In the 1983 film "WarGames," a teenage hacker played by Matthew Broderick nearly triggers a thermonuclear war when he attempts to hack into a video game company server, but accidentally dials the Air Force's War Operation Plan Response computer.
"WarGames" introduced much of the country to the computer "hacker" -- a person able to break into computer networks using back doors, bugs, and other exploits. It also captivated Capitol Hill and sparked an anti-hacker panic. By the end of 1983, six anti-hacking bills were introduced, some explicitly citing "WarGames" as a case in point.
The early legislation's ambition was relatively modest: to punish -- harshly -- outsiders attempting to hack into and disrupt major financial institutions or the United States military's mainframe computers. By 1996, however, the statute, now known as the Computer Fraud and Abuse Act (CFAA), criminally sanctioned the intentional unauthorized access to virtually any computer in America and offered a civil action avenue to any person who suffered damage or loss as a result of a violation of the act. Today, some consider the CFAA to be "one of the most far-reaching criminal laws in the United States Code"; others call it "the worst law in technology."
While gradually increasing the CFAA's coverage, Congress left the act's core terms -- "access" and "authorization" -- undefined. This meant that prosecutors (and private companies) were now able to bring actions outside the original hacker typecast.
The rapid advances in computing added to the complexity. Congress originally conceived the CFAA as the digital equivalent of physical trespass and burglary offenses. This may have made sense when the "WarGames" scenario -- outsiders attempting to break into government mainframes -- was the sole concern; today, few think of website or network security from a physical perspective. And thus, the CFAA may be ill-equipped to perform its original function: protect against cybercrime.
Three 9th U.S. Circuit Court of Appeals cases address one persistent and challenging aspect of the CFAA, which we dub the "inside hacker" problem. Unlike "traditional" hackers, inside hackers do not tunnel into a computer system by means of technological subterfuge. Instead, they commonly receive authorization to use the system either from the system owner or from an authorized user of the system. Problems arise when these hackers use their privileges in ways that the system owner has not approved (or has not envisioned). As these 9th Circuit cases demonstrate, today's technological realities mean that there is little discernible difference between prohibited "inside hacking" and commonplace (and often beneficial) computer use.
At issue in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (en banc), was the meaning of a core CFAA term: "exceeds authorized access." Specifically, the 9th Circuit was asked whether an authorized user of an employer's computer network "exceeded" authorized access by using the network in violation of the employer's terms-of-use.
Two dueling interpretations were offered: Nosal argued that one exceeds authorized access if one accesses files or locations that she is not authorized to view. The government argued that one exceeds authority whenever she misuses the information. Siding with Nosal, the 9th Circuit held that only restrictions on access, not on use, could form the basis for CFAA liability. Under this narrower construction, Nosal was not liable under the CFAA because Nosal's accomplices had permission to access the database at issue and to obtain the information it held.
This "access" vs. "use" distinction, while intuitive in the physical world, can prove challenging to apply in digital space. Consider, for example, that until 2012, Google forbade minors from "accessing" its services. Other well-known websites did the same. While minors could technically receive credentials to access Google's various websites, they could do so only after falsifying their age. Under these circumstances, did Google restrict access to its services, or merely limit their use? Or, consider the case of "conditional access," whereby, for example, an employee is forbidden to open her internet browser unless it is to browse certain work-related websites. In this scenario, was the employee's access to certain data or files restricted, or was the restriction on the use of her internet browser?
The answer, perhaps, lies not in the fact of restriction on access in itself but rather in the type of restrictions imposed. As Nosal I notes, a reading of the text and legislative history of the CFAA suggests that its general purpose was to punish hacking -- the circumvention of technological access barriers. Under this reading, whenever the defendant can access data without resort to technological manipulation -- or hacking -- he does not exceed authorized access under the CFAA.
In United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016), after the alleged co-conspirators, too, lost their login credentials, they continued to access their former employer's database when a current employee (Nosal's former assistant) "loaned" them her login credentials. The Nosal II question was whether Nosal (and his co-conspirators) accessed a protected computer without authorization.
The Nosal II holding is simple: One who accesses a computer system after categorically being barred entry does so "without authorization." That Nosal and his co-conspirators obtained permission from an authorized user (a current employee) mattered little; giving weight to such permission, the court noted, would remove from the scope of the CFAA any hacking conspiracy with an inside person.
The dissent disagreed, accusing the majority of losing sight of the anti-hacking purpose of the CFAA, thereby criminalizing commonplace behavior: password sharing. Per the dissent, the question that matters is not what authorization is but who is entitled to give it. Must it be the owner/operator of the computer, or could a legitimate account holder authorize access to his account? If, as Congress intimated, the conduct prohibited by the CFAA is analogous to that of "breaking and entering," then, according to the dissent, one should not be liable if invited in by a houseguest.
Facebook v. Power Ventures, 844 F.3d 1058 (9th Cir. 2016), again posed a "password sharing" scenario: This time, the defendant, a social media "aggregator," used its users' passwords (and permission) to send out invitations to use Power's services through the Facebook platform. Facebook did not approve and instructed the defendant to "cease and desist." The defendant did not.
Was Power Ventures acting without authorization under the CFAA? Again, the court's response was simple: After receiving notification from Facebook that it may no longer access its computers, but continuing to access Facebook's computers, Power Ventures acted "without authorization" within the meaning of the CFAA.
In reaching its decision, the court distilled two "general" rules from its former CFAA cases: First, a defendant can violate the CFAA when she has no permission to access a computer or when such permission has been revoked explicitly. Enlisting a third party to aid in access will not excuse liability. Second, a terms-of-use violation, without more, is not enough to offend the CFAA.
But Facebook insiders (its account holders) did allow Power to use their accounts. Much like in Nosal II, the court afforded little weight to user permission. It held that after Facebook expressly told Power to stop, user permission was meaningless. In other words, while user permission could suffice to shield an outsider from liability initially, once the system owner made its position clear, user permission no longer mattered.
What Should the CFAA Regulate?
Absent meaningful revision of the CFAA (or wisdom from the U.S. Supreme Court; both Nosal's and Power Ventures' petitions for certiorari are pending), the "inside hacking" questions will continue to dominate CFAA jurisprudence in the foreseeable future. As the law's reach continues to grow beyond the "traditional" hacker scenario, attention should be paid to the various tools developed by courts to separate benign (and often useful) computer activity from sanctionable behavior.