Narrow definition of unauthorized access allowed in CFAA cases

The 1986 Computer Fraud and Abuse Act was intended to fight hacking. However, the law was passed in a time long before today’s understanding of computers or the advent of the internet as we know it today. The U.S. Supreme Court recently had a chance to consider whether the CFAA was still adequate by hearing two cases decided by the Ninth Circuit. Unfortunately, the justices turned the cases away and left in place what may be far too narrow a definition of “unauthorized access.”

Rights groups such as the Electronic Frontier Foundation are concerned by the Ninth Circuit’s reading of the law. That appellate court determined in the two cases that the only entity able to grant authorized access to a computer or computer system is the owner. However, many people might assume that an account holder, for example, could legally grant secondary access to a spouse or family member even though some terms of service prohibit password sharing.

In other words, the groups argue, people could be found criminally liable under the CFAA if they innocently shared their banking password with a spouse so they could, for example, continue making transactions if the account holder were temporarily unable to. You might think it’s a good idea to have a backup user to ensure your bills still got paid if you were in a car accident. Under the Ninth Circuit’s interpretation, however, you could be violating the CFAA if your bank’s terms of service don’t allow for that.

It’s quite concerning when people taking part in some relatively innocuous behavior could unknowingly be violating federal law. It’s also unlikely that’s what Congress intended.

The two Ninth Circuit cases involve two forms of access that an ordinary person might not consider to be computer hacking.

The first involved a company that set up shortcuts to its clients’ Facebook accounts on a convenient online portal. This was done with the account holders’ full knowledge and participation. Facebook objected because the company’s setup allowed it to harvest data not only from its own clients but from other users. The Ninth Circuit ruled that Facebook was able to withdraw authorization that had been granted by its users.

The second involved a man who accessed a confidential database maintained by his former employer. He did not hack into the system, however. He borrowed an existing employee’s login and password. He was found guilty of violating the CFAA. He appealed based on the idea that the law does not clearly define what constitutes unauthorized access.

It’s crucial for the average person to be able to predict what behavior will result in a lawsuit or criminal charges. Can they?