In May, I posted about “Estate Planning in the
Digital Age” and mentioned the practical limitations of shared
passwords as a means of digital estate planning. Recent cases suggest
that relying only on password sharing, even if it works, is risky, both for
family members and fiduciaries. Here’s why.
Trusts and estates lawyers
regularly represent fiduciaries (executors, trustees, conservators), agents and
family members who manage assets and pay bills for other people. These days,
that often involves using someone else’s password, with their permission, to
access an email or online account to obtain information necessary to handle
business for someone, terminate a social media account, or perform another
necessary task. If the information the fiduciary or family member accesses is
on the user’s own hard drive or device, the user’s permission is all that is
required.
Could you be committing a federal crime?
Unfortunately, if the
information the fiduciary needs is stored in an online account, the fiduciary
could be committing a federal crime when the fiduciary accesses the account
with the password. Why? Most terms of service agreements, or “TOSA’s,”
specify that passwords not be shared and that third parties not be allowed to
access a user’s account. Companies want to control the use of their
services and servers, and some of them frown upon what they view as the
impersonation of one of their users. Their TOSA’s reflect this by restricting
use and prohibiting shared access.
However, as we all know, almost no one
reads TOSA’s when setting up their online accounts. A recent university study illustrates this: when
researchers added provisions to a fake website’s TOSA disclosing that a user’s
data would be shared with the NSA and that the user’s firstborn child would be
taken as payment for using the site, 98% of the 543 unknowing users agreed.
The problem is that, on one reading, violating
a computer owner’s TOSA violates the federal anti-hacking law, the Computer Fraud
and Abuse Act, or CFAA, and its state counterparts, all of which are vaguely worded.
The CFAA both criminalizes, and creates a civil remedy for, unauthorized access to
computers and data: it penalizes anyone who obtains information from a “protected
computer,” a term that covers any computer used in interstate commerce or
communication. Courts have read that to include essentially any computer connected
to the internet, so internet use almost always implicates the CFAA. Unauthorized
access can be the use of a computer without any authorization at all, or use that
simply exceeds whatever authority the user has been given.
The computer owner who might
complain is not the account user that the fiduciary or family member is
assisting, who shared the account password: instead, it is the owner of the
computer service or account. That may be the user’s employer, or a company such
as Facebook that provides a computer service. Are these companies likely to
ask that a friend or family member be prosecuted for using a shared password? No.
So, what’s the concern?
Examples of TOSA Violation Prosecutions
Federal courts have recently
decided several cases involving prosecution for actions that technically
violate a company’s TOSA but which break no other laws. None of these
cases involved a simple TOSA violation (such as a shared password) without
additional unethical, and downright bad, behavior. The first set of TOSA
violation cases seemed to indicate that a mere TOSA violation did not violate
the CFAA. The most recent case, unfortunately, holds that a simple TOSA
violation does violate the CFAA, and therefore is a federal crime. As a
result, it is still not clear whether or not a violation of an online account
TOSA is a crime under the CFAA. A quick summary of the major CFAA
violation cases illustrates the problem.
The first case (“Nosal I”) was decided in 2012 by the
Ninth Circuit (which covers California, Arizona, Hawaii, Alaska and several other
western states) and involved an employee (Nosal) of an executive search firm who
left the firm to compete with it. He then convinced former coworkers who still
worked at the firm to use their own credentials to download information for him
from a confidential database on the firm’s computer system. The coworkers were
authorized to access the database, but not to disclose its contents to
non-employees such as Nosal.
Nosal was originally charged with aiding and abetting his
former coworkers in exceeding their authorized access when they violated the
employer’s computer use policy. The Ninth Circuit, sitting en banc, affirmed the
dismissal of those counts and ruled that the CFAA targets hacking, not misuse of
information obtained with permission, so that simply violating a use restriction
did not “exceed authorized access” under the CFAA. The court deliberately read the
CFAA narrowly to avoid criminalizing technical TOSA violations: “[W]e hold that
the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations
of use restrictions.”
The second case is a 2015 decision of the
Second Circuit Court of Appeals (which covers New York, Connecticut and Vermont),
involving a NYC police officer named Gilberto Valle (aka the “Cannibal
Cop”). Officer Valle was a charming fellow who used the NYPD’s computer
system to look up a high school friend, technically violating the NYPD’s
computer use policy. What drew the prosecution, however, was his use of the
information he obtained from the NYPD system in online chat rooms where he
discussed kidnapping and cannibalizing his old friend. He had not actually
threatened anyone in those chats. A jury convicted him of both a kidnapping
conspiracy and a CFAA violation; the trial judge then acquitted him of the
conspiracy charge but let the CFAA conviction stand, and both sides appealed.
The Court of Appeals upheld the conspiracy acquittal and reversed the CFAA
conviction, holding that the CFAA should be narrowly interpreted and could not
support a conviction for a mere violation of a computer use policy. So far, so
good, at least in parts of the Northeast.
Unfortunately, other recent
decisions have broadly interpreted the CFAA, and the CFAA decisions among the
various court circuits conflict. Back on the West Coast, in the Ninth
Circuit, the government ultimately re-indicted Nosal using a new theory.
This time, the prosecution argued that after Nosal and his colleagues left the
company, they had no underlying legal right to access the company’s computer
network at all. Because they lacked any legal rights to access the
network, their use of a sympathetic current employee’s login credentials
violated the CFAA’s ban on “access without authorization.” This theory
worked: Nosal was convicted, and thereafter a divided panel of appellate judges
upheld (by a 2-1 vote) his conviction in Nosal II. The majority decided that
Nosal could be convicted for accessing his former employer’s computer “without
authorization” because the employer had revoked his credentials.
(Remember, he
nevertheless used the system through and with the permission of a sympathetic,
still credentialed co-worker, so essentially they shared a password.) The
court’s reasoning is worrisome, because TOSA’s routinely prohibit password
sharing, and it can be difficult to know when access is prohibited by a TOSA,
since no one reads them.
Soon after Nosal II, the same court held in
a civil case, Facebook v. Vachani (the Power Ventures case), that a person who
keeps visiting a website after being expressly and directly told not to do so by
its owner also violates the CFAA. Facebook had sent Mr. Vachani’s company, Power
Ventures, a cease and desist letter demanding that it stop accessing Facebook’s
service in violation of its TOSA; the court held that by continuing to access the
service after receiving that letter, the company violated the CFAA. The decision
suggests that once a visitor is told by a website’s owner to stay off the site
and its servers, and visits anyhow, the visitor violates the CFAA.
Recently, the defendant in the
Power Ventures case asked the Ninth Circuit Court of Appeals to rehear the case
“en banc”, meaning by all of the judges instead of a panel of three of them.
The petition asks for rehearing to
clarify when “visiting a website is a crime” under the CFAA, and argues that
the Nosal II panel decision is irreconcilable with the “en banc” or full
court’s decision in Nosal I. The Petitioner is represented by one of the
leading CFAA experts in the country, Professor Orin Kerr of GWU Law School, as
co-counsel. Several advocacy groups have filed a supporting brief. The outcome of the
defendant’s petition has yet to be determined.
Password sharing paranoia? Maybe, or maybe
not. After all, a Deputy Chief of the Department of Justice Computer Crime and
Intellectual Property Section, Criminal Division, has testified before Congress that the
CFAA should allow criminal prosecution for a TOSA violation. To be sure,
he claimed that “[t]he DOJ is in no way interested in bringing cases against the
people who lie about their age on a dating site or anything of the sort. We
don’t have time or resources to do that.” The problem is that if
prosecutors are permitted to charge defendants for TOSA violations under the
CFAA, then it’s a crime to violate a TOSA, including the parts we have never
read.
Otherwise law-abiding family
members and fiduciaries probably don’t need to worry about criminal prosecution
for sharing e-mail and other account passwords. However, because it is
difficult for professional fiduciaries to completely avoid business disputes
and customer complaints, this is more than a theoretical concern for banks with
trust departments. Until the federal courts sort out their views on the CFAA,
the possibility remains of civil or criminal prosecution when a fiduciary’s
conduct is questioned and the complaining customer discovers a TOSA violation.