On Tuesday, the Supreme Court let stand the novel hacking conviction of a man who did not hack a computer to gain unauthorized access.
The justices, without comment, turned away the appeal of David Nosal, who was convicted of three counts under the Computer Fraud and Abuse Act (CFAA) hacking statute.
Nosal’s conviction was based on a hacking conspiracy of sorts.
According to court documents, Nosal used to work at an executive search firm called Korn/Ferry. After quitting Korn/Ferry, Nosal urged a former colleague to give up her credentials to two other Korn/Ferry employees who were cooperating with Nosal. At Nosal’s urging, they downloaded proprietary Korn/Ferry information to help the trio start a competing firm. As his punishment for the conspiracy, Nosal was sentenced to a year in prison. He appealed and said the hacking statute did not apply to him.
In seeking the high court’s intervention, Nosal’s attorneys said (PDF) the San Francisco-based 9th US Circuit Court of Appeals’ approval of the conviction was problematic.
The 9th Circuit’s decision exposes a broad range of innocuous, day-to-day activity to criminal prosecution. If a computer’s owner has exclusive discretion to grant or revoke authorization, a person could violate the statute any time he logged in to a computer in violation of the owner’s policies or terms of service. Take, for example, a person who uses his spouse’s password to log into the family’s online banking account to pay a bill. Or an assistant who logs into an executive’s email account to print out a presentation. If the banking and email services prohibit password-sharing, the 9th Circuit’s reasoning would transform these quotidian acts into violations of the CFAA, punishable by a fine and up to a year in prison, even if the users had no criminal intent.
The hacking section at issue here is the one that punishes whoever “knowingly, and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access.”
The government, in urging the court to let Nosal’s convictions stand, said that Nosal and his co-conspirators broke the law.
“The court of appeals correctly determined that petitioner and his co-conspirators accessed Korn/Ferry’s computer system ‘without authorization’ within the meaning of 18 U.S.C. 1030 when they used someone else’s credentials to access that system after their own permission to access it had been specifically rescinded,” the government argued. (PDF)
The government suggested that Nosal’s counsel was being too dramatic when explaining the consequences of Nosal’s conviction.
Most of petitioner’s hypotheticals posit that a computer accountholder in the first instance shared the login credentials for his or her personal online account with a third party, and the third party then used those credentials to access the account with the accountholder’s permission but in violation of the relevant website’s terms of service. Nothing in the opinion below suggests that those fact patterns are CFAA violations…
The Electronic Frontier Foundation, in urging the Supreme Court to hear Nosal’s appeal, said the conviction “threatens to turn millions of ordinary computer users into criminals.”