Using a Colleague’s Willingly Shared Password To Be Considered “Hacking” in the United States
Countries come up with quaint rules all the time. Especially for Internet. If you have read this article, you will know what I am talking about. Continuing the legacy of quaint rules, a judge of United States has ruled that you will be considered a ‘hacker’ if you use a Wi-Fi password willingly shared by your colleague.
This absurd ruling was made by a judge from California 9th Circuit Court of Appeals yesterday. The Judge ruled that if a person uses a password willingly shared by someone else, it still constitutes a “hacking” offense in certain circumstances. The judge was interpreting law in accordance with the antiquated CFAA (Computer Fraud and Abuse Act) law.
This quaint judgement came in a case from 2008 where the accused, David Nosal was charged with hacking offenses under the CFAA. According to the original indictment of 2008, Nosal, a former employee of Korn/Ferry, had left the company to create his own business. After leaving the firm and having his access to the company’s IT network revoked, Nosal asked his former secretary to provide him with her credentials to his former employer’s network, which she did. He also did the same thing with two other Korn/Ferry employees and even promised them jobs at his new company.
Korn/Ferry found out about Nosal’s misdemeanors with company credentials and filed a police complaint. In 2008, a criminal charge was brought forward, and in 2013, Nosal was found guilty after a jury trial. In early 2014, a US district court sentenced Nosal for one year and one day prison sentence, along with paying a fine of $60,000.
Nosal filed an appeal and the matter came up for hearing yesterday. Nosal argued through his lawyers that the misinterpreted CFAA as he did not perform any actual hacking of Korn/Ferry computers.
In a decision released today, the appeals court explains that the CFAA was put in place to prohibit and deter access without authorization, and not actual hacking acts.
Writing for a 2-1 majority, Circuit Judge Margaret McKeown said Nosal acted “without authorization” even though the employee, his former secretary, had voluntarily provided her password. Circuit Judge Stephen Reinhardt dissented with the popular verdict. He said the majority’s reasoning could cover the sharing of passwords to devices such as smartphones, laptops and iPads, and transform “millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”