EFF, ACLU Ask Ninth Circuit Court To Rehear Two Recent CFAA Cases
from the let's-not-criminalize-even-MORE-common-activity dept
The EFF and ACLU are pushing the Ninth Circuit Court of Appeals to hold full en banc rehearings (with all 11 judges, rather than just three) of two recent CFAA-related cases. The first case, US v. Nosal, is the more (in)famous of the two. In this decision, the court read the language of the CFAA broadly enough to criminalize a mostly-harmless everyday activity participated in by thousands of Americans: password sharing.
The court tried to couple this with some "authorization" wording to make it appear as though the court wouldn't entertain frivolous prosecutions using this interpretation of the CFAA, but that gives the court (and the DOJ) far more credit than they have earned.
The other case -- Facebook v. Power Ventures -- is dangerous in its own way, even if it involves two private companies, rather than the US government's prosecutorial arm. The same appeals court didn't go quite as far as it did in the Nosal decision in terms of criminalizing password sharing, but instead made the district's stance even more confusing by arriving at a seemingly-contradictory conclusion.
The Ninth Circuit found that Power Ventures violated the CFAA when it accessed Facebook’s data after receiving the cease and desist letter, on the ground that the letter gave the company notice that Facebook had revoked its authorization to access users’ Facebook accounts. The court acknowledged that Facebook users could give Power Ventures valid authorization to access their accounts without running into a CFAA violation—the step back from Nosal II’s blanket criminalization of password sharing. That was true even though Facebook’s terms of service expressly prohibit password sharing or letting anyone else use your account.
"Seemingly" is the key word. The conclusion reached by the three-judge panel finds no bright line for determining authorized access, instead opting for a reading that leaves it all up to the party moving forward with a lawsuit/prosecution. Here's Mike attempting to make some sense of the ruling:
At what point is access revoked? Does it require a full cease and desist letter? Or what if I add a drop-down telling visitors from certain IP addresses they're not welcome? What if I just type here that visitors from the state of New York are no longer allowed to visit Techdirt? If they continue to do so, is that a potential CFAA violation in the making? The same court has already ruled that a mere terms of service violation is not a CFAA violation but where's the line between a terms of service violation and a cease-and-desist letter? Or me just telling you to stop visiting my website? It seems wide open to abuse.
At best, the decisions -- when taken together -- are an incoherent mess. At worst, they're vehicles for bogus lawsuits and prosecutions, taking the CFAA even further away from its original intent: to punish malicious hackers/criminals who break into accounts, servers, etc. So, rather than activity simply being a violation of corporate policies and Terms of Service, it's now also a potential violation of federal law. The Ninth Circuit Appeals Court has, in two decisions, created a hefty, new CFAA book to be thrown at violators, who now might see themselves facing federal prosecution, rather than a writeup in their personnel file or a suspended account.
If nothing else, a full en banc hearing would at least hopefully generate a coherent, more-unified stance from the Appeals Court. The two decisions are not polar opposites, but there is some friction. The downside, of course, is that the full panel will create an even worse interpretation of the CFAA. But, even if so, at least those residing in the Ninth Circuit will know where they stand when it comes to "authorized" access, password sharing, etc.
[Nosal petition PDF] [Power Ventures petition PDF]
Filed Under: 9th circuit, authorized access, cfaa, hacking
Companies: aclu, eff
Reader Comments
But you can.
[ link to this | view in thread ]
Question
Techdirt creating a Terms Of Service policy that denies access to people coming in from big media companies and notifies them via pop up, that they are banned based on those IP addresses.
I wonder what the DOJ would do with a case along those lines?
[ link to this | view in thread ]
If I ran a business with a physical storefront, and someone was being a nuisance and I told them to leave and not come back, and then they came back, I'd be perfectly within my rights to call the cops and have them arrested for trespassing.
Why should it be any different if I run a business with a Web storefront?
[ link to this | view in thread ]
Re: Re:
Facebook would be fine if they just revoked the credentials, and sharing those credentials with Power Ventures is, according to the ToS, more than enough grounds for doing just that. Facebook's trying to shut down Power Ventures without cutting the account-holder off though, and the CFAA arguably isn't something that can do that (especially since PV didn't alter any data or do anything else that would cause damage, in the sense the CFAA defines it, to Facebook's systems).
[ link to this | view in thread ]
Re: Re:
But that's the point
Cop:
"I stopped and searched him because he glanced at that poster. That's when I noticed this pot seed on the bottom of his pant leg. I confiscated his money, jewelry and impounded his car."
Judge: "the stop was justified"
[ link to this | view in thread ]
Re: By Design
When dealing with the government there is NO POTENTIAL.
The Government WILL abuse and misuse every tool you provide it with. Once you provide a tool that says it is okay to remove liberty in just a few situations, all of a sudden every situation is one of those "rare" situations.
Despite the fact that Government frequently applies the law, it rarely dispenses Justice.
We allowed this!
Every Nation gets the Government it DESERVES!
[ link to this | view in thread ]
"We deserve it" doesn't follow "we allowed it."
We only learn to overcome specific instances of these tactics after enough people fall victim to them, much like we only developed a cure for polio after enough people died from it (or were permanently crippled from it) that we sought out a cure (...in some cases by experimenting on human orphans, but that's another story.)
Or maybe you were speaking in a more cosmic sense, that all these notions of justice and fairness are silly mammal / ape bullshit, and the universe doesn't even notice. In which case, I can only suggest that that silly mammal / ape bullshit is the best lead we have in making a civilization that the universe might notice, and without it, we're going to go extinct on this rock for sure. Deserve doesn't even figure.
[ link to this | view in thread ]
Making everything a crime...
Say that you'll never need it.
Everybody wants to rule the world.
[ link to this | view in thread ]