When hundreds of thousands of people gleefully shared Kanye West’s absurdly easy-to-guess iPhone password after he entered it in front of cameras while visiting the White House — 000000, literally the easiest six-digit password to guess — they probably weren’t worried about cops knocking on their door.
But while the odds are extremely low that the government would ever prosecute any of them, the nature of the US’s primary hacking law, the Computer Fraud and Abuse Act, means that publicly sharing someone’s password without their permission could be considered a federal crime.
One of the many ways of violating the CFAA — which carries a maximum prison sentence of 10 years in prison per charge — is if someone “knowingly and with intent to defraud traffics in any password or similar information through which a computer may be accessed without authorization.”
“As a matter of intuitive, fundamental concepts of justice, we don’t think of those things that could be innocently shared but potentially lead to 10 years in prison,” Fred Jennings, a Brooklyn attorney who specializes in CFAA cases, told BuzzFeed News. “They probably would not prosecute something this absurd, but they have the ability to. Which means when something as factually absurd crosses some prosecutor’s desk, you’re at their mercy.”
Passed into law in 1986 after President Ronald Reagan watched the 1983 movie WarGames and demanded new legislation to keep hackers from triggering World War III, and only tangentially updated since then, the CFAA has long been criticized as being written so broadly that it gives the government the authority to prosecute computer activity as it sees fit.
One of the most infamous examples is Reddit cofounder Aaron Swartz, who in 2011 was charged with 11 CFAA violations after downloading articles from JSTOR, an academic library, to make them public. Fearing a decades-long sentence, Swartz hanged himself.
The best protection for the hundreds of thousands of people who tweeted and retweeted Kanye’s password is the phrase “intent to defraud,” given that most people on Twitter were clearly trying to mock West, and weren’t openly advising people close to the rapper to grab his phone and log in.
But still, Jennings said, intent to defraud is extremely easy for a prosecutor to charge, even if it’s hard to convict.
“You don’t need a clear, written statement saying ‘Yes, my intent is to extract money from this individual whose password I’m selling.’ You can infer it from facts and circumstances. As a practical matter, those are almost always taken in a pick-and-choose sense, in the worst possible context,” Jennings said.