“Is it a crime to share your Netflix password?”
If you’ve logged into any social media sites in the past few days, you might have seen headlines like this suggesting it is a criminal act to share a password to a protected website or service. An article titled “Sharing Passwords Can Now Be a Federal Crime, Appeals Court Rules” even appeared online in Fortune. The worry has been spreading following a recent ruling in U.S. v. Nosal, a case involving the Computer Fraud and Abuse Act (CFAA), shared passwords, and unauthorized access to computers.
Contrary to the popular headlines, this was not a case of Netflix or HBO and friends sharing account information to save money. This was a case of current and former employees sharing work-related login credentials to share, access, and download sensitive company information for a competitor business.
Although Nosal dealt with an employment and trade secrets scenario, the ruling has broader potential to shape how we all think about the CFAA and what behaviors it criminalizes.
David Nosal “was a high-level regional director at the global executive search firm Korn/Ferry International.” He resigned his employment but stayed on for a time as a contractor “subject to a blanket non-competition agreement.” United States v. Nosal, Nos. 14-10037, 14-10275, 2016 U.S. App. LEXIS 12382 (9th Cir. July 5, 2016).
While working as a contractor, Mr. Nosal and several other employees began their own search firm which was in competition with Korn/Ferry. Korn/Ferry eventually revoked Mr. Nosal’s access to its computers and related systems, even though Mr. Nosal continued to do contract work.
Korn/Ferry used an “an internal database of information on over one million executives, including contact information, employment history, salaries, biographies and resumes, all compiled since 1995.” It gave each of its employees a unique set of login credentials, a username and password, for its computer systems but not for the database separately. The company’s employee confidentiality agreements prohibited employees from sharing their passwords.
This is how the courts came to examine a password-sharing situation.
While Mr. Nosal and a few other employees still worked with Korn/Ferry, they used their own passwords to download database information for their own business. When Mr. Nosal became a contractor, he lost his access to the system, however. When his colleagues stopped working with the company, they too lost their access to the company systems, so they asked for and received the system password information of another employee, Mr. Nosal’s former assistant. They used the assistant’s password and user name to download information and lists on a few different occasions.
Was that hacking? And is it illegal to share your Netflix password?
As the Ninth Circuit quoted in Nosal, the CFAA was originally aimed at “hackers who accessed computers to steal information to disrupt or destroy computer functionality.” LVRC Holdings LLC v. Brekka, 581 F.3d 1127 at 1130-31 (9th Cir. 2009). In Brekka, the Ninth Circuit explained the CFAA “prohibits a number of different computer crimes, the majority of which involve accessing computers without authorization or in excess of authorization, and then taking specified forbidden actions, ranging from obtaining information to damaging a computer or computer data.” Id.
Mr. Nosal didn’t break into any computer systems or install malware that disabled the systems. But his convictions were upheld after the Court of Appeals was “asked to decide whether the ‘without authorization’ prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means.”
From a narrow reading of the opinion language, it would seem the Nosal decision had little to do with password sharing. The majority writing the Nosal opinion stated the case “is not about password sharing.” The dissenting judge, however, stated, “This case is about password sharing.”
Read in its proper context, Mr. Nosal’s convictions were upheld, in part, because he used someone else’s password, freely given, to access proprietary company information outside of what he was authorized to access. We know that particular set of behaviors is illegal and can result in criminal convictions and liability for money damages.
The case does not clearly answer whether the CFAA prohibits you sharing your Netflix password or using someone else’s password to watch Game of Thrones on HBO Go. It raises several questions and concerns about what rises to the level of criminal conduct under the CFAA. We will need to pay close attention in the near future to how law enforcement agencies and courts apply the principles of the Nosal decision to facts and circumstances outside the workplace.
By Alexandra Tracy-Ramirez, HopkinsWay PLLC. | © HopkinsWay PLLC 2016. All rights reserved.