In a recent opinion, the U.S. Court of Appeals for the Ninth Circuit upheld the conviction of a man who used a former co-worker’s password to access information from his previous employer.
A divided federal appeals court on Tuesday gave the U.S. Department of Justice broad leeway to police password theft under a 1984 anti-hacking law, upholding the conviction of a former Korn/Ferry International executive for stealing confidential client data.
The 9th U.S. Circuit Court of Appeals in San Francisco said David Nosal violated the Computer Fraud and Abuse Act in 2005 when he and two friends, who had also left Korn/Ferry, used an employee's password to access the recruiting firm's computers and obtain information to help start a new firm.
Writing for a 2-1 majority, Circuit Judge Margaret McKeown said Nosal acted "without authorization" even though the employee, his former secretary, had voluntarily provided her password.
Experts agree the decision could have far-reaching implications. That includes Judge Stephen Reinhardt, who in a dissenting opinion implied the verdict could end up classifying as criminals millions of users who share passwords.
This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.
Like it or not, this is what 21st century sausage making looks like. A pair of federal judges interpret a 30-year-old law so that it (apparently) criminalizes widespread behavior to the benefit of a corporation that does $6 billion in annual revenue. (Next step? Find a few unlucky targets to make examples of to discourage the practice.)
This is one of the challenges of living in an era in which written laws can run 3,000 pages and consist of dense (and often vague) text few people can understand. As a result, Americans routinely commit felonies without even knowing it.
Nearly 200 years ago, Thomas Jefferson wrote how important it was that laws be written “for men of ordinary understanding.” He recognized that laws that relied on “metaphysical subtleties” could make “anything mean everything or nothing.”
Is Jefferson right? Is our lawmaking a mess and an affront to constitutional democracy? Or is it impractical to think laws and regulations can be written succinctly and plainly in a world that is growing increasingly complex?
[PHOTO CREDIT: Flickr-MikePetrucci | CC BY 2.0]