Orin Kerr writes:
The Ninth Circuit has handed down United States v. Nosal (“Nosal II”), a case on the scope of the Computer Fraud and Abuse Act that I blogged about here and here. The court held 2-1 that former employees of a company who had their company accounts revoked violated the CFAA when they subsequently used the passwords of a current employee, with the current employee’s permission, to access the company’s computers.
I think that the majority’s result is right on its facts but that its analysis is less helpful than it could be. This post explains my thinking, and it then explains the likely importance of the Ninth Circuit’s still-pending case in Facebook v. Power Ventures.
Read more on The Volokh Conspiracy.
From the opinion:
Embracing our earlier precedent and joining our sister circuits, we conclude that “without authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.
I think the majority’s notion that “unauthorized access” means “accessing a protected computer without permission” and that’s somehow unambiguous may be an overstatement. Should publication of a site in public areas of the Internet constitute permission or authorization, or do we need to write to every site and ask “Mother, may I?” before we read a site or download materials from it? Look at the controversy over white-hat or grey-hat researchers who find unsecured sites or databases. By my standard, if they have no intent to defraud or use the material for fraud, they should not be considered to have violated CFAA. That, however, has not stopped some entities from trying to accuse them of hacking under CFAA.
Perhaps some of the confusion could be eliminated if the courts remembered the second part of the statute that states that “and by means of such conduct furthers the intended fraud and obtains anything of value.” In Nosal, that wasn’t really an issue, but in other situations, it is. Keep watching the ACLU’s lawsuit on behalf of researchers.
Tell that to the USA and what Snowden did to his victims. It’s unauthorized personal use, to gain elevated privileges or to gain unauthorized permissions to otherwise restricted files.
Tell which part of it? Did Snowden have authorized access to all those files but just misused the access for nonauthorized purposes? That’s a different matter.
It all boils down to password sharing.
Snowden acted as a rep for the agency, asking for the password to people’s accounts to apparently fix issues… a typical social engineering attack.
Apparently he had a set number of people he targeted to gain access to data he did not have access or the authority to view.
Once a person passes credentials to another for use, it technically becomes a shared account, or group account. Several people know the password and have access to the files, using a common user name and password.
Now prove, without a shadow of a doubt, that person A or person B used the credentials to access files. You can pin it down to an individual computer accessing the material.
If a third person (person C) overhears the password, or knows it, it’s simple for person C to place files in person A or B’s home directory and say they are the culprit, accessing unauthorized data, and person C can walk away unscathed.
One thing people forget is very simple. It’s the viewing of other people’s personal data. How you get there does not matter. It still does not give anyone the right to access files that are not yours. Call it the ethical thing to do.
Most of the searches by “researchers” are motivated by intent. They search these servers and databases with the intent to find things wrong. That makes them half as evil as a potential hacker. They approach the search with expectations to find something wrong, and are willing to go the extra steps to put themselves in a position of power, to expose data that otherwise may never be found. A researcher should NEVER put themselves in the position of power or act as a third party judge of what happens to the data – it’s NOT their job. To make demands is to act as if you’re trying to intimidate, or to eventually victimize the company in question. How close is that to blackmail? In the technical portion of the act – pretty close. Same goes for any other entity (like Google researchers finding holes in other people’s software and demanding they fix it in 90 days or else).
Go to Congress. Provide the information and a solution. They give grants for this type of cluster. Before you know it, there will be a clearinghouse for potential breaches. Offer any company, agency or small business the ability to be given a report of a server without any reprisal, and have scheduled reminders that re-scans should be done on a periodic basis.
The subject of researchers looking for wide open data is an over-flogged dead-and-gone horse, which the majority of the world obviously does not care about. Any organization that has issues will always question the finder of the source or ignore them as a ploy to gain access to their network. It’s the researcher’s word against a company that’s supposedly rock solid when it comes to reputation. But as we all see over time, most of these places are either ignorant or they have one hell of a smoke-and-mirrors marketing scheme.