 {"id":2136,"date":"2016-10-31T17:18:25","date_gmt":"2016-10-31T17:18:25","guid":{"rendered":"https:\/\/live-journal-of-law-and-public-policy.pantheonsite.io\/?p=2136"},"modified":"2016-10-31T17:18:25","modified_gmt":"2016-10-31T17:18:25","slug":"dont-pass-go-how-password-sharing-sent-someone-to-jail","status":"publish","type":"post","link":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/2016\/10\/31\/dont-pass-go-how-password-sharing-sent-someone-to-jail\/","title":{"rendered":"Don\u2019t Pass Go: How Password Sharing Sent Someone to Jail"},"content":{"rendered":"By: Francis Cullo\n\nOver the summer, the Ninth Circuit handed down an opinion in <a href=\"http:\/\/cdn.ca9.uscourts.gov\/datastore\/opinions\/2016\/07\/05\/14-10037.pdf\"><em>United States v. Nosal<\/em><\/a> that generated<a href=\"http:\/\/motherboard.vice.com\/read\/password-sharing-is-a-federal-crime\"> several<\/a> <a href=\"http:\/\/www.npr.org\/sections\/alltechconsidered\/2016\/07\/14\/485735920\/how-a-nightmare-law-could-make-sharing-passwords-illegal\">fear-mongering<\/a> <a href=\"http:\/\/www.salon.com\/2016\/07\/17\/jail_for_sharing_your_netflix_password_understanding_the_law_that_could_make_it_a_federal_crime\/\">headlines<\/a>. At first blush, the Ninth Circuit seemed to outlaw a common digital practice\u2014password sharing. But are you really committing a federal crime if you use someone else\u2019s password when you <a href=\"http:\/\/www.cnbc.com\/2016\/10\/17\/your-shared-netflix-password-is-safe-the-ceo-says.html\">Netflix and chill<\/a>?\n\nThe short answer is no. So what produced this flurry of headlines?\n\n<em>The Ninth Circuit wrestles with password sharing.<\/em>\n\nIn <em>United States<\/em> <em>v. Nosal<\/em> the Ninth Circuit issued an opinion finding that an employee acted \u201cwithout authorization\u201d when he requested and used a former co-worker\u2019s login <em>despite<\/em> having that co-worker\u2019s permission. 
David Nosal was charged under the federal <a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/18\/1030\">Computer Fraud and Abuse Act<\/a> (CFAA). The CFAA is an anti-hacking statute. It creates a private right of action, allowing both private individuals and businesses to sue and recover damages when someone \u201cintentionally accesses a computer without authorization or exceeds authorized access.\u201d\n\n<a href=\"http:\/\/cdn.ca9.uscourts.gov\/datastore\/opinions\/2016\/07\/05\/14-10037.pdf\">In 2004<\/a>, Nosal was a bigwig in Silicon Valley when he left his employer to start a rival executive recruiting company. <a href=\"https:\/\/www.washingtonpost.com\/news\/volokh-conspiracy\/wp\/2016\/07\/06\/password-sharing-case-divides-ninth-circuit-in-nosal-ii\/?utm_term=.db09197ec184\">Two other employees<\/a> from his former employer joined him a year later at his new firm. After joining Nosal\u2019s new company, these employees convinced a friend still employed at the old firm to give them access to a database containing a list of names of top executives in Silicon Valley. In legal terms, Nosal was accessing <a href=\"https:\/\/www.law.cornell.edu\/wex\/trade_secret\">trade secrets<\/a>.\n\nOn appeal, the government had to show that Nosal acted <a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/18\/1030\">\u201cwithout authorization\u201d<\/a> or \u201cexceed[ed] authorized access\u201d when he accessed this database with the employee\u2019s password. While the fact pattern in <em>Nosal <\/em>looks very different than the common practice of friends and family sharing an HBOGo account, there is a concern that this common behavior could be implicated as courts wrestle with how to interpret the \u201cwithout authorization\u201d requirement. Judge <a href=\"http:\/\/www.americanbar.org\/content\/dam\/aba\/migrated\/women\/margaretbrent\/10\/mckeown.authcheckdam.pdf\">M. 
Margaret McKeown<\/a> acknowledged this fear in the majority opinion, stating that \u201cill-defined terms\u201d of the act could capture \u201c<a href=\"http:\/\/cdn.ca9.uscourts.gov\/datastore\/opinions\/2016\/07\/05\/14-10037.pdf\">password sharing among friends and family<\/a>.\u201d Judge McKeown was careful to confine the decision to <em>Nosal\u2019<\/em>s particular fact pattern. She cautioned that the facts in <em>Nosal<\/em> were not similar enough to password sharing between friends and family to warrant an exception to the CFAA. Even still, Judge <a href=\"http:\/\/www.weeklystandard.com\/the-judge-the-supreme-court-loves-to-overturn\/article\/2702\">Stephen Reinhardt<\/a> strongly dissented on the basis of the ubiquity of the practice of password sharing. While he acknowledged that Nosal\u2019s conduct could violate trade secret law, he argued that it was a mistake to indict him under the CFAA. He highlights that the majority opinion is missing a \u201c<a href=\"http:\/\/cdn.ca9.uscourts.gov\/datastore\/opinions\/2016\/07\/05\/14-10037.pdf\">workable line<\/a>\u201d to distinguish between the password sharing in <em>Nosal<\/em> and the consensual password sharing that millions of account holders do every day.\n\n<em>The CFAA does not meet our digital reality.<\/em>\n\nAmended nine times since it was enacted in 1984, the CFAA certainly has its critics. 
Professor <a href=\"http:\/\/web.law.columbia.edu\/faculty\/tim-wu\">Tim Wu<\/a> of Columbia Law School called the CFAA \u201c<a href=\"https:\/\/www.theguardian.com\/commentisfree\/2016\/jun\/30\/cfaa-online-law-illegal-discrimination\">the worst law in technology<\/a>.\u201d Famously, in 2011 <a href=\"https:\/\/mic.com\/articles\/132299\/3-years-after-aaron-swartz-s-death-here-s-what-s-happened-to-aaron-s-law#.ypxIy5HuS\">Aaron Swartz<\/a> was accused of violating the CFAA by <a href=\"https:\/\/mic.com\/articles\/132299\/3-years-after-aaron-swartz-s-death-here-s-what-s-happened-to-aaron-s-law#.ypxIy5HuS\">downloading millions of articles<\/a> from <a href=\"http:\/\/www.jstor.org\/\">JSTOR<\/a>, an online database. Swartz committed suicide during the lengthy legal battle. His suicide galvanized the tech industry to propose reforms to the CFAA with <a href=\"http:\/\/www.theatlantic.com\/politics\/archive\/2015\/04\/aarons-law-reintroduced-as-lawmakers-wrestle-over-hacking-penalties\/458535\/\">Aaron\u2019s Law<\/a>, which as of yet has not passed Congress.\n\nUltimately, the law does not align with how people live their digital lives. The law was designed to protect against computer hacking. 
In actuality, using someone\u2019s password for a website does not constitute <a href=\"http:\/\/cyber.laws.com\/hacking\">hacking<\/a> (even if people <a href=\"https:\/\/www.quora.com\/What-are-some-funny-things-to-do-if-you-find-your-friend-left-their-account-logged-into-Facebook-on-your-computer-1\">misuse the word hacking<\/a> all the time on Facebook).\n\nFurthermore, the <a href=\"https:\/\/www.eff.org\/deeplinks\/2016\/07\/ninth-circuit-panel-backs-away-dangerous-password-sharing-decision-creates-even\">\u201cwithout authorization\u201d<\/a> language provides only some murky guidance to courts and computer users alike.\n\nFirst, it does not acknowledge the ubiquity of password sharing for both <a href=\"http:\/\/www.businessinsider.com\/netflix-and-hulu-sharing-password-numbers-2015-5\">business and personal<\/a> use. My family shares passwords for our Netflix and Hulu accounts, and we certainly aren\u2019t unique. <a href=\"https:\/\/blog.lastpass.com\/infographic-keep-your-friends-close\">Millions of people<\/a> share <a href=\"http:\/\/www.securityweek.com\/survey-reveals-how-stupid-people-are-their-passwords\">passwords<\/a>. In fact, <a href=\"http:\/\/www.inc.com\/will-yakowicz\/infographic-95-percent-share-6-passwords-with-friends.html\">survey research<\/a> found that users are more likely to share business passwords than personal ones. <em>Nosal<\/em> continues to muddy the difference between how the <a href=\"https:\/\/blog.simplejustice.us\/2016\/07\/13\/the-9th-circuit-crafts-a-bright-line-test-for-the-cfaa\/\">court looks at passwords<\/a> and the way <a href=\"https:\/\/www.troyhunt.com\/science-of-password-selection\/\">people design and use passwords<\/a>.\n\nSecond, content creators, who actively create and publish original media content online, are not <em>necessarily <\/em>against the practice of password sharing. 
In a <a href=\"https:\/\/www.buzzfeed.com\/mattlynley\/hbos-ceo-doesnt-care-that-you-are-sharing-your-hbo-password?utm_term=.iaXY7gm3No#.jveNO7aQ30\">2014 interview<\/a> with Buzzfeed, HBO CEO <a href=\"http:\/\/www.timewarner.com\/company\/management\/executives-by-business\/home-box-office\/richard-plepler\">Richard Plepler<\/a> said he was in the business of \u201ccreating addicts,\u201d and password sharing was a \u201cterrific marketing vehicle\u201d for hooking new viewers on his hit shows like <em>Game of Thrones<\/em>.\n\n<em>Where do we go from here?<\/em>\n\nSo if the CFAA was meant to protect against hacking, consumers are going to do it anyway, and content creators don\u2019t seem to mind\u2014what was the decision in <em>Nosal<\/em> for?\n\nWell, for one Nosal certainly acted in bad faith. He didn\u2019t borrow his friend\u2019s password to stream the second season of <em>Narcos<\/em>. He used a former co-worker\u2019s password to access his competitor\u2019s trade secrets and to gain a competitive edge in the industry. But, in an effort to indict him, prosecutors misconstrued the purposes of the CFAA and the Ninth Circuit over-interpreted its reach. Instead, the Court could have relied on <a href=\"https:\/\/www.law.cornell.edu\/wex\/trade_secret\">intellectual property law<\/a> and indicted <em>Nosal <\/em>solely on the <a href=\"https:\/\/www.eff.org\/deeplinks\/2016\/07\/ever-use-someone-elses-password-go-jail-says-ninth-circuit\">trade secrets<\/a> claim. Moving forward, Congress should work to redefine the CFAA\u2019s \u201cwithout authorization\u201d language to better conform the statute to consumer expectations and data privacy concerns.\n\nUntil then, you should still be safe to Netflix and chill despite this Ninth Circuit ruling. Binge on.\n\n<em> <\/em>\n\n&nbsp;","protected":false},"excerpt":{"rendered":"<p>By: Francis Cullo Over the summer, the Ninth Circuit handed down an opinion in United States v. 
Nosal that generated several fear-mongering headlines. At first blush, the Ninth Circuit seemed to outlaw a common digital practice\u2014password sharing. But are you really committing a federal crime if you use someone else\u2019s password when you Netflix and&#8230;<\/p>\n","protected":false},"author":1,"featured_media":2137,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[14,15,16,18,19,27],"tags":[32,79,80,287,348,349,763,1083,1109,1158,1159,1545,1601],"class_list":["post-2136","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-archives","category-authors","category-blog-news","category-feature","category-feature-img","category-recent-stories","tag-without-authorization","tag-aaron-schwartz","tag-aarons-law","tag-cfaa","tag-computer-fraud-and-abuse-act","tag-computer-passwords","tag-hbo-password-sharing","tag-netflix-sharing","tag-nosal","tag-password-sharing","tag-passwords","tag-trade-secrets","tag-united-states-v-nosal"],"acf":[],"_links":{"self":[{"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/posts\/2136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/comments?post=2136"}],"version-history":[{"count":0,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/posts\/2136\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/media\/2137"}],"wp:attachment":[{"href":"https:\/\/publicati
ons.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/media?parent=2136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/categories?post=2136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/publications.lawschool.cornell.edu\/jlpp\/wp-json\/wp\/v2\/tags?post=2136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}