The U.S. Supreme Court has turned away two cases involving the 1986 Computer Fraud and Abuse Act, which makes accessing computers without authorization into a federal crime. That leaves the existing 9th Circuit court rulings in place despite concerns that the definition of “without authorization” has been interpreted far too narrowly.
According to rights groups including the Electronic Frontier Foundation, the 9th Circuit has interpreted the phrase to mean that only the owner of the computer or computer system has the ability to grant authorization. Account holders and employees of the owner do not.
That puts ordinary people at risk of federal prosecution for performing some fairly innocuous acts, the group says. For example, if account holders share passwords with their spouses or family members and that were forbidden by the account’s terms of service, they could be violating the CFAA and be criminally prosecuted.
The two cases that had been appealed to the high court involve different degrees of forbidden password sharing.
The first involved a Cayman Island-based company called Power Ventures, Inc., which provided its clients with a shortcut to their own Facebook accounts through its own online portal. Before a client could have the shortcut, they had to give Power Ventures their permission to set it up. The benefit to clients was convenience, while Power Ventures apparently got the ability to collect marketing data from the Facebook accounts.
Facebook filed a lawsuit, which is allowed under the CFAA, claiming that Power Ventures was able to harvest data not only from its clients but from others. That made the data insecure, according to Facebook. The appellate court ruled that Power Ventures’ access was unauthorized as soon as Facebook objected to it, even though the account holders had granted their permission.
In the second case, a jury found an executive recruiter guilty of fraud under the CFAA. He had accessed a confidential database owned by his former employer. This was not done by hacking the database, but through the use of an existing employee’s login.
The appellants in each case argued that the CFAA does not sufficiently define who has the power to authorize access to a computer or computer system. Without a clear definition, it’s unclear who is liable under the law.
It’s impossible for the Supreme Court to accept every petition brought before it. However, it’s unfortunate for the unwary that this narrow definition of who can authorize access was left in place. The law was passed in 1986 and did not anticipate the various possibilities for access. As the Electronic Frontier Foundation and other groups point out, ordinary people may unwittingly violate the law simply through ignorance of the 9th Circuit’s definition.