You may know someone who uses another person's password to watch Netflix or HBO GO. You may even do so yourself, even though you know it's something you could get in trouble for. Now a federal appeals court has reaffirmed that such password sharing can be considered a criminal offense under the Computer Fraud and Abuse Act (CFAA), a 30-year-old law designed to stop computer hacking.
The 2-1 ruling was issued by the Ninth Circuit Court of Appeals Tuesday (July 5) in U.S. v. Nosal, a long-running, convoluted case that involves corporate espionage, theft of proprietary information and charges of unauthorized access gained by using someone else's password.
It's not likely that HBO, Hulu or Netflix are going to use the ruling to come after you for using your grandmother's password to stream video. But the ruling does make it clear that doing so is illegal, whether or not your grandmother knows you're using her password.
"While risk of enforcement for the individual consumer is something approaching zero, it is not exactly zero," Mark Grossman, an attorney specializing in technology law, told Tom's Guide. "If someone wanted to make a point out, you've won the bad-luck lottery."
Nosal left the San Francisco office of global executive-search firm Korn/Ferry in 2004, and secretly started a competing head-hunting firm in violation of a no-compete agreement. He recruited two fellow Korn/Ferry employees, Becky Christian and Mark Jacobson, to join him, and the two began supplying Nosal with information from Korn/Ferry's database of current and potential clients while they still worked there. In early 2005, the two left Korn/Ferry to join Nosal's firm (which was set up under Christian's name), losing access to the Korn/Ferry client database.
However, Nosal's former assistant, Jacqueline Froehlich-L'Heureaux, continued to work at Korn/Ferry and had access to the database as part of her regular company-network access. Nosal instructed Christian to obtain more information from the database, and Christian asked Froehlich-L'Heureaux to share her Korn/Ferry company-network credentials, apparently without telling Froehlich-L'Heureaux the true reason her credentials were needed.
Froehlich-L'Heureaux shared her credentials with Christian, who twice used them to copy information from the Korn/Ferry database and pass it on to Nosal. Later, Jacobson did the same. By mid-2005, someone tipped off Korn/Ferry about the scheme, and Korn/Ferry called the police.
Nosal, Christian and Jacobson were all charged and indicted on various counts. But in 2012, charges against Christian and Jacobson were dropped after the Ninth Circuit ruled 9-2, in a rare full-bench decision, that the pair had not violated the CFAA when they used their own passwords to steal information for Nosal while they were still Korn/Ferry employees.
Charges against Nosal were refiled in early 2013, and he was quickly convicted on six counts, including three CFAA violations involving Froehlich-L'Heureaux's password. In September 2013, Nosal was sentenced to a year and a day in federal prison. The Ninth Circuit's ruling Tuesday affirms Nosal's conviction.
"The panel affirmed convictions for knowingly and with intent to defraud accessing a protected computer 'without authorization,' in violation of the Computer Fraud and Abuse Act (CFAA)," wrote Justice M. Margaret McKeown in the summary of the decision.
Arguably, that language could be applied to any unauthorized person who uses an authorized person's password to access a protected online service such as Netflix. Judge Stephen Reinhardt used that ambiguity to disagree with the decision.
"This case is about password sharing," Reinhardt wrote in his dissent, which emphasized the fact that Froehlich-L'Heureaux willingly gave her credentials to Christian. "People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act ... does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals."
Attorneys for streaming services might disagree that password sharing is "generally harmless," as it could rob companies of paid dues. And McKeown's majority opinion countered that Reinhardt's view "would render meaningless the concept of authorization" and "would remove from the scope of the CFAA any hacking conspiracy with an inside person."
The Real-Life Impact
Netflix seemingly encourages potential customers to share passwords by offering multiple user accounts under a single subscription, but it may be alone among streaming services with such leniency. HBO sees it differently. In a 2015 interview, HBO CEO Richard Plepler said the company was monitoring HBO GO password sharing yet didn't believe it required action.
But, Plepler added, "Should it become a big number, we will deal with it" by changing "the number of concurrent streams that are available."
Georgetown University law professor Orin Kerr doesn't believe this case will lead to you and your parents getting prosecuted for sharing Hulu logins.
"I don't think this decision will lead to any users being prosecuted under the CFAA for password sharing," Kerr told Tom's Guide. "The court's opinion is limited to access by former employees who had their old accounts revoked."
Yet he reminded us that as widespread as login sharing may be, it's not recommended.
"Sharing passwords beyond what the service allows is a bad idea," Kerr said. "It can amount to criminal theft of service."
"When you conspire to do what you know is not authorized by the provider, there is exposure on your end," Grossman told Tom's Guide.
The CFAA has arguably been abused by prosecutors in the past. The best-known example is the case of Aaron Swartz, who broke into a utility closet at the Massachusetts Institute of Technology in an attempt to rapidly download, and then make public, millions of academic-journal articles from a paid online archive.
Federal prosecutors in Boston used the CFAA to slam Swartz with multiple charges that could have amounted to $1 million in fines and 35 years in prison, although Swartz rejected a plea deal that would have had him spend 6 months in jail. In early 2013, Swartz hanged himself in his Brooklyn apartment.
There's also a risk of lawsuits resulting from sharing passwords. A decade ago, the music industry spent, and won, a lot of money suing individuals randomly selected from the millions of people who were downloading MP3s illegally from file-sharing services. Because the CFAA can be used in civil as well as criminal cases, it's possible that a litigious streaming service could take the same approach with illegal video streamers.
It's hard to make a moral argument in favor of the defendants in the Nosal case. But it's not hard to argue that the CFAA's ambiguous language — for example, there's no clear-cut definition of a "protected computer" — should be rewritten to suit the technological developments of the past three decades. Yet we're not holding our breath for the law to change.