Don’t Pass Go: How Password Sharing Sent Someone to Jail
October 31, 2016Archives . Authors . Blog News . Feature . Feature Img . Recent Stories ArticleBy: Francis Cullo
Over the summer, the Ninth Circuit handed down an opinion in United States v. Nosal that generated several fear-mongering headlines. At first blush, the Ninth Circuit seemed to outlaw a common digital practice—password sharing. But are you really committing a federal crime if you use someone else’s password when you Netflix and chill?
The short answer is no. So what produced this flurry of headlines?
The Ninth Circuit wrestles with password sharing.
In United States v. Nosal the Ninth Circuit issued an opinion finding that an employee acted “without authorization” when he requested and used a former co-worker’s login despite having that co-worker’s permission. David Nosal was charged under the federal Computer Fraud and Abuse Act (CFAA). The CFAA is an anti-hacking statute. It creates a private right to action, allowing both private individuals and businesses to sue and recover damages when someone “intentionally accesses a computer without authorization or exceeds authorized access.”
In 2004, Nosal was a big-wig in Silicon Valley when he left his employer to start a rival executive recruiting company. Two other employees from his former employer joined him a year later at his new firm. After joining Nosal’s new company these employees convinced a friend still employed at the old firm to give them access to a database containing a list of names of top executives in Silicon Valley. In legal terms, Nosal was accessing trade secrets.
On appeal, the government had to show that Nosal acted “without authorization” or “exceed[ed] authorized access” when he accessed this database with the employee’s password. While the fact pattern in Nosal looks very different than the common practice of friends and family sharing an HBOGo account, there is a concern that this common behavior could be implicated as courts wrestle with how to interpret the “without authorization” requirement. Judge M. Margaret McKeown acknowledged this fear in the majority opinion stating “ill-defined terms” of the act could capture “password sharing among friends and family.” Judge McKeown was careful to couch the decision to Nosal’s particular fact pattern. She cautioned that the facts in Nosal were not similar enough to password sharing between friends and family to warrant an exception to the CFAA. Even still, Judge Stephen Reinhardt strongly dissented on the basis of the ubiquity of the practice of password sharing. While he acknowledged that Nosal’s conduct could violate trade secret law it was a mistake to indict him under the CFAA. He highlights that the majority opinion is missing a “workable line” that to distinguish between the password sharing in Nosal and consensual password sharing that millions of account holders do everyday.
The CFAA does not meet our digital reality.
Amended nine times since it was enacted in 1984, the CFAA certainly has its critics. Professor Tim Wu of Columbia Law School called the CFAA “the worst law in technology.” Famously, in 2011 Aaron Schwartz was accused of violating the CFAA by downloading millions of articles from JSTOR, an online database. Schwartz committed suicide during the lengthy legal battle. His suicide galvanized the tech industry to propose reforms to the CFAA with Aaron’s Law, which as of yet has not passed Congress.
Ultimately, the law does not align with how people live their digital lives. The law was designed to protect against computer hacking. In actuality using someone’s password for to a website does not constitute hacking (even if people misuse the word hacking all the time on Facebook).
Furthermore, the “without authorization” language provides only some murky guidance to courts and computer users alike.
First, it does not acknowledge the ubiquity of password sharing for both business and personal use. My family shares passwords for our Netflix and Hulu accounts, and we certainly aren’t unique. Millions of people share passwords. In fact, survey research found that users are more likely to share business passwords than personal ones. Nosal continues to muddy the difference between how the court looks at passwords and the way people design and use passwords.
Second, content creators, who actively create and publish original media content online, are not necessarily against the practice of password sharing. In a 2014 interview with Buzzfeed, HBO CEO Richard Plepler said he was in the business of “creating addicts,” and password sharing was a “terrific marketing vehicle” for hooking new viewers on his hit shows like Game of Thrones.
Where do we go from here?
So if the CFAA was meant to protect against hacking, consumers are going to do it anyway, and content creators don’t seem to mind—what was the decision in Nosal for?
Well, for one Nosal certainly acted in bad faith. He didn’t borrow his friend’s password to stream the second season of Narcos. He used a former co-worker’s password to access his competitor’s trade secrets and to gain a competitive edge in the industry. But, in an effort to indict him, prosecutors misconstrued the purposes of the CFAA and the Ninth Circuit over-interpreted its reach. Instead, the Court could have relied on intellectual property law and indicted Nosal solely on the trade secrets claim. Moving forward, Congress should work to redefine the CFAA’s “without authorization” language to better conform the statute to consumer expectations and data privacy concerns.
Until then, you should still be safe to Netflix and chill despite this Ninth Circuit ruling. Binge on.
You may also like
- April 2024
- March 2024
- February 2024
- November 2023
- October 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- November 2022
- October 2022
- May 2022
- April 2022
- March 2022
- February 2022
- January 2022
- December 2021
- November 2021
- October 2021
- May 2021
- April 2021
- March 2021
- February 2021
- January 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- April 2020
- March 2020
- February 2020
- January 2020
- November 2019
- October 2019
- September 2019
- April 2019
- February 2019
- December 2018
- November 2018
- October 2018
- September 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- May 2017
- April 2017
- March 2017
- February 2017
- December 2016
- November 2016
- October 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- August 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- June 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- April 2011
- March 2011
- November 2010
- October 2010
- September 2010