By Siemny Kim, KIRO 7
By now you’ve probably seen that a new federal court ruling could make sharing passwords for subscription services, like Netflix and HBO GO, a federal crime.
The Ninth Circuit Court of Appeals issued the ruling last week. It had to do with a trade-secrets which found that sharing passwords are prosecutable under the Computer Fraud and Abuse Act (CFAA).
The case involved David Nosal, who left his company Korn/Ferry and used the password for an employee to access the company’s database. He was convicted of hacking charges in 2013 and sentenced to a year and one day in prison.
The appeals court upheld the conviction by 2-1.
Judge Stephen Reinhardt, wrote the dissenting opinion and said that the ruling jeopardizes password sharing for the general public.
If that’s the case, it could make users who share their passwords for streaming sites like Netflix and HBO GO considered criminals and open to federal prosecution.
KIRO 7 wanted to find out what it means for you at home. So anchor Siemny Kim turned to Mark Saku, a Seattle-based based intellectual property attorney who focuses on international intellectual property issues involving copyright and trademark law and the protection of intellectual property in the entertainment and new media industries.
1. What’s this ruling mean for me?
Saku: This ruling has a very specific fact-pattern that does not really relate to the lay-consumer of internet media. This case involves particular individuals that were involved in a conspiracy to remove confidential material from their former employers. However, this is still an important ruling that sheds a light on a serious law available to prosecute persons involved in circumventing unauthorized access to proprietary or government data.
2. Am I breaking the law if I share my password? Does it matter if we live in the same house, like family members who live in my household?
Saku: By itself, no. This is where the specific facts of a particular case matter. The Computer Fraud and Abuse Act (CFAA) and the Economic Espionage Act (EEA), are laws targeting the theft of trade secrets, government data and financial records. “The act was aimed at hackers who accessed computers to steal information or to disrupt or destroy computer functionality . . . .” pg. 12. Sharing your password with family or other household members to access material that you already have permission to access is not the type of conduct covered under this law. This case however does open the door to a debate about whether “authorized access” can be freely given. The majority in this case seems to believe that this decision rests with the system owner alone. Many, as the dissenting opinion does, would argue to the contrary.
3. What if I have their permission to use their account and password? Say, my best friend gave it to me?
Saku: Again, this really depends on the system you are accessing. If it’s your personal email account, its probably fine – but a proprietary work database, maybe not so much. And again, this depends on your permission levels and what you intend to do with the information, This case means particular trouble if you have had your access previously revoked and you try and circumvent those preventions.
4. Will companies like Netflix or HBO GO come after me?
Saku: This is not likely. Policing this conduct among users, especially within households is wholly impractical. I would suggest checking the sites Terms and Conditions to see if there is a specific reference to password sharing. If it is strictly forbidden, like the dissent references with Facebook, there is a technical violation that could warrant the suspension of access privileges. Again, we need to always keep in mind that the severity of conduct and intention of the parties involved. Giving my password to my sister to post her pictures of my trip to NY will not likely result in Facebook kicking me off their site.
5. If I get in trouble, will I get a warning or will I go to jail? What’s the likelihood the federal government will prosecute people for this?
Saku: The CFAA carries a fine and/or imprisonment of up to 20 years for multiple offenses. I cannot speak to the likelihood or methods of prosecution, but I don’t see the feds using this law to prosecute individuals for password sharing, save for other escalating factors.
6. When signing up for a subscription service like this, am I signing up for myself or my household?
Saku: I cannot answer this question based on the language of this ruling, as the case does not speak to whether innocuous “password sharing” is considered “authorization” under the CFAA or EEA. However, the majority does note in this case, that this defendant, had “no possible source of authorization,” which leads me to believe that subscription services for the household should fall outside the purview of the CFAA and EEA.
7. Should I stop sharing my password? Even with my grandma?
Saku: Again, I don’t think this case applies to password sharing. Here, I will include a quote from the majority opinion on page 23:
We are mindful of the examples noted in Nosal I—and reiterated by Nosal and various amici—that ill-defined terms may capture arguably innocuous conduct, such as password sharing among friends and family, inadvertently “mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Nosal I, 676 F.3d at 859. But the circumstance here — former employees whose computer access was categorically revoked and who surreptitiously
accessed data owned by their former employer — bears little resemblance to asking a spouse to log in to an email account to print a boarding pass. The charges at issue in this appeal do not stem from the ambiguous language of Nosal I…but instead relate to a common, unambiguous term. (here, the term being “without authorization”).
So I would still be cautious with password sharing, but this case seems to only apply to persons who have already had their access specifically revoked, and are continuing to circumvent their unauthorized access.