Thursday, August 25, 2016

Password (Sharing) Risks Persist for Fiduciaries and Family Members


In May, I posted about “Estate Planning in the Digital Age” and mentioned the practical limitations of shared passwords as a means of digital estate planning.  Recent cases suggest that relying only on password sharing, even if it works, is risky, both for family members and fiduciaries. Here’s why.

Trusts and estates lawyers regularly represent fiduciaries (executors, trustees, conservators), agents and family members who manage assets and pay bills for other people. These days, that often involves using someone else’s password, with their permission, to access an email or online account to obtain information necessary to handle business for someone, terminate a social media account, or perform another necessary task. If the information the fiduciary or family member accesses is on the user’s own hard drive or device, the user’s permission is all that is required.

Could you be committing a federal crime?

Unfortunately, if the information the fiduciary needs is stored in an online account, the fiduciary could be committing a federal crime by accessing the account with the shared password. Why? Most terms of service agreements, or “TOSAs,” specify that passwords are not to be shared and that third parties are not to be allowed to access a user’s account. Companies want to control the use of their services and servers, and some of them frown upon what they view as the impersonation of one of their users. Their TOSAs reflect this by restricting use and prohibiting shared access.

However, as we all know, almost no one reads TOSAs when setting up their online accounts. A recent university study illustrates this: when researchers added provisions to a fake website’s TOSA disclosing that a user’s data would be shared with the NSA and that the user’s firstborn child would be taken as payment for using the site, 98% of the 543 unknowing users agreed.

The problem is that violating a computer owner’s TOSA may technically violate federal and state anti-hacking laws, namely the federal Computer Fraud and Abuse Act (CFAA) and its state counterparts, which are quite vague. These statutes both criminalize and provide civil remedies for unauthorized access to computers and data, penalizing those who obtain information from a “protected computer,” a term that covers any computer used in or affecting interstate commerce. Since nearly every internet-connected server qualifies (and most are located in a different state than the account user in any event), internet use almost always implicates the CFAA. Unauthorized access can be use of a computer without any authorization at all, or use that simply exceeds whatever authorization the user has been given.

The computer owner who might complain is not the account user that the fiduciary or family member is assisting, who shared the account password: instead, it is the owner of the computer service or account. That may be the user’s employer, or a company such as Facebook that provides a computer service. Are these companies likely to ask that a friend or family member be prosecuted for using a shared password? No. So, what’s the concern?
Examples of TOSA Violation Prosecutions
Federal courts have recently decided several cases involving prosecution for actions that technically violate a company’s TOSA but which break no other laws. None of these cases involved a simple TOSA violation (such as a shared password) without additional unethical, and downright bad, behavior. The first set of TOSA violation cases seemed to indicate that a mere TOSA violation did not violate the CFAA. The most recent decisions, unfortunately, hold that using someone else’s credentials after the computer owner has revoked (or never granted) one’s own permission violates the CFAA even when the credential holder consents, and that reasoning could sweep in ordinary password sharing, which most TOSAs prohibit. As a result, it is still not clear whether or not a violation of an online account TOSA is a crime under the CFAA. A quick summary of the major CFAA violation cases illustrates the problem.

The first case (“Nosal I”) was a 2012 en banc decision of the Ninth Circuit (which covers California, Arizona, Hawaii, Alaska and other western states) involving an employee (Nosal) of an executive search firm who left the firm to compete with it. He then convinced his former coworkers to use their computer system credentials to download information for him from a confidential database on the former employer’s computer system. The coworkers were authorized to access the former employer’s database, but not to disclose its contents to non-employees, such as Nosal.

Nosal was originally charged with aiding and abetting his former coworkers, who exceeded [their] authorized access when they violated the employer’s computer TOSA. The Ninth Circuit dismissed those counts of the indictment and ruled that the CFAA targeted hacking, not misusing information obtained with permission, so that simply violating the TOSA did not “exceed authorized access” under the CFAA. Thus, the court narrowly interpreted the CFAA to avoid criminalizing technical TOSA violations: “[W]e hold that the phrase ‘exceeds authorized access’ in the CFAA does not extend to violations of use restrictions.”

The second case is a 2015 one from the Second Circuit Court of Appeals (which covers New York, Connecticut and Vermont), involving a NYC police officer named Gilberto Valle (aka the “Cannibal Cop”). Officer Valle was a charming fellow who accessed the NYPD’s computer system to search for a high school friend, technically violating the NYPD’s computer use policy. He was charged under the CFAA for that database search, and with kidnapping conspiracy because he used the information he obtained from the NYPD computer system in online chat rooms where he discussed kidnapping and cannibalizing his old friend. He had not actually threatened anyone in those chats. A jury convicted him on both counts; the trial judge then set aside the kidnapping conspiracy conviction but let the CFAA conviction stand, and both sides appealed. The Court of Appeals affirmed the acquittal and reversed the CFAA conviction, holding that the CFAA should be narrowly interpreted and could not support a conviction for a mere violation of a computer use policy. So far, so good, at least in parts of the Northeast.

Unfortunately, other recent decisions have broadly interpreted the CFAA, and the circuits’ CFAA decisions conflict. Back on the West Coast, in the Ninth Circuit, the government ultimately pressed on against Nosal using a new theory. This time, the prosecution argued that after Nosal and his colleagues left the company, they had no underlying legal right to access the company’s computer network at all. Because they lacked any legal right to access the network, their use of a sympathetic current employee’s login credentials violated the CFAA’s ban on “access without authorization.” This theory worked: Nosal was convicted, and thereafter a divided panel of appellate judges upheld (by a 2-1 vote) his conviction in Nosal II. The majority decided that Nosal could be convicted for accessing his former employer’s computer “without authorization” because the employer had revoked his credentials.

(Remember, he nevertheless used the system through and with the permission of a sympathetic, still-credentialed co-worker, so essentially they shared a password.) The court’s reasoning is worrisome, because TOSAs routinely prohibit password sharing and it can be difficult to know when access is prohibited by a TOSA, since no one reads them.

Soon after deciding this second Nosal decision broadly construing the CFAA, the same court held in a civil case that a person who visits a website after being expressly and directly told not to do so by its owner also violates the CFAA. In that case, called Facebook v. Vachani, the court held that after Facebook sent Mr. Vachani’s company, Power Ventures, a cease and desist letter demanding that it stop accessing Facebook’s service and violating its TOSA by doing so, the company violated the CFAA by continuing to access Facebook’s service. The decision suggests that once a visitor is told by the site’s owner to stay off the website and the owner’s servers, and it does so anyhow, the visitor violates the CFAA.

Recently, the defendant in the Power Ventures case asked the Ninth Circuit Court of Appeals to rehear the case “en banc,” meaning by all of the judges instead of a panel of three of them. The petition asks for rehearing to clarify when “visiting a website is a crime” under the CFAA, and argues that the Nosal II panel decision is irreconcilable with the “en banc” or full court’s decision in Nosal I. The petitioner is represented by one of the leading CFAA experts in the country, Professor Orin Kerr of GWU Law School, as co-counsel. Several advocacy groups have filed a supporting brief. The outcome of the defendant’s petition has yet to be determined.

Password sharing paranoia? Maybe, or maybe not. After all, a Deputy Chief of the Department of Justice Computer Crime and Intellectual Property Section, Criminal Division, has testified before Congress that the CFAA should allow criminal prosecution for a TOSA violation. To be sure, he claimed that “[t]he DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don’t have time or resources to do that.” The problem is that if prosecutors are permitted to charge defendants for TOSA violations under the CFAA, then it’s a crime to violate a TOSA, including the parts we have never read.

Otherwise law-abiding family members and fiduciaries probably don’t need to worry about criminal prosecution for sharing e-mail and other account passwords. However, because it is difficult for professional fiduciaries to completely avoid business disputes and customer complaints, this is more than a theoretical concern for banks with trust departments. Until the federal courts sort out their views on the CFAA, the possibility remains of civil liability or criminal prosecution when a fiduciary’s conduct is questioned and the complaining customer discovers a TOSA violation.
