Wednesday, 6 July 2016

Appeals Court: Using Shared Password to Steal Company Secrets is Hacking

A federal appeals court has affirmed the computer-hacking conviction of a former executive at a recruiting firm accused of using a shared password to steal headhunting leads from the company’s internal network after he left his job to launch a rival business.

The case decided Tuesday is the latest to throw a spotlight on the Computer Fraud and Abuse Act – the 1986 law outlawing "unauthorized access" to Internet-connected computers – and to question the statute’s scope.

Critics of the prosecution, including a dissenting appellate judge, said the conviction sets a precedent for criminalizing password sharing.

Reports Reuters:

The 9th U.S. Circuit Court of Appeals in San Francisco said David Nosal violated the Computer Fraud and Abuse Act in 2005 when he and two friends, who had also left Korn/Ferry, used an employee’s password to access the recruiting firm’s computers and obtain information to help start a new firm...

The defendant had by then been working as an independent contractor for Korn/Ferry. Nosal and his friends had previously had their own log-in credentials revoked.

In a 2-1 decision written by Judge M. Margaret McKeown, the majority held that Mr. Nosal acted "without authorization" in violation of the CFAA when he used login credentials shared by his assistant to gain access to the company’s network after his own credentials had been revoked.

Judge Stephen Reinhardt, who dissented from his colleagues on the panel, said he was troubled by the ruling’s implications:

People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals...

[The majority] loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.

Judge McKeown, in her opinion, said Judge Reinhardt was minimizing the cyber-security stakes, saying the circumstances at issue couldn’t be applied to innocuous scenarios, like "asking a spouse to log in to an email account to print a boarding pass."

Without such enforcement, she wrote, "an employee could willy nilly give out passwords to anyone outside the company—former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery."

The Ninth Circuit, looking at the same case in 2012, held that former colleagues who helped Mr. Nosal get the list of recruitment leads weren’t culpable under the hacking law.

While upholding his one-year sentence, the Ninth Circuit panel Tuesday said the more than $800,000 in restitution he was ordered to pay his old employer was unreasonable and asked a lower court to recalculate it. The judges took issue with the fact that about $600,000 of the restitution was reimbursement for attorneys' fees.

The appeals court also affirmed Mr. Nosal’s conviction of trade-secret theft in violation of the Economic Espionage Act. Mr. Nosal disputed that what he allegedly stole was valuable or secret enough to constitute a trade secret.

Mr. Nosal's attorney, Dennis Riordan, said he would ask the full Ninth Circuit to review the panel’s ruling, saying he's "confident that today’s opinion will not be the final word."

A spokesman for the San Francisco U.S. Attorney’s office declined to comment.

(Published by The Wall Street Journal - July 5, 2016)
