Representation Nationwide Clientele Worldwide

Call
713-234-1416

Narrow definition of unauthorized access allowed in CFAA cases

The 1986 Computer Fraud and Abuse Act was intended to fight hacking. However, the law was passed in a time long before today's understanding of computers or the advent of the internet as we know it today. The U.S. Supreme Court recently had a chance to consider whether the CFAA was still adequate by hearing two cases decided by the Ninth Circuit. Unfortunately, the justices turned the cases away and left in place what may be far too narrow a definition of "unauthorized access."

Rights groups such as the Electronic Frontier Foundation are concerned by the Ninth Circuit's reading of the law. That appellate court determined in the two cases that the only entity able to grant authorized access to a computer or computer system is the owner. However, many people might assume that an account holder, for example, could legally grant secondary access to a spouse or family member even though some terms of service prohibit password sharing.

In other words, the groups argue, people could be found criminally liable under the CFAA if they innocently shared their banking password with a spouse so they could, for example, continue making transactions if the account holder were temporarily unable to. You might think it's a good idea to have a backup user to ensure your bills still got paid if you were in a car accident. Under the Ninth Circuit's interpretation, however, you could be violating the CFAA if your bank's terms of service don't allow for that.

It's quite concerning when people taking part in some relatively innocuous behavior could unknowingly be violating federal law. It's also unlikely that's what Congress intended.

The two Ninth Circuit cases involve two forms of access that an ordinary person might not consider to be computer hacking.

The first involved a company that set up shortcuts to its clients' Facebook accounts on a convenient online portal. This was done with the account holders' full knowledge and participation. Facebook objected because the company's setup allowed it to harvest data not only from its own clients but from other users. The Ninth Circuit ruled that Facebook was able to withdraw authorization that had been granted by its users.

The second involved a man who accessed a confidential database maintained by his former employer. He did not hack into the system, however. He borrowed an existing employee's login and password. He was found guilty of violating the CFAA. He appealed based on the idea that the law does not clearly define what constitutes unauthorized access.

It's crucial for the average person to be able to predict what behavior will result in a lawsuit or criminal charges. Can they?

No Comments

Leave a comment
Comment Information
Contact us

Contact Houston White Collar Lawyers for Experienced Representation

If you or your company is under investigation, charged or indicted for federal or state crimes, or you want to ensure future compliance, contact Hilder & Associates, P.C., for more information or to schedule an appointment with an experienced Houston white collar criminal defense lawyer.

Bold labels are required.

Contact Information
disclaimer.

The use of the Internet or this form for communication with the firm or any individual member of the firm does not establish an attorney-client relationship. Confidential or time-sensitive information should not be sent through this form.

close

Privacy Policy