Chap fails to quash 'shared password' 'hacking' conviction

A man who used his colleagues' passwords to swipe confidential information from his employer has failed to overturn his computer hacking conviction. In a 2-1 decision [PDF] today, the California 9th Circuit Court of Appeals agreed with a lower court's judgment that David Nosal broke the Computer Fraud and Abuse Act (CFAA). In …

  1. Allan George Dyer
    Paris Hilton

    Hey, Judge Stephen Reinhardt...

    Can I share your bank card and PIN? Maybe it will help you learn how "harmless" this practice is.

    1. a_yank_lurker

      Re: Hey, Judge Stephen Reinhardt...

      The practice is actually stupid; particularly, sharing passwords with coworkers, family and friends is dim enough. The CFAA may be correct because most corporate policies I have seen do not allow workers to share their login credentials so he was an unauthorized user by definition.

      1. Mark 85

        Re: Hey, Judge Stephen Reinhardt...

        Usually, sharing passwords is a firing offense. If a user shares the password with a company support person, it's normally mandatory that they change the password when the session is over. But I think those days of techs getting the passwords are long gone in most places.

        Where I worked last, the user had to do the logins etc. A PITA many times when setting up a laptop in the shop and they had to be called in to log in frequently. Before this policy, we had a couple of techs fired for using the password during testing to go "snoop".

  2. Anonymous Coward

    Serious note ... vendor portals ?

    I know of at least one "enterprise level" software supplier who can only give one login ID for their support portal.

    Try managing that in an organisation spread across 6 sites.

    They (surprisingly, *not* a US outfit) "can't see what's wrong with it ?". Clearly their in-house software is far shitter than the CMS system they are flogging (which *does* allow multiple IDs to access content).

    1. Valeyard

      Re: Serious note ... vendor portals ?

      Yeah, the BT line test portal is the same, one generic password for all the call centres to use, it was useful when my line went down at home after I left, but I've forgotten it now, not that I remember it being too complex to guess

  3. Anonymous Coward

    > I know of at least one "enterprise level" software supplier who can only give one login ID for their support portal.

    That's different. If it's a role login, then the intention is that it is shared by authorized users.

    This article was about a *personal* login, tied to an individual, which had been revoked - so they circumvented it by using other people's logins.

    1. Anonymous Coward

      If it's a role login, then the intention is that it is shared by authorized users

      er, not on my watch ....

      One person=one login.

      Anything else is just storing up trouble when you have to dig through records of logins from 6 months ago, and have to tell the police "well, it could have been any one of ten people".

      Sharing logins is a Bad Idea, in *any* language.

      1. Jay 2

        Re: If it's a role login, then the intention is that it is shared by authorized users

        Agreed. Am getting a bit fed up of being asked to look through logs to see who did what (when no-one owns up), only to find it was a service account that many people use. More annoying is that it's something that we inherited from our parent company and are unable to change. Though elsewhere I do frequently manage to lock things down more than they have been due to security/compliance/audit reasons.

        That's probably the only time I'm thankful for the increased regulations nowadays, as I'm a paranoid sys admin who is convinced that there's always a small subset of users who will try and subvert whatever you've implemented as they can't be bothered to type their password or type a few extra characters.

  4. LosD

    I'm going to go with the dissenter here: As soon as it was willingly shared, it is "just" theft of confidential information.

    1. Don Dumb
      Facepalm

      Try again

      @LosD - "I'm going to go with the dissenter here: As soon as it was willingly shared, it is "just" theft of confidential information."

      It was NOT willingly shared by the organisation who owned the information and the computers that were infiltrated. In fact, it was specifically *against* their wishes as they had rules prohibiting the practice. That the employees were willing to share their logins does not constitute consent by the data owner.

      It was still unauthorised entry, regardless of how easy the employees (accomplices?) made it.

    2. Brewster's Angle Grinder Silver badge

      I guess the analogous situation is handing a key to someone you know to be a burglar.

    3. Doctor Syntax Silver badge

      "it was willingly shared"

      AFAICS it was not willingly shared by anyone authorised to share. Those who shared were also charged.

  5. BugabooSue

    The ever-increasing rigidity of The Law scares me...

    I can see what the Judge is getting at as to how this could set a precedent. On one hand, the password-sharing was done for nefarious reasons, and that needs to be punished. On the other, it could have drastic repercussions for non-nefarious sharing...

    We (most of us on here) are but Human, and when it comes to being pressured by an overbearing boss, spouse, moody teenagers, etc., quite a few of us will eventually buckle under the relentless onslaught. When/If we do share, we are likely to be on the hook for anything they get up to, like when you share an Internet connection with others for instance. Thankfully there are still a few sensible Judges out there - https://torrentfreak.com/judge-dismisses-movie-piracy-case-ip-address-doesnt-prove-anything-160627/

    Some people do/will share personal passwords no matter what the consequences. Full disclosure: I have shared a personal password, and probably will be stupid enough to do it again at some point.

    You can never be absolute when it comes to Justice, that's why Judges are given leeway in their sentencing, but the Precedent situation still scares the crud out of me - so much potential for misuse! At least one Judge seems cognisant of the down-side.

    1. Doctor Syntax Silver badge

      Re: The ever-increasing rigidity of The Law scares me...

      As the saying is, circumstances alter cases. If the sharing was contrary to the business's explicit rules then that's one circumstance. In the case of the overbearing boss that would be another - it would be quite reasonable to convict the boss and not the employee.

  6. This post has been deleted by its author

  7. Aodhhan

    Some judges are so ignorant...

    Judge Stephen Reinhardt is a technological idiot. Accounts and privileges provided to employees to access systems aren't owned by the employee, they are owned by the company. If an employee provides the keys to a building over to someone else and this person gains access with malicious intent, he will be prosecuted for trespassing among other things. So, why would turning over a password, as well as using another's password be any different?

    An employee isn't given permission to give access to an employer's assets (in this case, enterprise network) to another person.

    I'm sure if Judge Reinhardt's maid gave a copy of his house key to a friend, or even allowed the friend complete access to his property by opening the front door... he'd be rather upset.

    The 9th Circuit is infamous for its far left-sided decisions and often doesn't read the intent of the legislative law as written. Reinhardt only looked at the possibility of something which is out of the scope for this act, as well as attempting to change the law by adding a possibility. Something judges aren't supposed to do, but have started to do so with alarming frequency.

  8. Herby

    So when??

    Will they prosecute the malware floggers that make spambots of unwilling computer users? Seems like a good place to start!!

    Oops, The FBI doesn't look into computer misuse, they say it is "careless", not criminal.

  9. HunterofSnarks

    The right decision here, but some caution required as the CFAA is still ripe for abuse. For example, have you ever copied contact information from LinkedIn? You have technically violated the CFAA (at least if you are unfortunate enough to be in the US) because the LI terms of service say you cannot copy their data. See

    https://www.aclu.org/cases/sandvig-v-lynch-challenge-cfaa-prohibition-uncovering-racial-discrimination-online
