nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Dear America, best not share that password with your pals. Lots of love, the US Supremes

You may end up in the clink with 'hacker' on your criminal record

By Iain Thomson, 11 Oct 2017

A California bloke fighting a computer hacking conviction has lost his final appeal after the US Supreme Court declined to hear his case.

The ramifications of this decision could affect everyone in America who has ever shared a password with their friends and family. We'll explain.

In 2004, David Nosal was a high-level regional director at recruitment consultancy biz Korn/Ferry. He then left to start up his own firm, although stayed on for a year as a contractor. During that time, he tried to lure his former colleagues over to his new business, and convinced three of them to share their passwords to Korn/Ferry's internal database of consultants with him.

Using the purloined passwords, Nosal copied the firm's one million-person database so that he could use it to kickstart his own recruitment outfit. When this was discovered, the US Department of Justice charged him with hacking crimes under America's Computer Fraud and Abuse Act.

At the heart of the matter was the fact that Nosal used the passwords to gain unauthorized access to a computer system.

Password screen

Chap fails to quash 'shared password' 'hacking' conviction

READ MORE

Nosal was found guilty by a jury in 2013, and was sentenced to a year and a day in the cooler. He was also fined $60,000 for his troubles. He appealed, arguing that his shenanigans fell shy of actual proper computer hacking that the law is supposed to tackle, and last year was shot down in a 2-1 split decision by the California 9th Circuit Court of Appeals.

The lone dissenting appeals judge said he had serious doubts about the case. Sharing a password among folks is a fairly common practice, be it someone sharing banking credentials with their spouse to pay a bill or friends sharing Netflix account details. The dissenting judge, Stephen Reinhardt, feared the justice system, by convicting Nosal, was about to outlaw the simple act of sharing passphrases.

Crucially, Nosal's fate hinged on the law's definition of authorized access. Since Nosal clearly didn't have permission aka authorization to access the database, the appeals court ruled that the hacking conviction should stand. So the legal precedent seemed to be that you cannot access a system you are not allowed to, whether or not you were slipped the password by an authorized user. And that appeared to be pretty straight forward.

That wasn't good enough for the Electronic Frontier Foundation, though, which filed an amicus brief to the US Supreme Court. The digital rights warriors argued the appeals court decision will criminalize millions of Americans simply for sharing their passwords among each other. Giving your friend the password to, say, your online video-streaming account may violate the terms and conditions of the website's use, which may trigger a prosecution under America's computer hacking laws. After all, your friend did not have authorization from the website to access the service.

In other words, even though you gave your pal permission to watch streamed TV shows from your account, the website may forbid such shared use – and that would be an unauthorized access, the kind that ultimately landed Nosal in the clink. This is why the EFF found the appeals court's ruling particularly dangerous.

The foundation has a real beef with the Computer Fraud and Abuse Act, which is key to this whole case, and has previously called for reforms in order to, as EFF staff attorney Jamie Williams put it, prevent "overzealous prosecutors" from exploiting the law to lock up folks. The campaigners therefore asked the Supreme Court to clarify that sharing passwords can never be a crime.

"This [appeals court] ruling threatens to turn millions of ordinary computer users into criminals," Williams said earlier this year. "Innocuous conduct such as logging into a friend's social media account or logging into a spouse's bank account, with their permission but in violation of a corporate prohibition on password sharing, could result in a [Computer Fraud and Abuse Act] prosecution. This takes the CFAA far beyond the law's original purpose of putting individuals who break into computers behind bars."

Well, the Supremes didn't see a need to take this further: this week, they declined to hear the case. So for now, to be safe, don't share your password with anyone – not just because it may break the rules and therefore possibly the law, but also because it's just not good security hygiene. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing