Subscribe to DSC Newsletter

Password Sharing Is a Federal Crime, Appeals Court Rules

This article was written by Jason Koebler.

Sharing your Netflix or HBO password technically violates one of America's worst tech laws, the Ninth Circuit has ruled.

One of the nation's most powerful appeals courts ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking.

In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an "unauthorized" use of a computer system under the CFAA.

The decision is a nightmare scenario for civil liberties groups, who say that such a broad interpretation of the CFAA means that millions of Americans are unwittingly violating federal law by sharing accounts on things like Netflix, HBO, Spotify, and Facebook. Stephen Reinhardt, the dissenting judge in the case, noted that the decision "threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens."

In the majority opinion, Judge Margaret McKeown wrote that "Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing." She then went on to describe a thoroughly run-of-the-mill password sharing scenario—her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend—that happens millions of times daily in the United States, leaving little doubt about the thrust of the case.

The argument McKeown made is that the employee who shared the password with Nosal "had no authority from Korn/Ferry to provide her password to former employees."

At issue is language in the CFAA that makes it illegal to access a computer system "without authorization." McKeown said that "without authorization" is "an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission." The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who? 

To read the original article click here.

DSC Resources

Views: 1103

Comment

You need to be a member of Data Science Central to add comments!

Join Data Science Central

Comment by Richard Fowler on April 2, 2018 at 4:58am

I was hoping to read something new about this case.  It was decided back in June 2016.  The Supreme Court decided to deny the appeal in October 2017, so the lower court decision stands.  I guess it's a good reminder, but let's focus on newer stories in the future.

Videos

  • Add Videos
  • View All

© 2019   Data Science Central ®   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service