The California 9th Circuit Court of Appeals ruled yesterday that using a password willingly shared by someone else still constitutes a “hacking” offense in certain circumstances under the ancient Computer Fraud and Abuse Act (CFAA).
The court ruled on an appeal from a case that started in 2008 when David Nosal was charged with hacking offenses under the CFAA.
Nosal had specifically asked for access to his former company’s network
According to the original indictment, Nosal, a former employee of Korn/Ferry, had left the company to create his own business.
After leaving the firm and having his access to the company’s IT network revoked, Nosal had asked his former secretary to provide him with her credentials to his former employer’s network, which she did.
He did the same with two other Korn/Ferry employees and had even promised them jobs at his new company.
Korn/Ferry discovered what Nosal had done and filed a complaint with authorities. In 2008, a criminal charge was brought forward, and in 2013 Nosal was found guilty after a jury trial.
In early 2014, a US district court sentenced Nosal to one year and one day in prison and ordered him to pay a fine of $60,000.
Nosal had malicious intent, judges say
Nosal filed an appeal, arguing that authorities had misinterpreted the CFAA and that he did not perform any actual hacking.
In a decision released today, embedded below, the appeals court says that the CFAA was put in place to prohibit and deter access without authorization, and not actual hacking acts.
Judge Reinhardt, one of the three judges who ruled on the case, said that this decision does not make criminals out of all the people who engage in password sharing, but only of those who use such social engineering tricks to gain access to services to which their access rights were specifically revoked, as happened in Nosal’s case.