Netflix users beware: a federal appeals court ruled last week that sharing passwords to a company’s website violates federal law.
The United States Court of Appeals for the Ninth Circuit ruled last week in favor of the government’s use of the Computer Fraud and Abuse Act (CFAA) to put away David Nosal, a headhunter who left his job at the firm Korn/Ferry to start his own firm. After leaving, Nosal persuaded a former co-worker still employed by Korn/Ferry to share his login credentials for a database he used for research without the firm’s permission.
When CFAA was first enacted in 1984, it was a relatively narrow piece of legislation aimed to stop hackers from stealing credit card numbers or other valuable information from companies, but now the government has been using it as a catch-all to punish anyone who is using the Internet to do bad (or not so bad) things.
As Tim Wu explained in an article for The New Yorker, CFAA is vague as hell. It “bans ‘unauthorized access’ of computers,” which apparently the Ninth Circuit has determined includes sharing passwords.
Yet Judge Margaret McKeown, who ruled in favor of the government’s use of the CFAA to prosecute Nosal, wrote for the majority that “unauthorized access” was “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.”
McKeown goes on to explain that by ruling in favor of the government, the court isn’t trying to criminalize password sharing — they’re merely punishing Nosal and his friends for using a “back door” (the former co-worker’s login info) to access a database they were denied access to after leaving the firm.
Her opinion leaves a lot of questions unanswered, such as: what is the difference between what Nosal and his backstabbing colleagues did and what my family does with our Amazon Prime subscription?
In his dissenting opinion, Judge Stephen Reinhardt pointed out the trouble of ambiguous phrases like “unauthorized access” is that it could be interpreted to criminalize the actions of millions of Americans who might share their Netflix passwords.
The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.
The ruling seems to establish some vaguely worded precedent that could open the door for government to prosecute behavior that may be ethically questionable, but is certainly non-criminal. While it’s unlikely the Department of Justice will start going after people who share access with others to their HBO GO accounts, it does open a door for the government to make normal things illegal, which is a scary thing indeed.