It looks like bad news for most of us.
Last week, the U.S. Ninth Circuit Court of Appeals ruled password sharing is a crime — leading to mass panic from everyone who has either shared or freeloaded off of someone else’s Netflix account. (So, everyone).
The decision came after David Nosal, a former employee of the executive search firm Korn/Ferry International, used another employee’s login information to continue using a company research database after he resigned from his job.
Nosal was using the data to launch his own competing firm, and was charged with violating the Computer Fraud and Abuse Act (CFAA) clause that prohibits anyone from accessing a protected computer without authorization.
Although this sounds pretty straightforward, the 30-year-old law has been criticized numerous times for its ambiguity, and has resulted in the criminalization of many minor offenses over the years, such as violating “Terms of Service” agreements.
In his analysis of the case, law professor Orin Kerr argued that when someone shares a password with a third-party, it should be legal for that person to use that password — as long as they act in accordance with the best interests of the account holder.
“An agency test accurately reflects the underlying delegation of authority,” he said. “If the account holder shares a user name and password with an agent, and the agent accesses the account on the account holder’s behalf, the agent is acting in the place of the account holder. The agent should have the same authorization rights as the account holder. On the other hand, a third party who uses a password in pursuit of his own ends stands in the same place as a third party who has guessed or stolen the password.”
In other words, respect the password you have been given.
Unfortunately, the latest ruling doesn’t offer much clarity as to when it’s ok to share a password and when it is not.
The majority opinion of the court said warnings of “dire consequences of criminalizing password sharing” miss the mark, and the appeal was not about password sharing, but rather the CFAA’s prohibition of access “without authorization.”
However, Judge Stephen Reinhardt complicated things with his dissenting opinion, where he wrote that the decision failed to draw a line between what happened in Nosal’s case and the “consensual password sharing of millions of legitimate account holders.”
“In my view, the Computer Fraud and Abuse Act does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals,” Reinhardt said.
Let’s hope not.
