Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Crime The Courts Communications Databases Electronic Frontier Foundation Government Network Networking Privacy Security The Internet United States News Technology Your Rights Online

Password Sharing Is a Federal Crime, Appeals Court Rules (vice.com) 165

An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"
This discussion has been archived. No new comments can be posted.

Password Sharing Is a Federal Crime, Appeals Court Rules

Comments Filter:
  • Considering he wasn't an employee anymore, it doesn't really matter.

    • lawyers who only talk to lobbyists, who only talk to money, which is only held by high-up executives who don't know how to log in. that's how the law was crafted. so what did you expect?

    • Considering he wasn't an employee anymore, it doesn't really matter.

      Of course it matters. We know the person in question committed crimes (stealing trade secrets), the question is whether charges of "computer hacking" aka unauthorized access to a computer with the intent blah blah blah can be added to the charges.

      The same thing with authorized access would have still been "stealing trade secrets" but without the additional charge.

  • Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided? I suppose that is a) too technical, and/or b) is a broad enough definition of "authorize" that any successful cracking of a password results in an authorized access.
    • by OverlordQ ( 264228 ) on Wednesday July 06, 2016 @04:29PM (#52458875) Journal

      Authorization != Authentication

    • by JaredOfEuropa ( 526365 ) on Wednesday July 06, 2016 @04:31PM (#52458899) Journal
      No. If 1) your company IT policy strictly prohibits sharing your password with anyone, including IT support staff (like many policies do), and 2) you access a database using a co-worker's credentials, then it should be crystal clear to you that this access is unauthorized. And that goes double if you are no longer an employee at that company.
      • I wish I had mod points for this. It's pretty black and white here. Common sense tells you that there is one owner to the account john.smith and that only that specific person is authorized to use it while they are employed.

        • by Aighearach ( 97333 ) on Wednesday July 06, 2016 @05:02PM (#52459091)

          I dated a sysadmin and we didn't even share passwords to our home computers, or ask to/let each other use work laptops. Not even "just for a minute."

          Password security shows respect, trust.

          Which is deeper trust: "I trust you not to hurt me" or "I trust you not to put me in a position where I have to trust you not to hurt me?"

          I'll go with the latter one.

          Or as my mother taught me regarding financial risk, "Trust is knowing you won't be left out on a limb without the proper paperwork in the first place."

          But none of that even matters in this case, because it was the employer who held the prerogative to grant a password permission, or not. The person who "shared" the password was not the owner of the system, there is no actual legit "sharing" there. It is just using a false credential, after having received it from "a person on the inside."

          • what about group passwords?

            stage 1 vpn passwords?

            SA password?

            administrator password?

            root password?

            and so on?

            • Group passwords should not shared between members of the group either. As a rule, a group member should not give the group password to another person claiming to be in that group; organisations with good security policies have provisions for diseminating, revoking or restoring forgotten group passwords, and a password should only be given out or shared by the authority, not other group members. But yeah, in practice the password will be shared between group members who know each other.

              In the past 15 ye
            • by jon3k ( 691256 )
              We established policies to address these decades ago. Root passwords are created by multiple people, each who knows part of it. They write down the passwords and store them together in a safe that requires 2+ people to open (each has part of the combination). That's how we do it anyway.

              Group passwords for VPN are shared among multiple people/systems and are only one part of authentication. So it doesn't matter if multiple people know them. They still have to authenticate using some other method on t
              • by pla ( 258480 )
                While nice in theory, what you describe counts as massive overkill unless you have PCI/HIPAA/similar data protection requirements for your systems.

                In the real world, a few people all have the root/sa/admin/whatever passwords, and if one of those people leaves, the rest simply change the passwords.

                I will agree that TFA makes for a really shitty test case for whether or not shared passwords violate the CFAA; but not every random data warehouse needs its DBAs to swear a blood-oath and split the holy crysta
                • by jon3k ( 691256 )
                  Buying a $100 safe is massive overkill? This whole process took three people about 5 minutes and we've never needed to touch it since. You just each type in half the password, write down your half, place it in the safe.
                  • by pla ( 258480 )
                    Buying a $100 safe is massive overkill?

                    No, that part counts as a pretty standard practice. The rest of your procedure, however:

                    in a safe that requires 2+ people to open

                    Congratulations, no two-out-of-three of you can now go on vacation at the same time, even though it might only take one of you to "keep the lights on" on a day-to-day basis. In fact, you shouldn't even ever ride in the same car together.

                    What you describe makes a great low-tech way to split a secret into X parts such that it takes
      • No. If 1) your company IT policy strictly prohibits sharing your password with anyone, including IT support staff (like many policies do), and 2) you access a database using a co-worker's credentials, then it should be crystal clear to you that this access is unauthorized.

        Sorry, but if you are authorized to access the computer, and you were stupid and forgot the password, then you are still authorised to access the computer. And using a co-workers password wouldn't take that authorisation away. It's correct that it doesn't give you authorisation either. The authorisation comes from elsewhere.

        • You are authorised to log into the computer using the account(s) you have been issued. You are not authorised to log in using a password belonging to the CEO or the janitor. The use of any other credentials is not authorised and so be prepared for a discussion with police, Feds or some sort of spook if you do.
        • by dcw3 ( 649211 )

          You may be authorized access, but that's NOT giving you permission to utilize someone else's account to do so. That breaks rules for logging who's done what on a system, and certainly isn't authorized anywhere that I've seen.

      • by Anonymous Coward

        Yeah ... about that policy ... at a previous employer, they forgot to have me sign the "I agree to X, Y, and Z" security policies until I'd been there a couple of months. Out of the 20 or so conditions, 3 - including password sharing - were broken as SOP by the group.

        In part, the security department at this company was manned by mostly incompetents. One of the systems my group accessed ... well, the security group had been unable to create a new ID for that system in three years. So there were a hand

    • by bored_lurker ( 788136 ) on Wednesday July 06, 2016 @04:38PM (#52458947)

      Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?

      No, if I come to your house and I find a key under your flowerpot, open the door and enter am I authorized because the key gave me access? Clearly not. If simply having a password was authorization then not only every hacker (e.g. brute force) but every stolen ID would be "authorized". Just no.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Your analogy is flawed. Let's amend it to more closely model the specific situation at hand. If you go to an office building, phone a friend who is a current employee at the business housed within said building, ask for and receive an electronic door lock PIN to gain facilities access, and stroll around inside taking pictures of the interior, can your activities be held as criminal trespass? -PCP

        • by Aighearach ( 97333 ) on Wednesday July 06, 2016 @05:03PM (#52459097)

          If you go to an office building, phone a friend who is a current employee at the business housed within said building, ask for and receive an electronic door lock PIN to gain facilities access, and stroll around inside taking pictures of the interior, can your activities be held as criminal trespass? -PCP

          Yes.

        • YES. This really is old and black and white. Just because people do something doesn't make it legal.

      • by bsolar ( 1176767 )

        Even if the door is open if you have no authorization it's still trespassing and this shows pretty well the issue the EFF is raising.

        it's pretty clear you are authorized to enter a restaurant and it's pretty clear you are not authorized to enter a random private home which happens to have the door left open.

        What about an anonymous FTP server? It could be argued it's like an open restaurant, or it could be argued it's like a private home with the door left open, so if you apply the "trespassing" analogy it's

        • What about an anonymous FTP server? It could be argued it's like an open restaurant, or it could be argued it's like a private home with the door left open, so if you apply the "trespassing" analogy it's not clear at all whether you are "authorized" or not.

          The arguing what it's like would be pointless. What counts is whether you have authorisation or not. And whether you have authorisation would depend on the circumstances. For example, if you went to Apple's website and found a page titled "Downloads" you would be authorised. If you found a page titled "Downloads - Employees only" you wouldn't be authorised if you are not an employee.

          • by david_thornley ( 598059 ) on Wednesday July 06, 2016 @05:29PM (#52459271)

            Now, for the purposes of the CFAA, exactly what counts as authorization? Traditionally, putting an anonymous FTP server up has been considered to authorize access, but is this so according to the CFAA? As long as "authorization" is vague here, the CFAA will have a chilling effect on what people do.

            • IMHO, anon or no password should equal authorized to all. Any password should mean limited authorization unless the password is anonymously shared.

              We need to stop rewarding stupidity, even if it was unintended.

    • Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?

      No, not any more than owning a key to my front door gives you "authorization" to use it to enter my home.

      • Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?

        No, not any more than owning a key to my front door gives you "authorization" to use it to enter my home.

        Uh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.

        • by gnasher719 ( 869701 ) on Wednesday July 06, 2016 @05:36PM (#52459309)

          Uh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.

          Absolutely not. I can give my neighbours my house keys when I go on holiday, so they can enter if there is an emergency. That doesn't give them authority to enter without reason. I had my neighbour's key with authorisation to enter the kitchen to feed the cats while she was on holiday; that didn't give me authorisation to enter her living room or bedroom.

          If you are renting, the landlord may have a key, the caretaker may have a key, they both have no authority to enter your home in most situations.

        • by Anonymous Coward

          What if he maid service company (whom I authorized to enter my house) gave you a key to my house? Does that grant you authorization to enter my house?

          I'd argue that no, it doesn't.

          And nor does one employee giving another person his password constitute authorization to the computer system.

          In both cases, the person giving the key/password doesn't have the authority to grant authorization to another party.

        • by JustAnotherOldGuy ( 4145623 ) on Wednesday July 06, 2016 @06:18PM (#52459555) Journal

          Oh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.

          First of all, no I wouldn't. Who said I "gave" you a key? Maybe you found it, maybe you stole it. Maybe someone I gave it to turned around and gave it to you. None of those scenarios gives you "authorization" to unlock my front door and enter my home.

          Second, just having the key doesn't automatically grant you authorization, either. Maybe I gave it to you for use only in case of emergency (fire, flood, vacation emergencies, etc).

          None of those give you carte blanche to necessarily be in my home either, unless the circumstances warrant. If it's for emergency access, for example, that doesn't give you the right to come over, watch TV and raid my refrigerator.

          So no, just having a key doesn't mean you're automatically authorized to use it, even if I gave it to you.
           

    • Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?

      If that were the case then social engineering attacks where hackers get a company employee to divulge their password would be entirely legal. Knowing a username and password is no different than having a key and simply having a key does not automatically make it legal for you to access everything it unlocks.

    • Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?

      One could argue so, but one would be laughed out of court. Databases are not authorities who can give or deny authorisation. They are not people, they are not employees of the company, and they are not employees high enough up the ladder in the company to give or take away authorisation.

      • No, courts don't laugh when you make invalid arguments. You're supposed to make your arguments in filings first, and if they're not valid you won't be allowed to make them in court. If you start blurting it out in open court anyways, they don't laugh.

  • by gnasher719 ( 869701 ) on Wednesday July 06, 2016 @04:28PM (#52458847)
    A password doesn't give you authorisation. You get authorisation from your boss, or from your company, to access a computer to do your job. A password is only a means to help keeping unauthorised people out.

    If you lose your job, or your position where you need to access the computer, you lost the authorisation. If the company forgets to remove your password, or you find someone else's password, or a password is shared with you, that doesn't give you authorisation. In this case, everything is absolutely clear.

    Where this law is abused in some cases is in situations where someone had the authority to access the computer, but abused the authority to commit a crime. Say a bank manager with authorisation to access computers moving money into his own bank account, or a police officer with access to a license plate database abusing his position by finding out the address of his ex's new boyfriend. That's when authorities try to add "computer hacking" to the list of crimes.
    • by Anonymous Coward on Wednesday July 06, 2016 @06:03PM (#52459457)

      A password doesn't give you authorisation. You get authorisation from your boss, or from your company, to access a computer to do your job.

      One of the oddities of our current climate is this: How do you know when you're authorized?

      Much of the time it's common sense, but if we're talking about DMCA instead of CFAA, it gets very murky, very fast.

      You buy a DVD. You pay for a Netflix account every month. Are you authorized to decrypt the content? If you're authorized, then it's ok to watch it. If you're not authorized, then decrypting is circumvention of the DRM.

      According to the MPAA-vs-2600 case, you're either not authorized at all, or you're not authorized to do what DeCSS does. You're seemingly violating DMCA every time you watch anything, but of course nobody really believes that. (MPAA hasn't sued all their paying customers yet, and they've had ample time.)

      So just what is the mechanism for authorization, and how do you know when it's there, in non-obvious situations? It seems that authorization can be totally implicit, without a single word communicated to tell you whether or not you have it. Indeed, it seems like there might be unspoken and unexpressed conditions. (e.g. We think the conditions are that you're authorized to bypass a DVD's DRM if it's inserted a licensed player, but not if it's an unlicensed player. But is this written anywhere? can you look at a player and even figure out whether its manufacturer got a license or not?)

      If authorization is murky for DMCA, then why couldn't it be murky for CFAA too? Let's say you need access to something, to do something that your boss commands. The boss says "clean the dunsel" and you just happen to know that the key to the dunsel bracket's lock is stored in a certain drawer. Authorized? Maybe. Probably. Right?

      The truth is, you're going to assume you're authorized and take your chances since it's highly unlikely that the government is coming for you. Or perhaps you're constantly unknowingly committing crimes all day, year after year, where the feds are licking their lips, waiting for the day when you're on some "bad guy" list and they can suddenly throw the book at you. Then 6 years later, you literally don't even remember if the boss said, "Oh, the dunsel bracket key is in that drawer. You may use it." You've just been using it every month for 72 months.

  • by Art Challenor ( 2621733 ) on Wednesday July 06, 2016 @04:32PM (#52458907)
    So, is it now a federal crime to access someone's social media accounts with passwords that you coerced them to share (schools, companies, CBP, etc.)?
    • by slew ( 2918 )

      So, is it now a federal crime to access someone's social media accounts with passwords that you coerced them to share (schools, companies, CBP, etc.)?

      Let us hope this is the case...

    • by c ( 8461 )

      So, is it now a federal crime to access someone's social media accounts with passwords that you coerced them to share

      Probably.

      Best luck getting anyone to prosecute anyone for doing that, though.

    • Comment removed based on user account deletion
      • is that an American thing?

        It's an awful-company thing.

        Pro-tip: ask potential employees to give you all their social media passwords. If they do so, don't hire them. If they tell you to go fuck yourself, ask them to pick their parking space.

    • It's yet another case where the headline says something different than the article, as is unfortunately often the case here. Reading comprehension is in general getting worse everywhere and we see that happen a lot at Slashdot.
  • So now..... (Score:5, Insightful)

    by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Wednesday July 06, 2016 @04:33PM (#52458921) Journal
    ... not only can they hold you indefinitely for *NOT* giving your device's password to them if they want to inspect it, they can even arrest you if you do!
  • Terrible headline (Score:5, Insightful)

    by jratcliffe ( 208809 ) on Wednesday July 06, 2016 @04:34PM (#52458923)

    "Password Sharing Is a Federal Crime, Appeals Court Rules"

    No, the appeals court ruled that borrowing a password to get access to a system you knew you weren't authorized to access is illegal. To use a real world analogy, if I lose my job, and the company takes away my key to the office, it's illegal for me to use a key borrowed from a colleague to get in. I don't have to pick the lock for the access to be illegal.

    • I should have known better- I came here about to get all upset. Good thing I read the summary before commenting...

      Doesn't this also put the current employee who shared the password in hot water too?

      • I should have known better- I came here about to get all upset. Good thing I read the summary before commenting...

        Doesn't this also put the current employee who shared the password in hot water too?

        Certainly with the employer - I don't know if someone could be indicted as an accessory to violation of the statute.

  • by denis-The-menace ( 471988 ) on Wednesday July 06, 2016 @04:35PM (#52458929)

    https://www.gnu.org/philosophy... [gnu.org]

    Dan resolved the dilemma by doing something even more unthinkableâ"he lent her the computer, and told her his password. This way, if Lissa read his books, Central Licensing would think he was reading them. It was still a crime, but the SPA would not automatically find out about it. They would only find out if Lissa reported him.

  • by Stormy Dragon ( 800799 ) on Wednesday July 06, 2016 @04:36PM (#52458939)

    Given the volume of comments from that user, I'm convinced more than one person is using the account!

  • No shit. (Score:5, Informative)

    by penguinoid ( 724646 ) on Wednesday July 06, 2016 @04:38PM (#52458949) Homepage Journal

    Real headline: Having a coworker's password doesn't mean having the boss's permission.

  • What is a "password" is an oil change light reset code an password and one that the car manufacturers can use to shut down 3rd party shops?

    • If it is a leased car, then it depends on the terms of the lease.

      If the car is owned by the driver, then they are the source of authorization. It would only be a crime if the 3rd party shop didn't have the customer's permission.

      • but what if BMW never give permission for that 3rd party shop to use the reset code? and says that is a dealer only code and the shops / websites don't have the permission to have it?

        • See my answer above. If you find an additional way to ask the question, see above, the answer will be the same.

          If they sold the car, they gave up prerogatives regarding how it is used. If they didn't sell the car, then it depends on the contract who holds which prerogatives.

  • The case as given is clear: someone used social engineering to break into a database of a former employer. This is clearly unauthorized access.

    What I worry about with laws like this is where they end. It's fairly common to password-share between employees to get some damn work done, and it's not unheard of to share social site passwords, and I don't think we want these cases to be against the CFAA.

    • What I worry about with laws like this is where they end. It's fairly common to password-share between employees to get some damn work done, and it's not unheard of to share social site passwords, and I don't think we want these cases to be against the CFAA.

      You should read the court decision, and it is might quite clear. First, it's not just unauthorised access, it's unauthorised access plus causing some kind of damage. So the employees trying to get their job done are fine. (Legally. If the employer made absolutely clear that no passwords are to be shared under any circumstances then they could be fired). The same would apply to the social site password. And violating the terms of service of a website doesn't make access unauthorized.

      Likewise, the court de

  • The number of employees that share passwords (and usernames) is huge, the jails would be overflowing... Oh wait, they are with drug related crimes already.
  • by acoustix ( 123925 ) on Wednesday July 06, 2016 @04:55PM (#52459065)

    From the article:

    "Notably, Reinhardt appears to have a commanding knowledge of what constitutes “hacking,” something that comes up over and over again both in the media and in the courts. He said that the decision “loses sight of the anti-hacking purpose of the CFAA.”

    “There is no doubt that a typical hacker accesses an account ‘without authorization’: the hacker gains access without permission—either from the system owner or a legitimate account holder,” he wrote. Using someone else’s password with their permission but not the system’s owner isn’t “hacking,” but that’s what the court is treating it as."

    Using another person's password with their permission but not with the system owner's permission is definitely a form of hacking. It's called social engineering. Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Just because someone easily provided their account information doesn't mean that it was done so legitimately. It is ultimately the system owner who gets to decide who has authorization to their systems and what constitutes authorized access. At the same time, it is the system owner's responsibility to educate it's users as to what is allowed.

    I would also take issue with the sentence where the writer claims that the judge has a "commanding knowledge" of "hacking".

    • by Anonymous Coward

      Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Just because someone easily provided their account information doesn't mean that it was done so legitimately.

      If "tricking people" is involved, I doubt any serious person would argue that legitimate permission was given.

  • I rail against password sharing on the regular. It's right up there with with the crafty old hidden under the keyboard bullshit. I have taken the time to setup your user, I have granted all the permissions needed for you to do your job. Use the GD tools I have provided, else request more.

    When the surveillance guy sees you using somebody's creds, he is not going smile and ignore it. He is going to come to me with a reprimand, and to many of those means his businessmen stop coming and I don't get a raise nex

  • Many websites have in their EULA somewhere that using someone else's account is prohibited, or that signing up for a second account, or new account if you've been banned, are prohibited. Doing any of these prohibited things could be legally considered 'unauthorized access', even for a normally public website that anyone is welcome to use (Facebook etc.)
    Conflating EULA violations on a public website, with accessing private computer systems containing confidential data, is one of the reasons the CFAA needs to

    • Many websites have in their EULA somewhere that using someone else's account is prohibited, or that signing up for a second account, or new account if you've been banned, are prohibited. Doing any of these prohibited things could be legally considered 'unauthorized access', even for a normally public website that anyone is welcome to use (Facebook etc.)

      Read the court decision. These things could be considered "unauthorised access" by the company, but not legally by the court.

  • Stop using passwords. It really doesn't protect any of your personal devices, and if you can't trust the people you work with, they should be fired.
  • by Spazmania ( 174582 ) on Wednesday July 06, 2016 @06:11PM (#52459497) Homepage

    Effectively the court has rules that "authorization" for the purpose of computer hacking is mens rea, not actus reus. If you obviously knew you lacked authority (mens rea = mental state) then the element is satisfied regardless of any technicalities about the access control systems (actus reus = actual activity). Crimes require both mens rea (knew you lacked authority) and actus reus (used the computer anyway).

    That's why it's OK for the wife to log in and pay the husband's credit card bill: she has a _reasonable_ belief that it's OK to do so, thus the mens rea element of the crime is not proven.

  • a former employee of Korn/Ferry International research firm,

    This person was not an employee of the company. Any reasonable person would conclude that using another employee's password to access a database to a company that you no longer work for is not authorized. Authorization would be acquiring your own password from the company's IT staff, or a direct statement from management that you could use the employee's credentials to access said database.

    Trying to equate this with sharing my Netflix account is wrong. The Netflix account belongs to me, so I can give a

  • Like many posters above, I'm a little dismayed this made news. The title of the article is clickbait. We share passwords all the time at work -- heck, we have a password sharing application to make it easy to do so. But we only share passwords with people authorized to use them. If someone who wasn't authorized to use them is given one to access services, and is caught, then both that person and the person who gave the password to an unauthorized user broke the rules.

    Dumbest quote: The question that leg

  • Quick tip: Next time you want to steal your employers trade secrets, remember to have the admin print out the records and give them to you in paper. Then you're only violating the EEA and don't have to worry about these pesky, overly-broad interpretations of the CFAA causing you to be convicted as a hacker instead of just a thief.
  • Based on this ruling, it sounds like Microsoft has been violating the CFAA with Wi-Fi Sense in Windows 10.

No spitting on the Bus! Thank you, The Mgt.

Working...