Is It Ever Okay to Share Passwords?
If you’ve ever let your kids sign into your Netflix or HBO Go account, or given your marketing department access to your Twitter feed, you may be committing a federal crime, depending on how the Ninth Circuit rules on a case argued before it just last month.
The case, United States v. Nosal, is the latest chapter in a series of cases in which federal prosecutors have used a thirty-year-old anti-hacking statute to turn seemingly routine business disputes into federal felony cases. The statute, known as the Computer Fraud and Abuse Act (CFAA), contains broad prohibitions on accessing a computer system “without authorization” or in a way that “exceeds authorized access.” Though intended to prevent malicious hacking and espionage, those prohibitions have repeatedly been applied to disgruntled former employees who logged back into company databases to access proprietary information after their termination and when their authorization to access those files had been revoked.
However, the Nosal case goes a step further, and a ruling in favor of the United States threatens to criminalize password sharing of all kinds. Nosal was an executive at the recruiting firm Korn Ferry International (KFI). After he left the firm, he obtained the help of several former colleagues to obtain protected KFI data to start a competing business. Although several of the charges against Nosal were thrown out in an earlier case, he was still prosecuted for accessing KFI files using his former assistant’s login information, which she had given him willingly.
According to prosecutors, Nosal’s former assistant was not authorized to give him access to KFI’s systems under the company’s computer usage policy, and so his use of that password was “without authorization” by the proper authorities. Upholding that argument could have a broad reach because so many password-protected services have prohibitions against password sharing in their user agreements, including Netflix, LinkedIn, Facebook, and HBO Go, to name a few. For that reason, a ruling that the CFAA prohibits password sharing when not authorized by these agreements could turn us all into criminals.
Following argument, this case is difficult to handicap. Although Judge McKeown seemed particularly concerned with the fact that Nosal clearly had engaged in wrongful conduct when he knew his authorization had been revoked, Chief Judge Thomas and Judge Reinhardt clearly recognized the scope of the issue at stake, and all three panel members were concerned by the government’s apparent lack of a limiting principle.
A ruling can be expected in the next few months. Until then, all we can do is hold our breath, and hope that the court ensures that the next time we share an account with the others in our household, we won’t end up living an episode ofOrange is the New Black instead of just watching it.