Who Authorizes Access? Is Tech Support Potentially Criminal?
Unfortunately, the Computer Fraud and Abuse Act (CFAA) provides ample room for judicial ambiguity and abuse. A recent ruling by the US Ninth Circuit depended upon the concept of "unauthorized access", which is not well defined in the CFAA.
At issue in this case is that a former employee, whose access had been revoked, used the credentials of a current employee who did have access to retrieve information from a database. The credentials were not stolen or hacked: the employee with access freely gave their working credentials (username and password) to the former employee, who then used them to access the database.
The Ninth Circuit ruled that system users, such as the employee, cannot transfer or grant access rights to others. Instead, that permission must come from the system owner. So, even with legitimate credentials, an individual is violating access rights if they have not specifically been given that permission by the system owner.
In this case, the ruling may not seem like a significant deal. The guy did malicious things with the access: he transferred trade secrets for his personal use. The problem is that the same situation is hardly uncommon outside of criminal conduct.
Consider what occurs when a person calls upon tech support, whether that is family, a friend, or a professional. The tech support technician often needs to interact with the malfunctioning system. When that malfunctioning system is your own computer or device, you are the system owner. However, when the malfunctioning system is a third-party or cloud system, you are merely a system user. So, if a user needs assistance with their Gmail, Office 365, or Pandora account, they generally have the technician troubleshoot the issue by granting the technician access to their account.
With the Ninth Circuit's ruling, the legality of this is in question. If a user can no longer authorize access for others, then those actions become "unauthorized access" under the Ninth Circuit's reading.
Helpful individuals, such as Lauren Weinstein, who provide a lot of long-distance tech support may find themselves outside the law when the help concerns cloud services or other situations where a third party owns the system, since the client cannot authorize access.
Perhaps the defining demarcation should be the scope of the access. In this case, the access was to a company-wide database, which, in my opinion, should require system owner permission. In the case of tech support, however, the scope of access is generally limited to a single user's own data, and where only that user's data is involved, it seems prudent to let them decide who may access it. For perspective, this is the difference between allowing someone access to the entire mail server (the former) versus a single mailbox (the latter).
I am not a lawyer, so do not take my opinion as legally sound. I am merely considering the possible issues with restricting the power to grant access to the system owner, and the ambiguity that creates.
For more updates, follow the Electronic Frontier Foundation.