A new federal court ruling could make sharing your passwords for subscription services -- covering everything from Netflix to HBO GO -- a federal crime punishable by prison time, according to a judge who opposed the decision.
The ruling, issued by the Ninth Circuit Court of Appeals last week, pertained to a trade-secrets case and found that certain instances of sharing passwords are prosecutable under the Computer Fraud and Abuse Act (CFAA) – legislation predominantly concerned with hacking.
The case involved David Nosal, a headhunter who left his former company Korn/Ferry and then used the password of an employee to access the company’s database and use that information at his new firm. According to Fusion, the defendant was convicted of hacking charges in 2013 and sentenced to one year and one day in prison. The appeals court upheld the conviction by 2-1.
“This access falls squarely within the CFAA’s prohibition on access 'without authorization,' and thus we affirm Nosal’s conviction for violations of ... the CFAA,” Judge M. Margaret McKeown said in the opinion.
However, Judge Stephen Reinhardt, writing in his dissent, argued that the case was not about hacking but password sharing. Consequently, he argued, the ruling jeopardizes password sharing for the general public.
“[The ruling] loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens,” he wrote.
“The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing,” he argued.
If Reinhardt is right, it could make users of popular streaming sites like HBO GO and Netflix who share their passwords in breach of the CPAA -- and open to federal prosecution.
McKeown disagreed with Reinhardt’s interpretation, saying the conduct in the case was very different from password sharing, and pointed to the specifics of the case.
“Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case,” she wrote.
"Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed," she said.