Password sharing is a crime if malicious intent is present

Jul 6, 2016 01:10 GMT

The California 9th Circuit Court of Appeals ruled yesterday that using a password willingly shared by someone else still constitutes a "hacking" offense in certain circumstances under the ancient Computer Fraud and Abuse Act (CFAA).

The court ruled on an appeal from a case that started in 2008, when David Nosal was charged with hacking offenses under the CFAA.

Nosal had specifically asked for access to his former company's network

According to the original indictment, Nosal, a former employee of Korn/Ferry, had left the company to create his own business.

After leaving the firm and having his access to the company's IT network revoked, Nosal asked his former secretary to provide him with her credentials to his former employer's network, which she did.

He did the same thing with two other Korn/Ferry employees and even promised them jobs at his new company.

Korn/Ferry discovered what Nosal had done and filed a complaint with authorities. In 2008, a criminal charge was brought forward, and in 2013, Nosal was found guilty after a jury trial.

In early 2014, a US district court sentenced Nosal to one year and one day in prison and ordered him to pay a fine of $60,000.

Nosal had malicious intent, judges say

Nosal filed an appeal, arguing that authorities had misinterpreted the CFAA and that he did not perform any actual hacking.

In a decision released today, the appeals court explains that the CFAA was put in place to prohibit and deter access without authorization, and not actual hacking acts.

Judge Reinhardt, one of the three judges who ruled on the case, said that this decision does not make criminals out of all the people who engage in password sharing, but only those who use such social engineering tricks to gain access to services for which their access rights were specifically revoked, as was the case with Nosal.