U.S. Ninth Circuit - The FindLaw 9th Circuit Court of Appeals Opinion Summaries Blog

Sharing Your Password Is a Federal Crime, 9th Circuit Rules

The final decision from the Ninth Circuit case of United States v Nosal II has finally been filed and should make casual users of this thing we call the internet a little nervous. Nosal II involved accusations that a former employee who'd used other current employees' password information to access company information had violated the Computer Fraud and Abuse Act. Sounds harmless enough and even intuitive. That is, until you listen to the judge's language. This has all the eerie import of Matish III.

This ruling has petition written all over it. In the short term, we doubt this means that anyone within the Ninth Circuit will have to worry about sharing their email passwords with their friends. But the faintest hint of precedent is enough to send a chill down our spines.

Clear Shenanigans Leads to Slippery Slope?

The facts of Nosal I/II have been outlined simply by Orin Kerr of Volokh Conspiracy, so we won't really go into great detail here. The relevant gist is that a former employee (Nosal) got tired of his job and wanted to create a competing company. But he wanted to bring some proprietary information with him, so he conspired with other current employees within the company to access information. Two techniques were employed: getting the current employees to do the dirty work for him, and then later asking them for their login and access information so he and other conspirators could access the company database themselves.

The issue of the case hung on the following issue: Who "authorizes" access as envisioned under the Computer Fraud and Abuse Act? Was it Nosal's employer who owned the database? Or was it the employee who foolishly said, "Sure, go ahead"? The dissent thought that the employees' consent cleaned Nosal's actions of fraud under the CFAA. Too bad the majority thought otherwise.

Brekka Revisited

The Ninth Circuit majority relied on a previous case it heard called Brekka in which it ruled that an account cannot be lawfully accessed again after the license to use it is revoked. It's Brekka all over again, the circuit said.

Obviously, the circuit anticipated what a lot of practitioners were thinking, so it got right to the point. Allowing after-access by a former employee would create havoc:

[A]n employee could willy nilly give out passwords to anyone outside the company -- former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.

Intuitively, consumers understand this. This would be tantamount to having a key to an old building one has moved out of. There is a reason former tenants are required to return keys as a condition of their return-deposit.

But the opinion's less than clincher language still leaves open the disconcerting possibility that your use of your cousin's Netflix login information could be criminal under the CFAA. The Ninth Circuit addressed this, but didn't appear too worried. In its view, letting your roommate use your Prime account bore "little resemblance" to the admittedly more dastardly ex-employee scenario.

Related Resources: