Though there are likely to be future decisions that limit the ramifications of this one, a three-judge panel on the 9th Circuit Court of Appeals last week ruled that without specific authorization from a company, sharing personal passwords that access that company's information is now a federal crime. The case, United States v. Nosal, which as Fusion says has "been bouncing around the courts for almost a decade," goes back to the prosecution of a former employee of the Korn/Ferry International research firm who with a couple of other co-conspirators launched his own executive search firm by illegally accessing his former company's database using a current employee's credentials. Civil liberties advocates have leapt on the case over the years as one that directly criminalizing password sharing, though the circumstances here appear to have more to do with an employer's right to keep private data secure from all but authorized users.
At issue is the case's use of the much maligned "hacker law," the Computer Fraud and Abuse Act (CFAA), which the New Yorker referred to in 2013 as the "worst law in technology" because of the ways in which it's been invoked to prosecute people who are not hackers.
In writing the majority opinion in this appeal, as Motherboard points out, Judge Margaret McKeown says, "This appeal is not about password sharing," focusing on how defendant David Nosal was no longer authorized to access his employer's system, so he gained access through another employee's password.
The question remains, if he was given authorization by that employee, this makes both of them culpable, and more broadly, anyone who shares a password with anyone else without a content provider's permission.
Writing his dissent, Judge Stephen Reinhardt argues:
This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.
Unfortunately, the language of the CFAA, written in 1996, is open to wide interpretation when it comes to accessing a "protected computer" system "without authorization," and the law itself is an amendment to a law that originally written in 1986, and which previously only made it an offense to hack into a "federal interest computer."
Reinhardt writes that we must reign in "the government’s boundless interpretation of the CFAA," saying that as it stands, "There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing." And he says this case should have more appropriately been tried in civil court, not in a criminal one.
Netflix, for their part, has maintained a pretty consumer-friendly view on password sharing, however, as TechCrunch reminds us by way of stopping this new panic. Though CEO Reed Hastings has mostly only spoken of parents sharing passwords with children who then leave home and open accounts of their own, he made statements earlier this year suggesting that sharing passwords was seen by the company as more of a marketing tool than anything.
That position, of course, could change, now that a crackdown could come with the warning that what you're doing when you let your roommate catch up on House of Cards while on vacation is now officially a crime.