The Washington PostDemocracy Dies in Darkness

Opinion Password-sharing case divides Ninth Circuit in <em>Nosal II</em>

The Ninth Circuit has handed down United States v. Nosal (“Nosal II“), a case on the scope of the Computer Fraud and Abuse Act that I blogged about here and here. The court held 2-1 that former employees of a company who had their company accounts revoked violated the CFAA when they subsequently used the passwords of a current employee, with the current employee’s permission, to access the company’s computers.

I think that the majority’s result is right on its facts but that its analysis is less helpful than it could be. This post explains my thinking, and it then explains the likely importance of the Ninth Circuit’s still-pending case in Facebook v. Power Ventures.

I. The Facts

Nosal left the the global executive search firm Korn/Ferry with plans to start a competitor business. He planned to take along three Korn/Ferry employees: Christian, Jacobson and Nosal’s former executive assistant Froehlich-L’Heureaux (known in the opinion as “FH”). Nosal’s idea was to rely on Korn/Ferry’s valuable database of information at the new company and to keep Nosal’s participation secret. Importantly, however, accessing Korn/Ferry’s valuable database required a valid username and password on Korn/Ferry’s network.

Nosal had already left Korn/Ferry, so he schemed to harness the login credentials of those still employed there in two different ways. First, Nosal had Christian and Jacobson use their usernames and passwords to access Korn/Ferry records and to send them to Nosal. Later, after Christian and Jacobson left Korn/Ferry, Nosal had them ask FH for her username and password so that they could continue to access Korn/Ferry’s database. FH agreed and told them her username and password. Christian and Jacobson later accessed Korn/Ferry’s database using FH’s login credentials.

In an earlier round of litigation, leading to Nosal I, the government argued that Nosal violated the CFAA with the first of these strategies. According to the government, Nosal was aiding and abetting CFAA violations because the then-current employees had themselves violated the CFAA when they used their access to Korn/Ferry’s computers in violation of its terms of use. The government argued that the employees exceeded their authorized access when they violated the terms of use saying that access to the network was for work purposes only. On this thinking, Nosal was liable because he aided and abetted the terms of use violation. The Ninth Circuit disagreed in Nosal I, however, and ruled that violating terms of use does not exceed authorized access.

The government went back to the drawing board. It came up with a different theory of the case and obtained a second indictment. This time the prosecution theory was based on Nosal’s second strategy. Specifically, the government argued that after Nosal, Christian and Jacobson left the company, they lacked any rights to access Korn/Ferry’s network. Because they lacked rights to access the network, Christian and Jacobson’s use of FH’s login credentials (with Nosal’s encouragement) violated the CFAA’s ban on “access without authorization.”

II. The Big Question

The case now hinges on whether it matters that FH gave permission to Christian and Jacobson to use her credentials. Korn/Ferry said no, you can’t use the network. FH said yes, you can use her account. Which governs? The panel divided 2-1. The majority thought that Korn/Ferry’s “no” controlled and the CFAA was violated. The dissent thought that FH’s “yes” controlled and the CFAA was not violated.

III. The Majority Opinion

The majority opinion, authored by Judge McKeown and joined by Judge Thomas, presents the case as very easy. The simple fact was that Korn/Ferry controlled access to its computers and it had revoked the rights of Christian, Jacobson and Nosal to access Korn/Ferry’s computers. It’s not clear to me if the rights were revoked simply because the employment relationship ended or whether there was some more formal act of revocation. With respect to Nosal, for example, the opinion just states that “[a]s of December 8, 2004, Korn/Ferry revoked Nosal’s access to its computers[.]” Either way, the employment relationship for those employees had ended and it was then clear that they were not permitted to access Korn/Ferry’s computers.

For the majority, that fact was all that mattered. In an earlier case, Brekka, the Ninth Circuit held that a person cannot use an account after their right to use the account was revoked. The new case was just a replay of Brekka, the majority concluded. Korn/Ferry had revoked the rights of Christian, Jacobson and Nosal when they left Korn/Ferry. With their access rights revoked, they could not access Korn/Ferry’s computers.

The majority saw the fact that FH gave permission to access her account using her credentials as simply irrelevant:

[Access] “without authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.

As the court later puts it:

There is no question that Korn/Ferry owned and controlled access to its computers, including the Searcher database, and that it retained exclusive discretion to issue or revoke access to the database. After Nosal’s login credentials were revoked on December 8, 2004, he became an “outsider” and was no longer authorized to access Korn/Ferry computers, including Searcher. Christian and Jacobson’s credentials were also revoked after they left, at which point none of the three former employees were “insiders” accessing company information. Rather, they were “outsiders” with no authorization to access Korn/Ferry’s computer system.

Why didn’t FH’s authorization give the defendants the right to access her account? There isn’t a lot on this in the opinion. But here’s the key passage:

FH had no authority from Korn/Ferry to provide her password to former employees whose computer access had been revoked. Also, [recognizing FH’s authorization] would render meaningless the concept of authorization. And, pertinent here, it would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.

Later in the decision, the majority says that allowing FH’s authorization to matter would cause significant problems:

[A]n employee could willy nilly give out passwords to anyone outside the company — former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.

But wouldn’t the majority’s approach criminalize routine password-sharing? The majority says it wouldn’t, although it doesn’t have a very good explanation of why:

[T]he circumstance here — former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer — bears little resemblance to asking a spouse to log in to an email account to print a boarding pass. The charges at issue in this appeal do not stem from the ambiguous language of Nosal I — “exceeds authorized access” — but instead relate to a common, unambiguous term. The reality is that facts and context matter in applying the term “without authorization.”

IV. The Dissent

Judge Reinhardt dissented. In Reinhardt’s view, access is “without authorization” if the user lacks authorization from either the computer owner or a legitimate account-holder. Because FH permitted the access, it was legally authorized:

The question that matters is not what authorization is but who is entitled to give it. As one scholar noted, “there are two parties that have plausible claims to [give] authorization: the owner/operator of the computer, and the legitimate computer account holder.” Orin S. Kerr, Computer Crime Law 48 (3d ed. 2013). Under a proper construction of the statute, either one can give authorization.

Why does the legitimate account-holder (here, FH) have a right to confer authorization? According to Reinhardt, it is because the CFAA is about hacking. Under the rule of lenity a court should adopt a narrow construction of the statute that limits its application to hacking. By saying that a user can authorize another person to access the computer, a court can ensure that the CFAA does not apply to cases of routine password-sharing that most people don’t think is illegal and is far beyond hacking:

Take the case of an office worker asking a friend to log onto his email in order to print a boarding pass, in violation of the system owner’s access policy; or the case of one spouse asking the other to log into a bank website to pay a bill, in violation of the bank’s password sharing prohibition. There are other examples that readily come to mind, such as logging onto a computer on behalf of a colleague who is out of the office, in violation of a corporate computer access policy, to send him a document he needs right away. “Facebook makes it a violation of the terms of service to let anyone log into your account,” we noted in Nosal I, but “it’s very common for people to let close friends and relatives check their email or access their online accounts.” 676 F.3d at 861 (citing Facebook Statement of Rights and Responsibilities § 4.8).

To Judge Reinhardt, the court’s theory that punishes Nosal also appears to punish innocent cases of password-sharing:

It is impossible to discern from the majority opinion what principle distinguishes authorization in Nosal’s case from one in which a bank has clearly told customers that no one but the customer may access the customer’s account, but a husband nevertheless shares his password with his wife to allow her to pay a bill. So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates. It is not “advisory” to ask why the majority’s opinion does not criminalize this under § 1030(a)(2)(C); yet, the majority suggests no answer to why it does not.

V. My Take: The Right Result, but Less-Than-Helpful Analysis

I think the majority opinion reached the right result, but that its analysis was not particularly helpful. There was an easy way to address Judge Reinhardt’s concerns — a way that is going to matter to another pending Ninth Circuit case — and it’s a little unfortunate that the Ninth Circuit didn’t develop it.

Here’s my thinking. According to the majority, the key fact was that the company revoked the access rights of Nosal, Christian and Jacobson. FH’s permission didn’t change things because “FH had no authority from Korn/Ferry to provide her password to former employees whose computer access had been revoked.”

But this begs the question: Why wasn’t FH’s status as a legitimate user enough to confer a right to delegate her access rights? It wasn’t, the majority says. But why not?

The majority mostly sidesteps this question by focusing on the fact of revocation of access rights by Korn/Ferry. The majority presents this as a very narrow spinoff of Brekka. But the effort to simplify the issues has only limited success because a user whose account is revoked is presumably in the same authorization boat as someone who never received any access rights in the first place. While Nosal lost his right to access the accounts when he left the company, you would think that just placed him in the same position as most people. I have no access rights on Korn/Ferry’s computers, and chances are neither do you. We’re all “outsiders,” to use the majority’s terminology. Given that, Judge Reinhardt was fair to ask: Why wouldn’t any rule applied to Nosal also apply to anyone else who received a shared password?

With apologies for the self-promotion, I think the missing rationale in Nosal II that could explain the majority’s instincts and also address Reinhardt’s concerns is the authentication-based approach for shared password cases I developed in my recent article, Norms of Computer Trespass, 116 Colum. L. Rev. 1143 (2016). In my article, I argued that cases involving revoked accounts and shared passwords should be based on the notion of delegation of authority by authenticated accounts. When a computer owner gives a user an account, the computer owner delegates to the account-holder and her agent the rights to access the account. When the computer owner revokes the account, those rights are canceled (as Brekka held).

Under this rationale, whether use of a shared password violates the CFAA depends on a critical fact: Was the user intentionally acting outside the agency of the legitimate account-holder? Notably, all of Judge Reinhardt’s concerns about criminalizing password-sharing deal with fact patterns when an outside user is acting as an agent of a legitimate user. A wife accesses her husband’s bank account on his behalf. An employee logs into a colleague’s account with his permission to send an important document. These are cases in which the outsider acts as the insider’s agent. It makes sense that the agent should assume the access rights of the principal. Think of an analogous physical trespass case. If a house renter gives his keys to a neighbor to come in to water her plants while she is away, the neighbor isn’t committing a trespass when he enters to water the plants.

It’s a different situation when the outsider acts outside the agency relationship. In a traditional physical case, the entry becomes a trespass. If the neighbor enters the house to snoop through the renter’s stuff, the entry is a trespass. And the same rule makes sense for computer accounts. Nosal II hints at the reason when it says that allowing FH to authorized access would render authorization “meaningless” and let a user “willy nilly give out passwords to anyone outside the company.” The court is right that this is a problem, but I think it would have helped to say more about why. My own view, as I wrote in my article, is that the need to preserve the computer owner’s original authentication to the user requires barring users from authorizing access outside the agency relationship:

An account holder should have only a narrower power to confer access rights [within the agency relationship] because otherwise that delegation would interfere with the original authentication. If computer owner A can confer access rights to account holder B, an unlimited power of B to confer access rights to C, D, and E would nullify A’s judgment to confer access rights to only account holder B. The rule should be that third-party access outside the agency relationship is unauthorized access.

If the court had explicitly embraced the agency/non-agency distinction, it could have explained why the shared password hypotheticals Reinhardt raised bear “little resemblance” to the facts of Nosal II. The reason is that Christian and Jacobson were not acting as FH’s agent. Instead, they obtained her password from her to use for their own purposes. They accessed the computer outside the scope of any agency, and I think that should explain why FH’s permission could not authorize their conduct. (You could also argue that Korn/Ferry’s revocation was sufficiently broad to implicitly ban acting even as an agent of FH. See my article at pages 1176-77. The panel’s reasoning is consistent with that, although the panel doesn’t get into the details.)

VI. Next Up: Facebook v. Power Ventures

We may see how the Ninth Circuit deals with these problems unusually soon. As I noted in my post back in December, a different panel of the Ninth Circuit heard oral argument in another password-sharing case, Facebook v. Power Ventures, just a few weeks after the argument in Nosal II. I explained the Facebook case as follows:

Power Ventures (“Power”) allowed Facebook users to set up an account at the Power website and to give Power permission to access the user’s Facebook account on the user’s behalf. Facebook didn’t like this, as it wanted to maintain control of Facebook’s system. So Facebook told Power to stop accessing its website and also blocked an IP address used by the Power website. Power continued to access Facebook’s site anyway. The legal question: Did the subsequent access by Power, with Facebook user permission but against the permission of Facebook, constitute a criminal unauthorized access under the CFAA?

The big question now for the panel in Facebook v. Power Ventures is what to do with Nosal II. Just as a matter of precedent, you could see the court going either way.

First, imagine the panel is inclined to rule for Facebook. It could incorporate Nosal II by saying that Facebook is like Korn/Ferry, Power is like Christian and Jacobson, and Facebook’s users are like FH. By that reasoning, Facebook revoked access rights by telling them to go away and by imposing an IP address block on Power. Power could not “sidestep the statute” by relying on permission of Facebook’s users who wanted them to access Facebook on their behalf.

On the other hand, if the panel is inclined to rule for Power, it could easily distinguish Nosal II. It could first say that telling Power to go away and blocking IP addresses is insufficient to revoke access rights because it does not actually cancel any authenticated accounts. If Facebook wants to revoke access, it has to revoke the accounts that have authenticated access — which it hasn’t done — just like Korn/Ferry revoked the accounts of its employees when they left. At that point, Nosal II then offers no guidance because it is expressly limited to revocation. Accessing an account as the legitimate user’s agent is then authorized, just as it would be in a physical trespass case.

If I’m right about the options, Nosal II may end up as only a very narrow decision that is largely overshadowed by what the Ninth Circuit does next in Facebook v. Power Ventures.

Stay tuned, as always.