A federal court has ruled that sharing your Netflix password – in fact, sharing any password, is a federal crime under the Computer Fraud and Abuse Act (CFAA).
No, we’re not joking.
According to a report from Fortune, the decision, by the U.S. Ninth Circuit Court of Appeals, found in part that sharing of passwords is a prosecutable offense. And while the ruling isn’t directly related to streaming services or online services in general, it absolutely will be able to be applied to them.
The decision comes, as Fusion reports, as part of the ongoing United States v. David Nosal case. An employee at executive search firm Korn/Ferry International, Nosal left the company in 2004 after being denied promotion. After leaving, he recruited other former coworkers for a new headhunting firm he was setting up – and using the password of someone still employed by Korn/Ferry International, downloaded a significant amount of “highly confidential and proprietary” information from their database to help give his new venture a leg up – including source lists, names, and contact information for executives.
Fast-forward to June 26, 2008, when Nosal and his three colleagues were indicted by the federal government under the CFAA, the government alleging that they “knowingly and with intent to defraud” violated the Act (which is sometimes better known as “The Worst Law In Technology”.)
In 2011, a full panel of Ninth Circuit judges threw out some of the charges, concluding that an individual couldn’t be charged under federal law for simply violating their employer’s computer use policies, but Nosal was still convicted of the remaining charges by a full jury in 2013 and sentenced to serve a year and a day in prison.
The new decision passed the Ninth Circuit Court 2-1 in the government’s favor, with Judge M. Margaret McKeown stating that the conspirators “accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed,” making it “squarely within the CFAA’s prohibition on access ‘without authorization.'”
Fellow Judge (and sole dissenter) Stephen Reinhardt disagreed, pointing out the potential for abuse of the decision.
“This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”
“[This decision] loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
Unfortunately, the decision passed against Reinhardt’s wishes and appears to have done exactly what he was afraid of – made millions into unwitting federal criminals.
Of course, as Fusion also notes, Netflix probably isn’t about to go making criminal complaints against their customers under the CFAA for using their services. But the worrying part is that the Act can be used that way at all. It has already been accused of being much too broad and far-reaching, written into law at a time when no lawmakers really understood “computer fraud and abuse” at all (and many still don’t) – the CFAA was enacted in 1986, and hasn’t been amended an awful lot since.
Whatever ends up happening, this case would seem to highlight the fact that it’s definitely time for an overhaul of the CFAA – and how woefully unprepared many sitting judges are for the legal issues of the information age.
[Photo by Pascal Le Segretain/Getty Images]