Three judges from the United States Court of Appeals for the Ninth Circuit issued a ruling this week that will affect everyone from whistleblowers to your ex who is still, somehow, using your Netflix password to watch Jessica Jones. The court ruled that sharing passwords is a criminal act.
The opinion is the latest round of United States v. Nosal, a case that’s been bouncing around the courts for almost a decade. The case concerns David Nosal, a headhunter who used to work for a firm called Korn/Ferry. Nosal left the job in 2004 and recruited former colleagues who used the password of a person still with the company to download information from Korn/Ferry’s database for use at the new firm. For that, Nosal was charged in 2008 with hacking under the Computer Fraud and Abuse Act (CFAA), a.k.a “the Worst Law in Technology.”
Several charges against Nosal were tossed out by a 2011 decision from a full panel of Ninth Circuit judges, which reversed an earlier decision and said that an employee couldn’t be charged for simply violating their employer’s computer use policy. Despite this, Nosal was convicted of remaining charges by a federal jury in 2013, and was later sentenced to one year and one day in prison.
The new Ninth Circuit decision was decided 2-1 in the government’s favor. Judge M. Margaret McKeown, in the majority, insists that Nosal and his co-conspirators “accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed” putting the case “squarely within the CFAA’s prohibition on access “without authorization.””
But Judge Stephen Reinhardt disagreed, and as Motherboard points out, appears to have a better sense of what constitutes hacking, the purported purpose of the CFAA. Reinhardt expressed concern that that decision by the majority criminalizes all password-sharing, including your giving out your parent’s Netflix password to your friends. In a dissenting opinion, he writes:
This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.
He accused his colleagues’ decision “loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” After all, in their terms of service, Netflix and especially HBO Go say only subscribers should be streaming their content. Via Forbes:
HBO Go’s TOS are strict; they say you must be a “subscriber with an account in good standing with an authorized distributor of HBO” to use the app. Netflix is far more lenient in its TOS recognizing that a “household” will share an account.Though it doesn’t define what a “household” means, it does say in all caps that its users can watch Netflix on six different devices, and stream shows on up to two of those devices at the same time.
For my money, Reinhardt is right (and nobody even knows my Netflix password). The way this opinion reads it’s possible that, if they wanted to, Netflix could go after users for sharing passwords unless they got explicit permission from the company.
Of course, a broader problem is that of course it’s not going to get used that way, unless there’s an ulterior reason. HBO Go and Netflix are unlikely to go after their customers for being too generous with their passwords. At least not in the near future.
But this is another case where an already overly broad, selectively-used CFAA will be read even more selectively and broadly. It allows the rule of law to be exercised vaguely, and at the discretion of private actors. That’s not the way the law should work.