Two cases recently coming out of the 9th Circuit Court of Appeals decided issues related to the Computer Fraud and Abuse Act (CFAA) and “access without authorization.”
United States v. Nosal, a criminal case, involved a former employee accessing a computer system with borrowed login credentials from a current employee. Facebook v. Vachani, a civil case, involved a different social media outlet accessing Facebook’s computer system on the basis of user-granted access. In both cases, the Court decided that the parties accessed the system “without authorization,” despite being given “authorization” by a user or other authorized party. Specifically, the Court decided:
- In Nosal, a former employee whose access credentials have been revoked acts without authorization when the employee knowingly accesses a computer system using a borrowed login credential; and
- In Facebook, a third party who has been granted access by a user does not receive authority to access the entire system, but only to the user’s account; and receiving a cease and desist letter renders a party liable for CFAA violation for continued use.
Significance:
These decisions make a case for the notion of dual authorization regarding access to computer systems and accounts. Access is not authorized when either: (1) permission has been explicitly revoked and a party continues to access the system with borrowed credentials; or (2) a party knowingly continues to access a computer system based solely on permission from a user.
This represents the multi-dimensional nature of access; it is granted by either a user to a user’s account, or by the system’s owner to the entire system. Permission to access must originate from the party with the authority to grant access to the thing for which access is sought. Many articles discuss these cases in the context of password sharing practices with respect to Netflix and HBOGo accounts, and how password sharing may now be considered a federal crime under CFAA.
Read more about the United States v. Nosal decision
Read more about the Facebook v. Vachani decision
T.J. Wolf
Since joining DisputeSoft in 2016, T.J. Wolf has consulted for clients on a variety of software related matters, including breach of contract disputes, software implementation failure matters, and intellectual property matters involving allegations of copyright infringement and trade secret misappropriation. By researching and analyzing documentation to produce content and support for expert reports, T.J. has become deeply involved in analyzing the root causes of many IT failure cases and assessing misappropriation in intellectual property matters.