Archive for the ‘Computer Fraud and Abuse (CFAA)’ Category

Using A Shared Password Is A Crime (9th Circuit, U.S. v. Nosal) Full Text of Opinion

Tuesday, July 5th, 2016

U.S. appeals court rejects challenge to anti-hacking law by Jonathan Stempel.

From the post:

A divided federal appeals court on Tuesday gave the U.S. Department of Justice broad leeway to police password theft under a 1984 anti-hacking law, upholding the conviction of a former Korn/Ferry International executive for stealing confidential client data.

The 9th U.S. Circuit Court of Appeals in San Francisco said David Nosal violated the Computer Fraud and Abuse Act in 2005 when he and two friends, who had also left Korn/Ferry, used an employee’s password to access the recruiting firm’s computers and obtain information to help start a new firm.

Writing for a 2-1 majority, Circuit Judge Margaret McKeown said Nosal acted “without authorization” even though the employee, his former secretary, had voluntarily provided her password.

The full text of the decision (plus dissent) in U.S. v. Nosal, No. 14-10037.

This case has a long history, which I won’t try to summarize now.

Avoiding Imperial (Computer Fraud and Abuse Act (CFAA)) Entanglement – Identification

Monday, May 30th, 2016

FBI raids dental software researcher who discovered private patient data on public server by Dissent Doe.

Dissent Doe summarizes the facts of this case saying:

…Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it “without authorization” and should be charged criminally under CFAA.

Take these recent events with Shafer as an incentive to read up on the Andrew “weev” Auernheimer proceedings (reversed on venue grounds on appeal).

Non-lawyers may enjoy United States v. Auernheimer, and Why I Am Representing Auernheimer Pro Bono on Appeal Before the Third Circuit by Orin Kerr more than the legal briefs.

The legal briefs in Auernheimer are linked at the bottom of this post.

The briefs run five hundred and thirty-nine (539) pages.

That’s five hundred and thirty-nine (539) pages researched, written, edited and polished, all while Auernheimer was in jail.

While reading Orin’s much shorter account and/or the briefs, keep this question in mind:

What pre-condition must exist for the Auernheimer case?

There is one, and while obvious, it is often assumed.

I like reading briefs, chasing down references, etc., but unlike Auernheimer, I’m not sitting in jail, hoping that the appeals court will rule in my favor.

That’s a big difference to keep in mind when debating “great issues.” Some in the debate have more “skin in the game” than others.

I fully agree the poorly written and even more poorly applied Computer Fraud and Abuse Act (CFAA) should be reformed. Dissent Doe mentions a number of supporters for such reform in her post.

However, lots of things should be true but aren’t:

  • Robert Mugabe should no longer hold political power anywhere. So long as we are wishing, Mugabe should live long enough to pay for his many crimes. (A very long time.)
  • War criminals named in the Iraq Inquiry report should be extradited from their home countries and face war crimes tribunals in the Hague. This report is due out 6 July 2016.
  • Military spending in every country should be reduced to equal that of Laos.

You may have a different list of “things that should be true,” but aren’t.

While the Computer Fraud and Abuse Act (CFAA) should be re-written and sanely applied, it hasn’t been.

Accepting that, the question becomes how to avoid being snared by it.

Here’s a visual analogy for Shafer and Patterson/FBI:

[Image: nail analogy]

Can you guess which of the things depicted in this image is Shafer and which is the Patterson/FBI?

The precondition for the Auernheimer case?

A nail that can be distinguished from all the other nails.

Knowing there are lots of nails doesn’t result in any search or arrest warrants. Having a nail you can point to does.

You may feel like (as I do) that’s unfair, the law should be different (sane), etc. Cf. my list and your lists of things that should be true.

I freely admit the cause of intellectual freedom can use martyrs, and if you want to be one, test the limits of the Computer Fraud and Abuse Act (CFAA), etc., be my guest.

On the other hand, being free to land body blows (legal ones of course) on corrupt and inept government agencies, their agents and masters, serves the cause of intellectual freedom as well.

Dissent Doe captures where I think Shafer went wrong:

Shafer discovered the exposed patient data at the beginning of February and contacted DataBreaches.net to request help with the notification and responsible disclosure. Both DataBreaches.net and Shafer began attempting to notify Patterson and clients whose unencrypted patient information had been exposed for an unknown period of time. Over the next few days, we emailed or called Patterson; Timberlea Dental Clinic in Alberta, Canada; Dr. M Stemalschuk in Canada; Massachusetts General Hospital Dental Group; and Dr. Rob McCanon.

Only after Shafer determined that the patient data had been secured did he and DataBreaches.net disclose the incident publicly. As reported on DataBreaches.net, Shafer found that 22,000 patients had had their unencrypted sensitive health information at risk of access by others. It is not clear how long the publicly accessible FTP server was available, and Patterson Dental did not answer the questions DataBreaches.net asked of it on the matter. Shafer told the Daily Dot, however, that the FTP server had been unsecured for years. In an email statement, he wrote (typos corrected):

“Many IT guys in the dental industry know that the Patterson FTP site has been unsecured for many years. I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at Eaglesoft\Patterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous. I think around 2010.”

Shafer was waving a red flag to mark his location with “hit me” hand painted on the flag.

The result, so far, you know.

Even if the case goes no further, some other PR hungry Assistant United States Attorney (AUSA) could snatch someone else up for equally specious reasons.

If they wave a red flag with “hit me” hand painted on it.

The first step to avoiding entanglement in the Computer Fraud and Abuse Act (CFAA) is to not be identified with any of the acts that the EFF summarizes as:

There are seven types of criminal activity enumerated in the CFAA: obtaining national security information, compromising confidentiality, trespassing in a government computer, accessing to defraud and obtain value, damaging a computer or information, trafficking in passwords, and threatening to damage a computer. Attempts to commit these crimes are also criminally punishable.

If you are not identified with any acts arguably covered by the Computer Fraud and Abuse Act (CFAA), your odds of being arrested for such acts are greatly diminished.

Take the present facts. It is clearly insane to claim that access to public data is ever unauthorized.

Multiple Choice Question:

Who is in jail as a result of: an insane view of the law + complaining witness + AUSA = warrant for your arrest?

A. The AUSA?

B. The complaining witness?

C. You?

If, by accessing a server (it doesn’t matter whether public, private, or arguable), you discover medical records, then, without revealing your identity, notify plaintiffs’ attorneys in the legal jurisdictions where the patients live or where the potential defendants are located.

If that seems to lack the “bang” of public shaming, consider that setting plaintiffs’ lawyers on them makes terriers hunting rats look quite tame. (Not for the faint of heart.)

You accomplish your goal of darkening the day for some N number of wrong-doers, increasing (perhaps) the protection offered patients, at a greatly diminished risk. A diminished risk that enables you to continue to do good deeds.

There are no, repeat no, legal systems that give a shit if you and all of your friends on social media think it is “unfair.” I may well agree with you, but with entanglement in any legal system, even if you “win,” you have lost. Time, money, stress, etc.

Non-identification, however you accomplish that, is one step towards avoiding such entanglements.

Think of non-identification as the red team side of topic maps. The blue team tries to identify subjects while the red team attempts to avoid identification. A number of practical and theoretical issues ensue.

Auernheimer Legal Briefs

Auernheimer’s (Appellant) Initial Brief

Amicus Curiae Brief of Security Researchers Supporting Appellant

Amicus Curiae Brief of Mozilla Foundation, Computer Scientists, and Privacy Experts in Support of Appellant and Reversal

Brief of Amicus Curiae Digital Media Law Project in Support of Defendant-Appellant

Amicus Curiae Brief of National Association of Criminal Defense Lawyers in Support of Appellant

Addendum of National Association of Criminal Defense Lawyers

Government’s Auernheimer Answering Brief

Auernheimer’s Reply Brief

Auernheimer’s Amended Reply Brief