When is it a crime — punishable with time behind bars — for citizens to access a company's database with someone else's password? For years, the U.S. Court of Appeals for the 9th Circuit has wrestled with that question. This month, a three-judge panel ruled that under a 1986 federal law, using other people's work passwords with their permission, but not their employers' authorization, could land you in prison.
The Computer Fraud and Abuse Act, Judge Margaret McKeown wrote, "does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals." In a dissenting opinion, Judge Stephen Reinhardt submitted that if the court does not overturn the conviction of headhunter David Nosal for using other employees to tap into his former firm's database, then the federal government will have criminalized a practice used by spouses and friends everywhere.
Why should you care? Legal fellow Jamie Lee Williams of the Electronic Frontier Foundation believes the ruling "is so broad it could apply to all types of password sharing." McKeown would counter that the conviction is based on specific behavior expressly prohibited. Nosal deliberately used others to siphon information from his old perch, San Francisco recruiting giant Korn/Ferry.
"We're not here to defend the conduct," is what defense attorney Dennis Riordan told me he told jurors in opening remarks. Whatever they think of Nosal's behavior, "it's not a crime."
The feds used the act, which was written to deal with hackers, to punish someone for a practice common in modern families. If you trust the government not to go overboard, there's no problem there. But this whole story reeks of prosecutorial overreach. The government began looking at this case in 2005. It's like a Moby Dick quest to bag a catfish.
When I first read about this case, my initial reaction was: Why is the government even charging Nosal with a crime? Isn't this the sort of dispute that is the stuff of civil lawsuits, with legal teams charging the other side of engaging in civil torts or wrongdoing?
If Nosal did break contractual obligations or computer-use policies, let Korn/Ferry's corporate attorneys squeeze him dry. But now, if the conviction is upheld, Nosal will have to serve his one-year-and-one-day sentence in federal prison, followed by three years of supervised release. He also would have to pay $828,000 in restitution to Korn/Ferry.
In his dissent, Reinhardt stipulated he found Nosal's conduct "unscrupulous." I usually disagree with the very left-leaning Reinhardt, but here I share his distrust of the methods used to put this case in the hands of federal lawmen.
Korn/Ferry brought on ex-FBI agents to tail employees suspected of helping Nosal. The firm also hired "a leading international corporate law firm consisting of over 600 lawyers, O'Melveny and Myers."
An O'Melveny attorney who had worked in the U.S. attorney's office referred the case to her former colleagues: "Undertaking such third-party financed cases which a U.S. Attorney might not have prosecuted otherwise gives the appearance of well-financed business interests obtaining the services of the prosecutorial branch of government to accomplish their own private purposes" — a luxury most small businesses cannot afford.
Call it crony crime fighting. And then try to trust the federal government not to overreach when people get cute with passwords.
Photo credit: Matthias Ripp