Three judges of the Ninth Circuit Court of Appeals have taken a step back from criminalizing password sharing, limiting the dangerous rationale of a decision issued by a panel of three different judges of the same court last week. That’s good, but the new decision leaves so many unanswered questions that it’s clear we need en banc review of both cases—i.e., by 11 judges, not just three—so the court can issue a clear and limited interpretation of the notoriously vague federal hacking statute at the heart of both cases, the Computer Fraud and Abuse Act (CFAA).
To recap, the court’s language in last week’s case, U.S. v. Nosal, was so broad that it seemed to make it a federal crime to use someone else’s password, even with their knowledge and permission. In the new decision, in a case called Facebook v. Power Ventures, a separate Ninth Circuit panel acknowledged that a computer user can provide another person with valid authorization to use their username and password. That’s the good news. But the decision leaves unanswered so many other questions about how the law can be interpreted, and its rationale is so confusing, that it’s an invitation for more dangerous litigation and prosecutions under the CFAA.
The CFAA makes it illegal to engage in “unauthorized access” to any computer connected to the Internet. But the statue doesn’t say what “authorized access” means or make clear where authorization must come from. As we explain in an earlier post, under the rationale of last week’s decision in Nosal II (we call it Nosal II to differentiate it from an earlier ruling in this long-running case), only the person or entity that owns the computer—not someone who just uses it or holds an account to use it—can “authorize” another person to access the computer. That would mean a spouse could not lawfully log into their partner’s bank account to pay a bill, even with their permission or at their request, so long as the spouse knows that she doesn’t have permission from the bank to access its servers. The Ninth Circuit’s rationale turned anyone who has ever used someone else’s password without the approval of the computer owner into a potential felon. But we know that people use other people’s passwords all the time for good reasons. That’s why we’re happy the Power Ventures ruling, while claiming to be consistent with Nosal II, appears to have taken a step back from that bad result.
Facebook v. Power Ventures: The Facts
In the Power Ventures appeal, the company, a social media aggregator, was given usernames and passwords from Facebook users who wanted it to help them view all their social media information in one place. Power Ventures then asked for and received permission from the users to send invitations to those their contacts. Facebook objected to this and sent Power Ventures a cease and desist letter. It also blocked one of Power Venture’s IP addresses, although the block wasn’t effective because Power Ventures had many IP addresses. The company continued to offer its social media aggregating services to Facebook users for a month or so, until Facebook blacklisted the phrase “Power.com.”
Facebook also sued Power Ventures, arguing that it violated the CFAA, the corresponding state law in California (California Penal Code § 502), and the CAN-SPAM Act—the federal law that prohibits sending commercial emails with “materially misleading” header information. More on that CAN-SPAM claim below.
The district court ruled back in 2012 that Power Ventures was liable to Facebook under the CFAA, the state law, and CAN-SPAM Act and, in 2013, ordered it and CEO Steven Vachani, personally, to pay Facebook a crazy amount—more than $3 million in damages. Power Ventures appealed, and EFF filed an amicus brief in support of the company and argued at the Ninth Circuit hearing about the danger of extending crippling civil and criminal liability on services that provide competing or follow-on innovation.
The Ninth Circuit’s Facebook v. Power Decision
The Ninth Circuit found that Power Ventures violated the CFAA when it accessed Facebook’s data after receiving the cease and desist letter, on the ground that the letter gave the company notice that Facebook had revoked its authorization to access users’ Facebook accounts. The court acknowledged that Facebook users could give Power Ventures valid authorization to access their accounts without running into a CFAA violation—the step back from Nosal II’s blanket criminalization of password sharing. That was true even though Facebook’s terms of service expressly prohibit password sharing or letting anyone else use your account. But, according to the court, “[t]he consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission.” Because Power “unequivocally” knew that it no longer had authorization from Facebook to access Facebook’s computers and continued to do so anyway, it violated the CFAA.
So if we’ve got this right, an authorized user can designate someone to use their account even if the Terms of Service or other contractual agreement expressly forbids it, but if the computer owner then says “no” again, somehow that authority is lost and continued use is a crime. Huh?
Thankfully, the court got things right as far as Facebook’s CAN-SPAM claims were concerned. Facebook argued that the promotional messages its users sent their friends inviting them to try Power Ventures were “materially misleading”—and thus illegal—because the messages appeared to come from Facebook rather than from the users or Power Ventures. But that’s how Facebook set up its messaging system. The Ninth Circuit acknowledged, rightfully, that there was nothing misleading about the invitations. Any Facebook user that received an invitation to try Power would be able to tell that there were three separate parties involved: the friend, who sent the invite; Facebook, who facilitated the message; and Power, who’s service was being promoted.
Unanswered Questions
While we’re happy the court made it clear that using another person’s passwords in the first instance is OK, even despite a contractual agreement or terms of service forbidding it, the Ninth Circuit’s Power Ventures decision raises a host of new and unanswered questions about the scope of the CFAA.
The central problem is that, in both Power Ventures and Nosal II, by turning criminal liability on what someone knows or is told, the court seems to lose sight of the original goal of CFAA—targeting individuals who break into computer systems. Indeed, in the 2012 en banc Nosal I decision, the Ninth Circuit rejected turning the CFAA “into a sweeping Internet-policing mandate,” choosing instead to “maintain[] the CFAA’s focus on hacking[.]” Yet in Power Ventures (and earlier in Nosal II), there was no “breaking into” a computer; in both cases, legitimate passwords were used with the permission of the account holders. As a result, the Power Ventures court stretched the law to apply where it really wasn’t meant to go, turning criminal liability on Power Ventures' knowledge that Facebook revoked its “authority” to use those absolutely still good passwords. And because these decisions reach beyond the issue of breaking into computers, they suddenly implicate questions about the application of the CFAA to public websites, which have no technological barriers to access. (The court dropped a footnote saying that it wasn’t answering this question, but the fact that it felt the need to mention this was troubling. The CFAA should not reach that far.)
The decision also raises important questions about what notice or revocation means. Do you need to receive a written cease and desist letter? If a bank sends you a notice saying that your partner can no longer log into your account, is it a crime if they log in to pay a bill? What if it sends that notice to all its customers? Or can a website just post a notice, directed at all users, about conditions under which authorization is considered revoked? While the court seems clear that notice via terms of service is insufficient, it sheds no light on what sufficient notice looks like. It also seems disingenuous to draw a line between access revocations contained within a subsequent notice and restrictions contained within terms of use or other up-front agreements, but it seems like that’s what the court is doing.
More importantly, if a computer system owner doesn’t like how someone is using a computer—whether directly or through someone else—the remedy should be terminating the user’s credentials, not suing or seeking criminal indictment of the person using the legitimate credentials.
These questions remain unanswered and leave many situations unclear, convoluting the good Ninth Circuit precedent of Nosal I. And that’s important because even though Power Ventures is a civil case, the CFAA is a criminal statute and must provide adequate notice of exactly what conduct is criminalized.
We’re glad the Ninth Circuit rejected the district court’s absurd extension of the CAN-SPAM Act and stepped back a bit from Nosal II’s dangerous language. But the unanswered questions it raises for the CFAA may prove highly problematic. En banc review of both cases is necessary to bring clarity back to the Ninth Circuit’s interpretation of the CFAA—and to ensure that the law maintains its focus on computers break-ins.