When laws are created or interpreted to make criminals out of the most innocent of activities, then innocent people are criminals.
This is now happening in cyberspace with a ruling from the Ninth Circuit Court of Appeals.
Last week, they issued a ruling that found, in part, that sharing passwords on the internet is a federal crime.
The decision – according to a dissenting opinion – puts millions of people who share their passwords for services like Netflix or Vudu in violation of the federal Computer Fraud and Abuse Act (CFAA). Fortune magazine reports.
The decision came in the case of David Nosal, an employee at the executive search (or headhunter) firm Korn/Ferry International. Nosal left the firm in 2004 after being denied a promotion. Though he stayed on for a year as a contractor, he was simultaneously preparing to launch a competing search firm, along with several co-conspirators. Though all of their computer access was revoked, they continued to access a Korn/Ferry candidate database, known as Searcher, using the login credentials of Nosal’s former assistant, who was still with the firm.
Nosal was eventually charged with conspiracy, theft of trade secrets and three counts under CFAA, and was sentenced to prison time, probation, and nearly $900,000 in restitution and fines.
Nosal’s conviction under CFAA hinged on a clause that criminalizes anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization”. Though CFAA is often understood to be an anti-hacking law, that clause in particular has been applied to many cases that fall far short of actual systems tampering.
CFAA has, for instance, been used to prosecute violation of Terms of Service agreements (which are themselves a contested practice). Most notoriously, the law was used to pursue Aaron Swartz, the young programmer who committed suicide after being charged with mass-downloading research papers from an MIT database, in violation of its terms of service—despite the fact that he was then a research fellow at MIT, with authorized access to the involved database.
In his dissent, Judge Stephen Reinhardt said the new decisions makes “consensual password sharing” a prosecutable offense. the entire purpose of the CFAA – to stop illegal hacking – has been turned on its head, he argues and “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”