Digital Rights Groups Blast Ruling That Could Criminalize Password Sharing

Digital rights groups are asking a federal appellate court to reconsider its recent ruling that the defunct aggregation service Power Ventures violated a federal hacking law by accessing Facebook's site.

The decision has "far-reaching consequences," including that it could result in the criminal prosecution of users for password-sharing and other common online activity, the ACLU and Electronic Frontier Foundation write in papers filed late last week with the 9th Circuit Court of Appeals.

The ruling, issued last month by a three-judge panel of the 9th Circuit, stems from a 2008 lawsuit by Facebook against Power Ventures.

Power aggregated data from different social networking sites, enabling people with accounts through MySpace, LinkedIn, Twitter and other services to access all of their information from one portal. To accomplish this, Power asked users to provide log-in information for their social networking sites and then imported people's information.

In late 2008, Facebook sent a letter to Power demanding that it cease and desist accessing the site. Power allegedly continued to draw on the passwords that users had provided in order to access their information.

The appeals court ruled last month that Power violated the Computer Fraud and Abuse Act by continuing to access Facebook after receiving the cease-and-desist letter. That law, which provides for private lawsuits as well as criminal penalties, prohibits anyone from accessing computers without authorization.

"Facebook’s cease and desist letter informed Power that it had violated Facebook’s terms of use and demanded that Power stop soliciting Facebook users’ information, using Facebook content, or otherwise interacting with Facebook through automated scripts," the appellate panel wrote. "The record shows unequivocally that Power knew that it no longer had authorization to access Facebook’s computers, but continued to do so anyway."

Power recently asked the appellate court to reconsider that ruling. The EFF and ACLU are backing that request.

Those organizations say Power never "broke into" Facebook's computers, because users voluntarily gave their passwords to Power.

"Power’s access came from Facebook users whose valid accounts allowed them access to Facebook. Because these users wanted to more easily manage multiple social media accounts, they employed the services of a social media aggregator, Power," the digital rights groups write. "Importantly, Facebook never did the one thing that would have enforced its terms of service on Power: it never revoked the login credentials of any of the Facebook/Power users."

The groups add that the decision is written so broadly that it could result in liability for activity like password-sharing.

"At root, the panel fails to tie its decision back to any alleged computer break-in, losing sight of the CFAA’s intended purpose," the organizations argue. "In so doing, the decision threatens to turn innocent Internet users into criminals on the basis of password sharing -- something that individuals across the country do every day."
