You may have seen it on Facebook or from other media outlet saying that a “new law” has just made sharing your Netflix password a federal crime.
There is no new law. However, a federal appeals court ruling has lawyers debating whether an interpretation of the Computer Fraud and Abuse Act (CFAA) will have a impact on future court cases dealing with passwords and access.
The Ninth Circuit Court of Appeals found that David Nosal violated the CFAA in a 2-1 ruling in the case of United States v. Nosal. Nosal, a former employee of an executive recruiting firm, used the password of a current employee, with her permission, to access a company database. This occurred after the company revoked Nosal’s login credentials to prevent him from accessing the database.
From this decision, a number of articles reported that a new law or ruling made sharing Netflix passwords a federal crime. Most of these articles cited the opinion of the dissenting judge, Stephen Reinhardt.
Judge Reinhardt wrote:
“This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.”
However, Circuit Judge M. Margaret McKeown with Chief Judge Sidney R. Thomas called this line of thinking “hypotheticals about the dire consequences of criminalizing password sharing.”
In the majority opinion, Judge McKeown wrote:
“Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company’s internal computer-use policies. The conduct at issue is that of Nosal and his co-conspirators, which is covered by the plain language of the statute. Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access. This access falls squarely within the CFAA’s prohibition on access “without authorization,” and thus we affirm Nosal’s conviction for violations of § 1030(a)(4) of the CFAA.”
According to the Electronic Frontier Foundation, the problem is CFAA and the definition of “unauthorized access” to a computer. The EFF believes that the ruling gives the power to grant access to the owner of the computer and not the account holder. The EFF believes that this interpretation of the CFAA prevents people from giving access to their accounts to systems like Netflix, HBO GO, Hulu, etc. without the authorization of the company that owns the system.
This does not mean that sharing your Netflix password is now a federal crime. It does mean that one of the judges and advocacy groups believe that the ruling may impact future cases.
Judge McKeown attempts to clarify the scope of their ruling:
“We are mindful of the examples noted in Nosal I — and reiterated by Nosal and various amici — that ill-defined terms may capture arguably innocuous conduct, such as password sharing among friends and family, inadvertently “mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Nosal I, 676 F.3d at 859. But the circumstance here — former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer — bears little resemblance to asking a spouse to log in to an email account to print a boarding pass. The charges at issue in this appeal do not stem from the ambiguous language of Nosal I — “exceeds authorized access” — but instead relate to a common, unambiguous term. The reality is that facts and context matter in applying the term “without authorization.””
You may wonder what does Netflix and HBO think about password sharing. Back in January 16, 2014, HBO Chairman and Chief Executive Richard Piepler toldBuzzfeed password sharing wasn’t encouraged, but they saw it as a “terrific marketing vehicle for the next generation of viewers.” Netflix CEO Reed Hastings took it a step further earlier this year at the Consumer Electronics Show saying that he saw people sharing their Netflix accounts as a positive thing.
“We love people sharing Netflix. That’s a positive thing, not a negative thing.” CEO Reed Hastings
Of course in both cases they were talking about friends and family.
Just don’t share your passwords in Tennessee. In 2011, their state passed a law that made it a crime for anyone other than account holders to log into services like Netflix, Hulu Plus, Rdio, or Rhapsody.