Shared passwords and the Computer Fraud and Abuse Act

|The Volokh Conspiracy |


Next week, a panel of the Ninth Circuit Court of Appeals (Thomas, Reinhardt, and McKeown) will hear oral argument in the second round of United States v. Nosal. This time around, the main question in the case is whether and when accessing an account using a shared password is an unauthorized access under the Computer Fraud and Abuse Act. A second question is how to interpret Nosal I, the en banc decision from 2012, and in particular whether it required circumventing a technical access barrier. You can read all the briefs in the case here.

For reasons I explained in this post in May, I think Nosal I does require circumventing a technical access barrier—and that for reasons I explained in this law review article, that should be a requirement of violating the CFAA.

My forthcoming article, Norms of Computer Trespass, offers some thoughts on how to deal with the shared password problem. This part of the article is still tentative as I'm still somewhat undecided on it. Here's what the current draft says:

When the computer owner limits access to accounts, a valid account is required to access the site. Authorization to use the account should hinge on whether there is a valid path of delegation from owner to valid account holder to the third party who is given the login credentials. The key issue is whether the access by the third party non-account holder is within the zone of authorization granted by the account holder. And that in turn rests on a difficult question: What norms identify that zone of authorization? Do Terms of Use define that zone? Or something else?

The answer, in my view, is that an agency test best distinguishes authorized use of a shared account from unauthorized use of a shared account. When the valid account holder gives login credentials to a third party, access by the third party is authorized when the third party acts as the agent of the account holder. On the other hand, access by a third party should be deemed unauthorized when the third party acts outside the scope of the agency. When passwords are shared, agents are authorized but nonagents are not.

An agency test accurately reflects the underlying delegation of authority. If the account holder shares a user name and password with an agent, and the agent accesses the account on the account holder's behalf, the agent is acting in the place of the account holder. The agent should have the same authorization rights as the account holder. On the other hand, a third party who uses a password in pursuit of his own ends stands in the same place as a third party who has guessed or stolen the password.

This approach would then place a lot of emphasis on mental state—the requirement that any unauthorized access be intentional:

The [intentional] mental state requirement is particularly important in cases that involved shared passwords. If A shares a password with B, B's access is without authorization when B is acting outside the agency of A. At the same time, B's access is intentionally without authorization only if B knows or hopes of facts that would bring his access outside the agency of A. In many cases, B may not know how A uses the account, how often, or for what. B's state of mind about whether he is outside the agency relationship element may sharply limit his liability.

For example, imagine Ann gives Bob her Netflix username and password and tells Bob to feel free to use Ann's account. Bob then uses Ann's account as if it was his own. Whether Bob's use of Ann's account is outside the agency relationship is itself a murky question: General permission to use the account whenever Bob likes implies a broad or even perhaps limitless authorization. But that murkiness aside, Bob can't be criminally liable for accessing Ann's account unless he knows or hopes that his acts are outside Ann's authorization. In the usual case, Bob would lack an intent to access the account without authorization.

As I said, this is tentative. One thing I'm unsure of is whether it should make a difference if the account holder is merely a paying customer who has paid to access a service. In the case of the Netflix example, for example, it seems a little weird to think of Bob as "hacking in" to the account. Bob may be guilty of theft of service, but it seems odd to say that he is committing a computer trespass. After all, the account holder, Ann, has given Bob permission. But I'm not entirely sure what implications I should be drawing from my these instincts about what 'seems a little weird.' Is the idea that the test isn't really agency but something else? Access within the scope of agency seems lawful, but I'm less sure about when access beyond the agency relationship should be. Or maybe these should count as trespasses, but cases like access to a Netflix account are so trivial that they are de minimis offenses unlikely to be prosecuted?

I'm not sure. Tricky issues, I think.

The Fourth Circuit had a recent case that raised similar issues, United States v. Rich, but the Fourth Circuit affirmed the conviction in July without reaching them. Hopefully I'll settle my own thoughts before my draft is due at the law review in a few weeks. And hopefully the Ninth Circuit will have some good answers, too.