EFF, ACLU Asks Ninth Circuit Court To Rehear Two Recent CFAA Cases
from the let's-not-criminalize-even-MORE-common-activity dept
The EFF and ACLU are pushing the Ninth Circuit Court of Appeals to hold full en banc rehearings (with all 11 judges, rather than just three) of two recent CFAA-related cases. The first case, US v. Nosal, is the more (in)famous of the two. In this decision, the court read the language of the CFAA broadly enough to criminalize a mostly-harmless everyday activity participated in by thousands of Americans: password sharing.
The court tried to couple this with some "authorization" wording to make it appear as though the court wouldn't entertain frivolous prosecutions using interpretation of the CFAA, but that gives the court (and the DOJ) far more credit than they have earned.
The other case -- Facebook v. Power Ventures -- is dangerous in its own way, even if it involves two private companies, rather than the US government's prosecutorial arm. The same appeals court didn't go quite as far as it did in the Nosal decision in terms of criminalizing password sharing, but instead made the district's stance even more confusing by arriving at a seemingly-contradictory conclusion.
The Ninth Circuit found that Power Ventures violated the CFAA when it accessed Facebook’s data after receiving the cease and desist letter, on the ground that the letter gave the company notice that Facebook had revoked its authorization to access users’ Facebook accounts. The court acknowledged that Facebook users could give Power Ventures valid authorization to access their accounts without running into a CFAA violation—the step back from Nosal II’s blanket criminalization of password sharing. That was true even though Facebook’s terms of service expressly prohibit password sharing or letting anyone else use your account.
"Seemingly" is the key word. The conclusion reached by the three-judge panel finds no bright line for determining authorized access, instead opting for a reading that leaves it all up to the party moving forward with a lawsuit/prosecution. Here's Mike attempting to make some sense of the ruling:
At what point is access revoked? Does it require a full cease and desist letter? Or what if I add a drop-down telling visitors from certain IP addresses they're not welcome? What if I just type here that visitors from the state of New York are no longer allowed to visit Techdirt? If they continue to do so, is that a potential CFAA violation in the making? The same court has already ruled that a mere terms of service violation is not a CFAA violation but where's the line between a terms of service violation and a cease-and-desist letter? Or me just telling you to stop visiting my website? It seems wide open to abuse.
At best, the decisions -- when taken together -- are an incoherent mess. At worst, they're vehicles for bogus lawsuits and prosecutions, taking the CFAA even further away from its original intent: to punish malicious hackers/criminals who break into accounts, servers, etc. So, rather than activity simply being a violation of corporate policies and Terms of Service, it's now also a potential violation of federal law. The Ninth Circuit Appeals Court has, in two decisions, created a hefty, new CFAA book to be thrown at violators, who now might see themselves facing federal prosecution, rather than a writeup in their personnel file or a suspended account.
If nothing else, a full en banc hearing would at least hopefully generate a coherent, more-unified stance from the Appeals Court. The two decisions are not polar opposites, but there is some friction. The downside, of course, is that the full panel will create an even worse interpretation of the CFAA. But, even if so, at least those residing in the Ninth Circuit will know where they stand when it comes to "authorized" access, password sharing, etc.
[Nosal petition PDF] [Power Ventures petition PDF]
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 9th circuit, authorized access, cfaa, hacking
Companies: aclu, eff
Reader Comments
Subscribe: RSS
View by: Time | Thread
But you can.
[ link to this | view in chronology ]
Question
Techdirt creating a Terms Of Service policy that denies access to people coming in from big media companies and notifies them via pop up, that they are banned based on those IP addresses.
I wonder what the DOJ would do with a case along those lines?
[ link to this | view in chronology ]
If I ran a business with a physical storefront, and someone was being a nuisance and I told them to leave and not come back, and then they came back, I'd be perfectly within my rights to call the cops and have them arrested for trespassing.
Why should it be any different if I run a business with a Web storefront?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Facebook would be fine if they just revoked the credentials, and sharing those credentials with Power Ventures is according to the ToS more than enough grounds for doing just that. Facebook's trying to shut down Power Ventures without cutting the account-holder off though, and the CFAA arguably isn't something that can do that (especially since PV didn't alter any data or do anything else that would cause damage in the sense the CFAA defines it to Facebook's systems).
[ link to this | view in chronology ]
Re: Re:
But that's the point
Cop:
"I stopped and searched him because he glanced at that poster. That's when I noticed this pot seed on the bottom of his pant leg. I confiscated his money, jewelry and impounded his car."
Judge: "the stop was justified"
[ link to this | view in chronology ]
By Design
[ link to this | view in chronology ]
Re: By Design
When dealing with the government there is NO POTENTIAL.
The Government WILL abuse and misuse every tool you provide it with. Once you provide a tool that says it is okay to remove liberty in just a few situations, all of a sudden every situation is ones of those "rare" situations.
Despite the fact that Government frequently applies the law, it rarely dispenses Justice.
We allowed this!
Every Nation gets the Government it DESERVES!
[ link to this | view in chronology ]
"We deserve it" doesn't follow "we allowed it."
We only learn to overcome specific instances of these tactics after enough people fall victim to them, much like we only developed a cure for polio after enough people died from it (or were permanently crippled from it) that we sought out a cure (...in some cases by experimenting on human orphans, but that's another story.)
Or maybe you were speaking in a more cosmic sense, that all these notions of justice and fairness are silly mammal / ape bullshit, and the universe doesn't even notice. In which case, I can only suggest that that silly mammal / ape bullshit is the best lead we have in making a civilization that the universe might notice, and without it, we're going to go extinct on this rock for sure. Deserve doesn't even figure.
[ link to this | view in chronology ]
Making everything a crime...
Say that you'll never need it.
Everybody wants to rule the world.
[ link to this | view in chronology ]
brian curtis nbc
[ link to this | view in chronology ]