Tuesday, July 12, 2016

Follow up to password sharing

Yesterday I published a post on the recent 9th circuit court of appeals case where it was effectively upheld that sharing your password to bypass restrictions is a crime under the CFAA.


If you are interested in the ruling on the case, check it out here (PDF).  The ruling was not unanimous.  A three judge panel ruled 2-1 in favor of upholding the original conviction under the CFAA statute.  While not unanimous, it still sets legal precedent until the supreme court hears the case (or one similar).

It's clear from their blog post that the EFF disagrees with the ruling.  But in my opinion they seem to be overplaying their hand quite a bit.  They seem to think the ruling criminalizes sharing a password in general.  But the real issue at play is whether you, an authorized user of a computer system, can delegate your authorized access to a third party.  And the 9th circuit seems to say "no, that's not okay."


The EFF tries to bring in some pretty unrelated examples to bear here.  Let's examine them one at a time.

1. A husband tries to pay a bill using his wife's banking credentials
Nobody has been defrauded here and there's no apparent harm done.  The wife delegates use of her account to use her resources to pay a bill.

2. A student uses a parent's Hulu or Amazon account password
Presumably this is wrong.  The student uses the password to avoid paying for their own account.  Nothing left to say about this.  It's wrong plain and simple.  Amazon or Hulu are being robbed of additional revenue from this unauthorized account sharing.  Should it be a federal crime?  I hate to weigh in on this - but I think when the situation is examined objectively we can agree this is wrong.

3. Someone checks Facebook for a sick friend
If the sick friend provided authorization, I can't imagine how this is going to be considered a crime under the CFAA, despite the EFF's posturing.  The user providing permission to the account "owns" the data (though Facebook clearly does as well).

Closing thoughts
The EFF provided one example of bad behavior and two examples that clearly aren't related to the case at hand.  But think about this from the perspective of a system owner.  You provide access to an employee who is now an authorized user.  The authorized user then shares their password with some random stranger you didn't authorize.  Are you okay with that? Of course not.  Did they have the authority to share your system access? Of course not.  The EFF also wants to split hairs about whether the situation changes if the person is someone who was previously authorized to access a computer system (e.g. a former employee).  But if the person knows (or reasonably should know) that their access has been revoked, I think the situation is just as clear here.  Common sense should rule the day.

The EFF also has a nice collection of documents on the case, including briefs that they filed.  Regardless of which side of the issue your opinions lie, those briefings represent legal opinion while the ruling represents law.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.