Danny Defendant, employed by Acme Widget Co., quits. Acme, of course, disables the password that Danny had used to access the Acme computer system. Danny then asks a friend, who still works at Acme, for her password. She gives her password to Danny, and he then uses her password to access the Acme computer system.
The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. §§ 1030 et seq., makes it a crime to access more or less any computer “without authorization. . . .” Danny is convicted, but appeals. His argument: he may not have had Acme’s “authorization,” but he did have the authorization of his friend, who gave him her password.
The actual case is United States v. Nosal, No. 14-10037, 2016 WL 3608752 (9th Cir. July 5, 2016); the appellate court rejected the Defendant’s argument, and affirmed his conviction. Judge Stephen Reinhardt dissented:
We would not convict a man for breaking and entering if he had been invited in by a houseguest, even if the homeowner objected. Neither should we convict a man under the CFAA for accessing a computer account with a shared password with the consent of the password holder.
Although the majority dismissed Judge Reinhardt’s concerns, flatly declaring “[t]his appeal is not about password sharing,” Judge Reinhardt warned that
[t]he majority’s construction of the CFAA threatens exactly that. It criminalizes a broad category of common actions that nobody would expect to be federal crimes.
The Department of Justice’s handbook, Prosecuting Computer Crimes, collects a number of cases which have held “that defendants lost their authorization to access computers when they breached a duty of loyalty to the authorizing parties, even if the authorizing parties were unaware of the breach.” Departing employees beware!Robert ("Bob") M. Frey