July 12, 2016

Password sharing criminalized by federal court


A federal court decision has made millions of people unwitting criminals... Your crime? Sharing your Netflix, HBO GO, Hulu or any online service password.

The decision was issued by the Ninth Circuit Court of Appeals in the case of David Nosal. Nosal used to work for a head-hunting firm in California and decided to open a competing firm. He left and continued to work as an independent contractor for a while, and had his former assistant continue working there so he could use her login information to access the company’s database.

The case hinged on the term “without authorization” in the Computer Fraud and Abuse Act. The court ruled that sharing passwords did amount to unauthorized access, but dissenting Judge Stephen Reinhardt said it would make “millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”

“It (the majority opinion) loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens,” Reinhardt wrote.

Reinhardt wrote that “consensual password sharing” should not qualify as hacking under the CFAA.

But Judge M. Margaret McKeown, the author of the majority opinion, wrote that Reinhardt was taking the decision too far. She said the assistant had no authority to share the password with Nosal.

“The dissent would render meaningless the concept of authorization,” McKeown wrote. “And, pertinent here, it would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.”

Regardless of the interpretation of the decision, Netflix and HBO GO account holders shouldn’t expect any changes. Netflix CEO Reed Hastings and HBO CEO Richard Plepler are well aware that people share passwords and both publicly said it isn’t an issue.

No comments: