Sharing passwords on Netflix, HBO Go & Facebook would now be counted as a violation of the Computer Fraud and Abuse Act.
The Ninth Circuit Court of Appeals issued a ruling this week that officially considers sharing passwords counts as a violation of the Computer Fraud and Abuse Act (CFAA). Both Netflix and HBO Go passwords fall into this category. Also, if you are not careful, getting caught sharing these passwords could result in jail time.
This new law was set up as a catch-all for hacking has been widely used to prosecute behaviour that bears no resemblance to hacking. This ruling specifically references the case of David Nosal, a former employee of the International research firm Korn/Ferry, who used a co-worker’s password to access a computer after his access was revoked.
The decision is a nightmare scenario for civil liberties groups, who claim that such a broad interpretation of the CFAA means millions of Americans are violating the federal law every time they share account information in regards to sites such as Facebook, Spotify and the many other popular streaming services, which also include Amazon Prime and Hulu. Judge Stephen Reinhardt, who presided over this latest ruling noted the following.
“[This ruling] threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
Judge Margaret McKeown, who was in the majority vote, had this to say about the unprecedented ruling.
“Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.”
McKeown’s viewpoint is that the issue is not about password sharing per se, but that it’s about the one employee who had no authority from the firm to give her password to any former employees, which plays into the CFAA’s language that states it’s illegal to access a computer system “without authorization.” McKeown fully believes that phrasing is concrete and without wiggle room, according to Motherboard.
McKeown goes onto state the following.
“Without authorization [is] an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.”
The big question this raises is, ‘Who gives the authorization?’ While Nosal wasn’t granted authorization by Korn/Ferry to use the password, he was authorized the use of the password by the friend in charge of maintaining the password for security purposes. What the ruling declares in the long run is that we are no longer authorized to give a friend or loved one our Netflix or Facebook password. Only Netflix or Facebook as a company can specifically authorize who gets to use the password beyond the person who is assigned to the account. Once you share that password without getting an ok from the source company, you are in direct violation of breaking federal law.
However, Judge Stephen Reinhardt disagreed, who appears to be an authority on hacking. Reinhardt expressed concern that decision by the majority criminalizes all password-sharing, including giving out your parent’s Netflix password to your friends. In a dissenting opinion, he writes:
“This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.
“In the everyday situation that should concern us all, a friend or colleague accessing an account with a shared password would most certainly believe-and with good reason-that his access had been ‘authorized’ by the account holder who shared his password with him. The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”
He accused his colleagues’ decision “loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” After all, in their terms of service, Netflix and especially HBO Go say only subscribers should be streaming their content. It was also noted that each of the 50 states have their own, more narrow rules and laws when it comes to computer trespassing. It is Reinhardt’s belief that this particular case would have been better suited for civil, not criminal, proceedings.
This ruling in the long run is unlikely to affect anyone who is currently sharing their social media or streaming passwords, unless HBO and Netflix unexpectedly decide that they want to indict millions of their customers. At this point, neither company has made a move to do so. But an example has been set, and should get anyone thinking about sharing their password with a third party pause.