Is it a Crime to Borrow a Netflix Password?
The Ninth Circuit recently ruled that using someone else's password to get into a computer is a crime under the Computer Fraud and Abuse Act (“CFAA”).
Does that mean that the federal prisons will soon be full of people who use borrowed Netflix and HBO Go passwords?
Probably not — federal law enforcement officials have better things to do with their time.
But the decision illustrates how "borrowing" a password can violate the law.
Before leaving Korn/Ferry to form a competing firm, Nosal's colleagues downloaded confidential information from the Korn/Ferry database to use in their new business. This violated the firm's confidentiality and computer use policies, but the court found that taking data to which they had legitimate access wasn't actually a crime under the CFAA.
After he left Korn/Ferry, Nosal's password and login privileges were revoked. Nosal nevertheless provided his business associates with the login credentials of his former executive assistant so they could continue to get into the company's system.
A Year and a Day in Prison
A jury convicted Nosal of violating the CFAA. He was sentenced to a year and a day in prison and ordered to pay a $60,000 fine and $828,000 in restitution to Korn/Ferry. He appealed.
The CFAA imposes criminal penalties on a person who
knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value...
As Fortune reported,
the law was used to pursue Aaron Swartz, the young programmer who committed suicide after being charged with mass-downloading research papers from an MIT database, in violation of its terms of service—despite the fact that he was then a research fellow at MIT, with authorized access to the involved database.
The appeals court upheld Nosal's conviction, finding:
Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access. This access falls squarely within the CFAA’s prohibition on access “without authorization”...
One of the judges dissented, saying
This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.
The dissenting judge suggested that the decision "threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens" and argued that "consensual password sharing is not the kind of 'hacking' covered by the CFAA."
Will Netflix Seek Charges?
It will be interesting to see whether Netflix or any other online service provider will ask federal prosecutors to charge password-sharers with violating the CFAA, and whether law enforcement agencies would take them seriously if they did.
It seems doubtful, given the scope of harm. Whereas Nosal was found to have caused hundreds of thousands of dollars' worth of damage to his former employer, a Netflix streaming account only costs about $7.99 per month.