US appeals court: Anti-hacking law applies to password sharing case

The 9th Circuit Court of Appeals ruling expands the scope of the already-broad Computer Fraud and Abuse Act.

A US appeals court on Tuesday ruled that the Computer Fraud and Abuse Act, a broad anti-hacking law passed in 2005, applies to a case in which a former executive gained access to his former employer's confidential client data through a password that was voluntarily shared with him.

In a two-to-one ruling, a three-judge panel on the 9th Circuit Court of Appeals upheld the conviction of David Nosal, who used the information from his former employer -- Korn/Ferry International -- to start a new firm. He gained access to the data after his former secretary shared her password with him.

The ruling expands the already-sweeping scope of the CFAA, which imposes criminal penalties on anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and bymeans of such conduct furthers the intended fraud and obtains anything of value."

The Nosal case focused specifically on the question of whether he acted "without authorization". The panel concluded that "'without authorization' is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission".

The court panel also upheld Nosal's conviction for trade secret theft under the Economic Espionage Act.

In his dissent, the court summary of the ruling notes, Judge Stephen Reinhardt "wrote that this case is about password sharing, and that in his view, the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals".

The practice of sharing passwords isn't uncommon, according to a SailPoint survey released earlier this year. It polled 1,000 office workers across six nations and found nearly one in three are willing to share passwords with their co-workers.

The CFAA -- opposed by the Electronic Frontier Foundation for its scope -- was also used to convict former Reuters editor Matthew Keys of helping Anonymous to deface the LA Times in 2010. Keys, who denied the charges against him, was sentenced to two years in prison.

UPDATE: This article was corrected to note that Keys was sentenced to two years in prison; he is not serving two years in prison.