US court rules in favor of a new criminal act designed to counter cases of hacking, but decision may have consequences for ‘innocuous’ password sharers

This article is more than 4 years old

This article is more than 4 years old

Sharing passwords to access streaming sites such as Netflix, Amazon Prime and HBO Go could be a federal crime, according to a new ruling.

Three judges from the US court of appeals from the ninth circuit issued a ruling on Tuesday that such activity now constitutes a criminal act, under the Computer Fraud and Abuse Act (CFAA).

The ruling came from the ongoing United States v Nosal case, filed against David Nosal, a former employee of the recruitment firm Korn/Ferry. Nosal left the recruitment firm in 2004 to launch a competitor, and allegedly used a former co-worker’s password to access a work computer after his personal access was revoked.

Nolan was charged in 2008 with hacking under the CFAA and the court concluded that he acted “without authorization” in violation of the law.

According to the outcome of Nosal’s case, no person giving their password to someone else constitutes authorization – the company that issued it has to allow it.

Judge Margaret McKeown, in the majority opinion, stated that the “appeal is not about password sharing”, adding that it was about an employee who “accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed”.

However, Stephen Reinhardt, a judge in the case, noted that the decision “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens”, apparently including those who share passwords for streaming sites.

Despite the outcome, it’s unlikely that companies such as Netflix and Hulu will come after password-trading customers.

Technically, the majority consider password sharing a violation of their terms of service (HBO Go states that you must be a “subscriber with an account in good standing with an authorized distributor of HBO” to use the service). But both HBO and Netflix have gone on the record to say that their companies don’t see password sharing as a major cause for concern, even though Variety reports that the sector lost upwards of $500m worldwide due to the practice.

In 2014, HBO’s CEO, Richard Plepler, told BuzzFeed that the trading of information “has no impact on the business”, adding that it serves as a “terrific marketing vehicle for the next generation of viewers”.

Netflix’s CEO, Reed Hasting, said in January that the act is “a positive thing, not a negative thing”. Though as the Daily Dot points out, it’s unclear if his comments were aimed solely at family password sharing.