ast week, a federal appeals court issued a ruling that has been widely reported to imply that sharing your password for Netflix of HBO Go is a federal crime that could get you locked up in federal prison. However, looking at the actual case involved in this ruling, it’s more than a bit of a stretch to apply this decision to the common practice of sharing login info.
In USA v David Nosal [PDF], the defendant was accused of violating the Computer Fraud and Abuse Act for using ill-obtained login credentials to access data stored on computers owned by his former employer.
To the majority of the three-judge appeals panel, it’s a pretty clear-cut manner. The CFAA imposes criminal penalties on anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization.” The defendant, Mr. Nosal, had his access to these computers revoked and then used someone else’s login info to access data he had no right to obtain.
“[O]nce authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party,” explains the appeals panel. “Unequivocal revocation of computer access closes both the front door and the back door.”
This is actually the second time that the Ninth Circuit has reviewed questions about the CFAA and its application to this case. In 2012, the court ruled [PDF] that the former co-workers who aided Nosal by accessing and downloading proprietary data for him were not in violation of the CFAA because they had not accessed the computer without authorization.
Those employees were in violation of the company’s policies, and possibly of other laws, but that’s different from accessing the computer without authorization.
Think of it like this: If I break into a Burger King to steal a pallet of hamburger buns, that’s not just theft, but also breaking and entering. If an employee at the BK, while on the job, takes that pallet of buns outside for me to take, they did not have to break and enter to commit their crime.
The case before the Ninth Circuit this time involved the use of another employee’s credentials to illegally access the former employer’s computers.
“This appeal is not about password sharing,” notes the majority. “Nor is it about violating a company’s internal computer-use policies. The conduct at issue is that of Nosal and his co-conspirators, which is covered by the plain language of the statute.”
The panel found that Nosal “knowingly and with intent to defraud” his former employer “blatantly circumvented the affirmative revocation of his computer system access.”
In spite of the majority’s assertion that this ruling is “not about password sharing,” the lone dissenting judge argued in his response to that this case is indeed “about password sharing.”
“People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it,” writes Judge Stephen Reinhardt in his dissent. “In my view, the [CFAA] does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.”
Pointing to the previous Nosal decision in 2012, Reinhardt notes that the Ninth Circuit — and two subsequent federal appeals courts — had “emphatically refused to turn violations of use restrictions imposed by employers or websites into crimes under the CFAA.”
Reinhardt says the panel’s application of the CFAA in this case “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
He contends that the CFAA, which was created in the pre-internet era to combat the then-new problem of computer hacking, isn’t about violations as simple as passing off your password to another person.
In his view, the employee whose credentials were used had authorized access to the computer network. Thus, using her login info — with her permission — to access the computer was not a violation of the CFAA.
“The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders,” writes Reinhardt, “which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”
In response to the dissent, the majority contends that Reinhardt is wrongfully transferring the employee’s network access authority to the co-conspirators. Viewing authority in that light “would render meaningless the concept of authorization” writes the majority, and “would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.”
Under Reinhardt’s approach, argues the majority, “an employee could willy nilly give out passwords to anyone outside the company — former employees whose access had been revoked, competitors, industrious hackers, or bank robbers who find it less risky and more convenient to access accounts via the Internet rather than through armed robbery.”
The majority concludes that the circumstances of the Nosal case “bears little resemblance to asking a spouse to log in to an email account to print a boarding pass… The reality is that facts and context matter in applying the term ‘without authorization.’”
While Reinhardt’s dissent contends that the ruling opens the door to more generous applications of CFAA prosecutions, a dissent does not create precedent. His argument against possible future uses of the law don’t mean that sharing your Netflix account password is a federal crime.
As the L.A. Times’ Jessica Roy points out, sharing services like HBO Go/Now and Netflix have acknowledged that some of their users share login information. Even if they could push for criminal charges against these people, it would likely be bad for business; you don’t want paying subscribers worried that they could go to jail because their deadbeat brother-in-law swiped the password to binge-watch Bojack Horseman.