Don’t Pass Go: How Password Sharing Sent Someone to Jail

By: Francis Cullo

Over the summer, the Ninth Circuit handed down an opinion in United States v. Nosal that generated several fear-mongering headlines. At first blush, the Ninth Circuit seemed to outlaw a common digital practice—password sharing. But are you really committing a federal crime if you use someone else’s password when you Netflix and chill?

The short answer is no. So what produced this flurry of headlines?

The Ninth Circuit wrestles with password sharing.

In United States v. Nosal, the Ninth Circuit issued an opinion finding that an employee acted “without authorization” when he requested and used a former co-worker’s login despite having that co-worker’s permission. David Nosal was charged under the federal Computer Fraud and Abuse Act (CFAA). The CFAA is an anti-hacking statute. It creates a private right of action, allowing both private individuals and businesses to sue and recover damages when someone “intentionally accesses a computer without authorization or exceeds authorized access.”

In 2004, Nosal was a bigwig in Silicon Valley when he left his employer to start a rival executive recruiting company. Two other employees from his former employer joined him a year later at his new firm. After joining Nosal’s new company, these employees convinced a friend still employed at the old firm to give them access to a database containing a list of names of top executives in Silicon Valley. In legal terms, Nosal was accessing trade secrets.

On appeal, the government had to show that Nosal acted “without authorization” or “exceed[ed] authorized access” when he accessed this database with the employee’s password. While the fact pattern in Nosal looks very different than the common practice of friends and family sharing an HBOGo account, there is a concern that this common behavior could be implicated as courts wrestle with how to interpret the “without authorization” requirement. Judge M. Margaret McKeown acknowledged this fear in the majority opinion, stating that the “ill-defined terms” of the act could capture “password sharing among friends and family.” Judge McKeown was careful to confine the decision to Nosal’s particular fact pattern. She cautioned that the facts in Nosal were not similar enough to password sharing between friends and family to warrant an exception to the CFAA. Even still, Judge Stephen Reinhardt strongly dissented on the basis of the ubiquity of the practice of password sharing. While he acknowledged that Nosal’s conduct could violate trade secret law, he argued that it was a mistake to indict him under the CFAA. He highlights that the majority opinion is missing a “workable line” to distinguish between the password sharing in Nosal and the consensual password sharing that millions of account holders do every day.

The CFAA does not meet our digital reality.

Amended nine times since it was enacted in 1984, the CFAA certainly has its critics. Professor Tim Wu of Columbia Law School called the CFAA “the worst law in technology.” Famously, in 2011 Aaron Swartz was accused of violating the CFAA by downloading millions of articles from JSTOR, an online database. Swartz committed suicide during the lengthy legal battle. His suicide galvanized the tech industry to propose reforms to the CFAA with Aaron’s Law, which as of yet has not passed Congress.

Ultimately, the law does not align with how people live their digital lives. The law was designed to protect against computer hacking. In actuality, using someone’s password to a website does not constitute hacking (even if people misuse the word hacking all the time on Facebook).

Furthermore, the “without authorization” language provides only some murky guidance to courts and computer users alike.

First, it does not acknowledge the ubiquity of password sharing for both business and personal use. My family shares passwords for our Netflix and Hulu accounts, and we certainly aren’t unique. Millions of people share passwords. In fact, survey research found that users are more likely to share business passwords than personal ones. Nosal continues to muddy the difference between how the court looks at passwords and the way people design and use passwords.

Second, content creators, who actively create and publish original media content online, are not necessarily against the practice of password sharing. In a 2014 interview with Buzzfeed, HBO CEO Richard Plepler said he was in the business of “creating addicts,” and password sharing was a “terrific marketing vehicle” for hooking new viewers on his hit shows like Game of Thrones.

Where do we go from here?

So if the CFAA was meant to protect against hacking, consumers are going to do it anyway, and content creators don’t seem to mind—what was the decision in Nosal for?

Well, for one, Nosal certainly acted in bad faith. He didn’t borrow his friend’s password to stream the second season of Narcos. He used a former co-worker’s password to access his competitor’s trade secrets and to gain a competitive edge in the industry. But, in an effort to indict him, prosecutors misconstrued the purposes of the CFAA and the Ninth Circuit over-interpreted its reach. Instead, the Court could have relied on intellectual property law and indicted Nosal solely on the trade secrets claim. Moving forward, Congress should work to redefine the CFAA’s “without authorization” language to better conform the statute to consumer expectations and data privacy concerns.

Until then, you should still be safe to Netflix and chill despite this Ninth Circuit ruling. Binge on.