Last week the U.S. Ninth Circuit Court of Appeals issued an opinion that an employee acted “without authorization” when he used a former co-worker’s login (with their permission) to gain access to “computer data owned by the former employer.” This led to the court upholding a decision that the employee violated the Computer Fraud and Abuse Act (CFAA), a federal law traditionally used to prevent computer-related fraud.
Facts and context matter
Judge McKeown, who wrote the majority opinion, acknowledged that this ruling could turn innocent conduct like “password sharing among friends and family” into a federal crime.
However, she also said that the circumstances in the case bear “little resemblance” to more innocent forms of password sharing — like sharing a Netflix password, or giving your friend your Gmail password so they could download a document. Judge McKeown added that “the reality is that facts and context matter in applying the term ‘without authorization.’”
Essentially, the court did agree that password sharing (in this specific case) violated federal law, but empowered future courts to consider the “facts and context” when determining if password sharing violates the CFAA.
However, one of the judges on the court was slightly more concerned with the precedent it would set. In the opening paragraph of his dissent below, Judge Reinhardt explained the potential repercussions of the court’s decision:
This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA. — Judge Stephen Reinhardt, Ninth Circuit Court of Appeals
Clearly, Judge Reinhardt is concerned that this decision could open up the possibility that friends sharing Netflix or HBO GO passwords could be committing a federal crime. He continues, noting that his fellow judges claim that they do not have to address the effect of their decision on the wider population because Nosal’s infelicitous conduct “bears little resemblance” to everyday password sharing.
Continuing on, Reinhardt concludes that the majority decision from the two other judges “does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners.”
What does it mean for you?
According to this ruling, it seems that anyone sharing a password “without authorization” could potentially be convicted of violating the CFAA.
That being said, don’t expect the FBI to come knocking next time you stream on your boyfriend’s account. There remains some vagueness in what “without authorization” means. While providers like Netflix and HBO GO officially say that logins shouldn’t be shared, some, including Netflix, have publicly stated that account sharing is OK, a statement that would presumably kill any “without authorization” argument if for some reason someone was prosecuted for sharing their Netflix account.
Plus, this assumes that the government or a company would prosecute or sue a user for sharing passwords in the first place. The odds that you would face any legal repercussions right now for password sharing are extremely slim, especially because entertainment providers have taken a laissez-faire approach to password-sharing enforcement.
That being said, a small possibility remains that down the line one company may want to make an example out of someone, similar to how a select few individuals were sued for pirating music. But until that happens, it’s safe to assume that you won’t find yourself in a federal court for giving your girlfriend your HBO GO login.