Chap fails to quash 'shared password' 'hacking' conviction

Appeals Court says CFAA can be wielded in Nosal case


A man who used his colleagues' passwords to swipe confidential information from his employer has failed to overturn his computer hacking conviction.

In a 2-1 decision [PDF] today, the California 9th Circuit Court of Appeals agreed with a lower court's judgment that David Nosal broke the Computer Fraud and Abuse Act (CFAA).

In 2004, Nosal left his job with corporate recruiting agency Korn/Ferry to start a rival company. In the process, the court heard, Nosal used the login credentials of other employees to access Korn/Ferry's contacts files and use the confidential information with his new company.

When Nosal quit, his access to the computer network was removed, and he obtained the passwords by asking his coworkers for their login details. After resigning, he continued to work for Korn/Ferry as a contractor during his one-year no-compete period; during that time, he offered his colleagues jobs at his new business and persuaded three of them to share their passwords with him to help him out.

In 2008, Nosal and the trio were charged with breaking the CFAA. In January 2014, Nosal was sentenced to one year and a day in prison and fined $60,000 following a jury trial in San Francisco in April 2013.

The case has raised debate over whether sharing a password should constitute a violation of the CFAA, an anti-hacking law. The divided panel declared that Nosal's use of other employees' passwords after his own credentials had been revoked was a malicious act.

"Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access," wrote Judge Margaret McKeown.

"This access falls squarely within the CFAA’s prohibition on access “without authorization,” and thus we affirm Nosal’s conviction for violations of the CFAA."

Dissenting in the case was Judge Stephen Reinhardt, who worries that the ruling sets a dangerous precedent that could be used against other people who simply share their passwords with others.

"In my view, the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals," Reinhardt wrote.

"Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA."

Judge McKeown, however, dismissed the notion that Nosal's conviction would allow the CFAA to be misused to punish the simple act of sharing a password.

"Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case," McKeown writes.

"This appeal is not about password sharing. Nor is it about violating a company’s internal computer-use policies. The conduct at issue is that of Nosal and his co-conspirators, which is covered by the plain language of the statute." ®

