CFAA, "Authorized" Access, and Common Sense

2016-07-16

Mike Gerwitz

There is little common sense to be had with the Computer Fraud and Abuse Act (CFAA) to begin with. To add to the confusion, the Ninth Circuit Court of Appeals last week held 2-1 in United States v. Nosal that accessing a service using someone else’s password—even if that person gave you permission to do so—violates the CFAA, stating that only the owner of a computer can give such authorization. This is absurd even with a complete lack of understanding of what the law is: should your spouse be held criminally liable for paying your bills online using your account?

Common sense says no. In another case this week—Facebook v. Power Ventures—the same court (though a different panel of judges) stepped back from the original decision and stated that computer users can indeed provide authorization. This authorization holds even if the service’s Terms of Service say otherwise. Yet: the computer owner (in this case, Facebook) can revoke authorization, which takes precedence over any authorization provided by a user of that system. So with a seemingly magical incantation, a benign situation can be made into a federal crime, just like that.

These situations highlight dangerous confusion over the interpretation of an already dangerously vague law. The CFAA is the law that was used to prosecute Aaron Swartz for federal “crimes”—with a punishment of up to thirty-five years in prison—for liberating documents hosted on JSTOR. Because of this draconian threat, Aaron committed suicide on January 11th, 2013.

The CFAA already has blood on its hands; it needs to be reined in, not given further broad powers. So don’t take news of the decisions in US v. Nosal and Facebook v. Power Ventures as canceling one another out; things may appear the same for now, but serious problems still need to be resolved.