to attack this site, your own assertions are found wanting.
  [ link to this | view in chronology ]
  - Anonymous Coward, 8 Jul 2016 @ 1:17am
    
    Re: Re:
    When you consider his weekend rants and his dismissal of the T-shirts, insisting that suddenly the scarcity he's been championing magically doesn't apply because Techdirt, Whatever's shtick becomes clear. He, like the other trolls, claims to not take the site seriously and generally despise it, but they keep coming back. It's an unhealthy obsession, for which there is no cure aside from a kick in the teeth.
    [ link to this | view in chronology ]
    - Whatever (profile), 8 Jul 2016 @ 9:59pm
      
      Re: Re: Re:
      Hi idiot AC.
      
      I don't champion scarcity. Sorry, you fail. That's Mike's schtick.
      
      As for PaulT:
      
      "accessing this database with normal user privileges won't let you hack it either"
      
      If you are accessing it yourself with your password given by your employer when you are still working for the company, it's not hacking (illegal access). Once you are fired, or when you are using someone else's password (social hacking or otherwise) then you have crossed the line.
      
      I can't imagine that simple concept is too hard to understand. Try thinking about it for a couple of weeks and check back with us once you earn your gold star in basic English.
      [ link to this | view in chronology ]
      - Anonymous Coward, 11 Jul 2016 @ 5:42pm
        
        Re: Re: Re: Re:
        You spam the website with insults and somehow think that merits as "insightful".
        
        People read your comment history, mate, and it's pretty obvious who the idiot is here.
        [ link to this | view in chronology ]
    - Wendy Cockcroft, 11 Jul 2016 @ 5:52am
      
      Re: Re: Re:
      You're describing "Scraptivism," the act of picking fights online to start a conversation aimed at winning your opponents over to your way of thinking.
      
      Given the responses he tends to get, I'd say he sucks as much at that as at successfully attacking this site or calling Mike out. It's just noise, that's why we hide his comments.
      [ link to this | view in chronology ]
      - Wendy Cockcroft, 11 Jul 2016 @ 5:54am
        
        Re: Re: Re: Re:
        *your opponent's audience.
        
        You've usually got no chance of winning your opponent over in these cases since they're convinced they're right and no amount of logic or evidence will shift them.
        [ link to this | view in chronology ]
John Fenderson (profile), 7 Jul 2016 @ 11:35am

I think the court ruled correctly
Unless I misunderstand the court's ruling, they did not rule broadly that sharing passwords is a crime, but ruled that in this particular instance, the password sharing happened as part of an effort to intentionally bypass controls intended to keep the person out.

It seems pretty much the same as if you have a a key to your workplace and lent it to someone who was specifically prohibited from access.

That seems sensible and logical to me, and doesn't seem to comment on the more usual password-sharing events such as sharing your personal email password with a friend.
[ link to this | view in chronology ]
- Uriel-238 (profile), 7 Jul 2016 @ 11:52am
  
  Re: I think the court ruled correctly
  I think after the whole mess of employers demanding Facebook passwords, a lot of terms of service added password nondisclosure clauses to prevent that kind of practice (since it was unethical but perpetuated by being commonplace, shortage of jobs leading to high demand leading to abusive treatment of employees and all that)
  
  So in some cases, such a clause is intended to protect the end-user by making it criminal to coerce someone to disclose their password.
  
  Ideally, sharing your email account password with a friend could fall into the no-harm-no-foul category, but I can easily see some official pushing prosecution via the CFAA if he wanted to dispose of someone.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Jul 2016 @ 12:23pm
    
    Re: Re: I think the court ruled correctly
    There is a large different between willingly sharing a password to "your PERSONAL account" and "your EMPLOYER's account"
    
    I think the courts, in this case, have made the right decision and this decision would only apply to similar future cases. Sharing the password of your personal email account with a friend is NOT a similar case.
    [ link to this | view in chronology ]
    - Anonymous Coward, 9 Jul 2016 @ 11:57pm
      
      Re: Re: Re: I think the court ruled correctly
      And what's to say this won't be a precursor to NetFlix saying it's their account that they are simply allowing you and only you to use?
      
      Seriously, your argument is so myopic as to beg the question of why you're posting in a comment section full of people who don't think like you in the slightest.
      [ link to this | view in chronology ]
- Anonymous Coward, 7 Jul 2016 @ 12:17pm
  
  Re: I think the court ruled correctly
  That seems sensible and logical to me, and doesn't seem to comment on the more usual password-sharing events such as sharing your personal email password with a friend.
  
  The point here is along the lines of: a significant number of web services (particularly financial services, but also things like email, streaming, etc.) include in the TOS a statement that only the account holder (or account holder and household, or some other variation) is allowed to access the account. That is, everyone except the people listed are specifically prohibited from access.
  
  Thus, while the court didn't broadly rule that sharing passwords is a crime, the majority of password sharing does actually fall under this ruling due to how common services are set up.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 7 Jul 2016 @ 8:34pm
    
    Re: Re: I think the court ruled correctly
    I understand, but I don't really see how this ruling has much to do with violating a ToS. It has to do with an employee misusing his employer's property.
    [ link to this | view in chronology ]
    - Anonymous Coward, 7 Jul 2016 @ 10:11pm
      
      Re: Re: Re: I think the court ruled correctly
      And how is that too far removed from a ToS that dictates you don't own use of your own credentials?
      [ link to this | view in chronology ]
      - John Fenderson (profile), 8 Jul 2016 @ 6:46am
        
        Re: Re: Re: Re: I think the court ruled correctly
        There's a pretty massive legal difference between sharing credentials that you own and sharing credentials that are owned by your employer.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 8 Jul 2016 @ 7:25am
        
        Re: Re: Re: Re: Re: I think the court ruled correctly
        Who determines who owns what? What about an employee who creates passwords and disseminates them to his colleagues on a regular basis for legitimate business reasons? What about the manufacturer providing a (ill advised but not unprecedented) "emergency login" password?
        
        It betrays gross ignorance on the part of the judge of how Information Technology actually works in practice in an organization.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 8 Jul 2016 @ 8:10am
        
        Re: Re: Re: Re: Re: Re: I think the court ruled correctly
        "Who determines who owns what?"
        
        In this case, ownership was very clear. This was about an account provided by the employer to provide access to the employer's machines for the employer's purposes. The employer owned everything.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 8 Jul 2016 @ 8:13am
        
        Re: Re: Re: Re: Re: Re: I think the court ruled correctly
        Ack, I ended too soon.
        
        "What about an employee who creates passwords and disseminates them to his colleagues on a regular basis for legitimate business reasons? "
        
        Whether or not that's OK depends on the employer's policies. For instance, at my last employer the policy was that all credential sharing was prohibited (and a firing offense) under any circumstances. There is never a legitimate business reason to do so.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 8 Jul 2016 @ 9:25am
        
        Re: Re: Re: Re: Re: Re: Re: I think the court ruled correctly
        So how would your interpretation be any different from NetFlix writing in their ToS that you're not allowed to use anyone else's username + password, even if it's that of a family member?
        
        You're moving away from the technical security necessity of accounts and are trying to make this an issue about violating a business process. This only begs unintended consequences.
        [ link to this | view in chronology ]
        
        John Fenderson (profile), 8 Jul 2016 @ 10:12am
        
        Re: Re: Re: Re: Re: Re: Re: Re: I think the court ruled correctly
        Remember, I'm talking about what I understand the court is saying in this particular case. I'm not talking about the larger issue that would encompass things like ToS of services you are using.
        
        The larger issue is much murkier, and is one that I suspect you & I are on the same page of.
        
        "make this an issue about violating a business process"
        
        No, not violating a business process so much as misusing the property of another.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 8 Jul 2016 @ 5:32pm
        
        Re: Re: Re: Re: Re: Re: Re: Re: Re: I think the court ruled correctly
        Claiming credentials are property is ridiculous. It's not property nor is it copyrighted, trademarked, or patented.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 8 Jul 2016 @ 7:28pm
        
        Re: Re: Re: Re: Re: Re: Re: Re: Re: I think the court ruled correctly
        In terms of a precedent, you can't just say "this case". It has to be seen in the broader context of the legal system.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 8 Jul 2016 @ 7:51pm
        
        Re: Re: Re: Re: Re: Re: Re: Re: Re: I think the court ruled correctly
        The larger issue cannot be separated from this issue. Legal precedents are just that - precedents. They don't operate in a vacuum.
        [ link to this | view in chronology ]
Anonymous Coward, 7 Jul 2016 @ 12:53pm

Right target, wrong reason
Lets get rid of the whole "digital" aspect of the case:

1) Man leaves company1 to start competing company2

2) Man, now owner of company2 convinces a current employee of company1 to provide key to building of company1

3) Man enters company1 and records proprietary data without permission and leaves company1 as he found it

This is essentially what happened. In reality he should be prosecuted for a) trespassing, and b) corporate espionage, both of which are illegal. So the feds is going after the right man for all the wrong reasons.

We do not need new laws, we need common sense applied to existing laws and removal of duplicate laws. Trespassing is already illegal. Peeping is already illegal. We do not need new laws to prosecute people for performing these acts digitally.
[ link to this | view in chronology ]
Peter, 7 Jul 2016 @ 12:54pm

Don't confuse having a password with being "authorized"
In broad-brush terms, I think this case was decided correctly.

The court is looking at the question of "authorization" in legal terms, not technical terms. And in legal terms, the former employee was clearly not authorized to access the computer. Only the company has the right to grant access in this case, and that access was unambiguously revoked. The buddy who shared his password did not have the legal right to grant access, and so it does not constitute "authorization."

So even though the former employee might have gotten a password, that does not make him "authorized" in the legal sense. The current employee who gave him the password did not have the authority to grant access. I think any other interpretation of the law would make it almost impossible to prosecute for any kind of hacking that involves tricking someone into disclosing a password.

The reason this can seem wrong is that it's easy to confuse "authorized" in the technical sense of the word (i.e. did the computer grant you access?) with "authorized" in the legal sense (i.e. did someone with the legal authority to do so give you permission to access the computer?).

A real-world analogy would be a secured office building. Only certain people have permission to grant access to the building. If you get fired from a company and they take away your keycard and tell you you're not allowed in the building anymore, it would still be trespassing if you borrowed a buddy's keycard to get in.
[ link to this | view in chronology ]
- michael, 7 Jul 2016 @ 3:28pm
  
  Re: Don't confuse having a password with being "authorized"
  Thank you for being just about the only intelligent person in this comment section.
  
  People above you are actually arguing that "social engineering isn't hacking," when in fact, 90%+ of large-scale hacking is social engineering.
  
  Techdirt readers are beginning to sadden me in the same way that ARS and Slashdot have.
  [ link to this | view in chronology ]
  - Anonymous Coward, 7 Jul 2016 @ 7:27pm
    
    Re: Re: Don't confuse having a password with being "authorized"
    Just because something is labelled hacking doesn't make it hacking. Fraud and deceit are age-old societal ills, but that doesn't make them hacking.
    
    People like you sadden me immensely. You, who try to shame people who don't think like you do in your niche world view.
    [ link to this | view in chronology ]
    - Padpaw (profile), 8 Jul 2016 @ 4:59am
      
      Re: Re: Re: Don't confuse having a password with being "authorized"
      I would bet my life that they are paid to say crap like this instead of actually believing it.
      [ link to this | view in chronology ]
- Anonymous Coward, 7 Jul 2016 @ 7:30pm
  
  Re: Don't confuse having a password with being "authorized"
  That is an extraordinarily dangerous interpretation of who is permitted to delegate authorization. What is different from your interpretation versus, say, NetFlix writing in their terms of service that only they have the authority to dictate who is authorized to use the credentials you create for the service you purchase?
  
  I understand your reasoning, but I don't agree with it in the precedential sense.
  [ link to this | view in chronology ]
Anonymous Coward, 7 Jul 2016 @ 7:20pm

Holy Shit
So now what ???
LastPass is illegal ???
[ link to this | view in chronology ]
Padpaw (profile), 8 Jul 2016 @ 4:57am

Has nothing to do with law and everything to do with spite for him.

If you refuse to do what your told to at the point of the gun you discover all your rights and the laws that are supposed to protect you against stuff like this are ignored and no longer apply solely because it was an illusion the entire time.

America stopped being a nation of equal rights for all a long time ago, all that is left is the illusion.
[ link to this | view in chronology ]
- Wendy Cockcroft, 11 Jul 2016 @ 5:57am
  
  Re:
  That's what happens when you're worth what the market says you're worth. Equal rights do not apply to people without worth.
  [ link to this | view in chronology ]
Anonymous Coward, 8 Jul 2016 @ 6:38am

Walk down the street drinking from a bottle of Mountain Dew and everything is fine. Swing that bottle at someone and you could be charged with possession of a deadly weapon (no comments here about the health benefits of Mountain Dew).

What changed? Two instances, both possession of a bottle, different outcomes. Intent is what turned that green bottle into a deadly weapon.
[ link to this | view in chronology ]
- Anonymous Coward, 8 Jul 2016 @ 7:26am
  
  Response to: Anonymous Coward on Jul 8th, 2016 @ 6:38am
  Wouldn't the "swinging" in this case be an action?
  [ link to this | view in chronology ]
Ninja (profile), 8 Jul 2016 @ 8:39am

Oh shit. My entire family is going to jail. Damn Netflix password!
[ link to this | view in chronology ]
- Anonymous Coward, 8 Jul 2016 @ 6:39pm
  
  Re:
  Sharing a Netflix account with your family? You must be a pirate!
  
  /s
  [ link to this | view in chronology ]
Anonymous Coward, 12 Jul 2016 @ 6:49pm

Perhaps this revolves around the account creation process?
I feel like there's a quantifiable difference between the circumstances here and those of the Netflix password-sharer. I just wish the court could have promulgated an actual description of a difference as opposed to handwaving.
[ link to this | view in chronology ]
CWSonoma (profile), 1 Oct 2018 @ 7:29pm

Hacking and Password Sharing ~ There is a diff
I think everyone on this thread has no clue what Nosal really did and how serious it is. It is not only about password sharing, it is moreso about what he took from his employer. 2400 resumes with contact information. Imagine you give a recruitment firm your resume in pure confidentiality to the #1 Executive Searh firm in the world and it is hijacked. Also, what was Nosal going to do with that proprietary list? Make money from it that was not his. He took something of value that did not belong him. There are comments about sharing Netflix Passwords. Can you take something from Netflix and turn it around into a million dollars like Nosal did from his theft? He should be in jail for the full 5 years. No one gets it. He is a thief and he is shady and belongs where he is right this very moment. In the hooskow.
[ link to this | view in chronology ]