Related Attorney(s): Millard S. Bennett, Alexia Kent McClure, Jeffrey M. Schwaber, Donald N. Sperling, Paul T. Stein, E. Andrew Cole, David C. Driscoll, Jr., Mary Craine Lombardo , Deanna L. Peters, Elizabeth J. McInturff, Judith G. Cornwell, Eduardo S. Garcia
Media Type: Alert
Has a loved one ever given you their password and permission to access their email? Do you share a Netflix password with other family members? What about logging onto a colleague’s work computer with their credentials to send them a document that they need? According to two recent rulings by the Ninth Circuit, you may be breaking the law.
In United States v. Nosal, the United States Court of Appeals for the Ninth Circuit found that former employees of Korn/Ferry International violated the Computer Fraud and Abuse Act (CFAA) by using the credentials and passwords of a current employee, with that employee’s permission and knowledge, to access Korn/Ferry’s computer network.
The CFAA was designed by Congress to combat computer hacking and imposes criminal liability on individuals who, among other violations, are found to have accessed a computer without authorization. In Nosal, the question turned on whose authorization was needed to give permission to access the computer network. The majority found that, because Korn/Ferry controlled access to its computers and its network, it was Korn/Ferry’s authorization, not that of the current employee, that was needed for the former employees to lawfully access the computer network. The fact that the former employees had the permission of the current employee did not matter as the current employee did not have the authority to share her password. Based on these findings, the Court held that the former employees violated the CFAA because they did not have authorization to access Korn/Ferry’s computer network.
The holding in Nosal appears simple and understandable in the vacuum of a former employee accessing a previous employer’s computer network. However, as the dissent pointed out, what about when family members share passwords to commonly used sites such as Facebook or Netflix? Does the holding in Nosal criminalize routine password sharing? Although the majority argued that the facts of Nosal did not resemble “asking a spouse to log in to an email account to print a boarding pass”, the Ninth Circuit’s later holding in Facebook, Inc. v. Power Ventures, Inc. made it appear otherwise.
In this case, Power Ventures developed its own competing social networking application which allowed Facebook users to set up an account with Power Ventures, with permission for Power Ventures to access the user’s Facebook data. Facebook discovered that Power Ventures was accessing its users’ data without permission at which point Facebook sued Power Ventures, alleging violation of the CFAA.
The Ninth Circuit held that permission from a user alone to access their account was not sufficient to authorize a third party to access Facebook’s network. Permission is needed from both the user and from Facebook to access Facebook’s network.
The holding in Facebook appears to be the scenario about which the dissent in Nosal was concerned. When does accessing the social network or email site of a family member or friend, even with their permission, become a crime?
To date, guidance is lacking on the applicability of the CFAA to individual users. But it may make everyone think twice when they are deciding who and how to give access to their digital accounts, both now and within their estate plan.
If you have questions about the CFAA or any other civil litigation questions, please contact a member of our civil litigation department at 301-340-2020.
The purpose of a donor agreement is to clearly establish that donor is not the child's legal parent.
Letters of Administration? "Interested Persons"? Accounts? Learn about the Maryland Probate Process.
Missteps, such as misclassification of employees and paying workers "salary," can lead to claims.
Get tips for paying accident-related medical bills in Virginia, Maryland and D.C.
The laws are complex and provide for significant penalties for any violations.