A recent decision from the Ninth Circuit Court of Appeals could mean sharing your Netflix password is a federal crime. At least that’s the interpretation of the dissenting judge in the case of United States v. Nosal. In Nosal, the Ninth Circuit was tasked to determine whether the accessing of computer data with someone else’s username and password was unlawful under the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. §1030). In Nosal, the defendant’s access to his former employer’s computer program had been revoked, but he was able to access its program by using another employee’s username and password with that employee’s permission.
The Ninth Circuit determined this activity fell squarely within the CFAA’s prohibition, noting
“once authorization to access a computer has been affirmatively revoked, the user cannot
sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door.”
The dissenting Judge, Stephen Reinhardt, however, was concerned with the scope of the Court’s ruling. Judge Reinhardt wrote the majority’s decision focuses on the “culpable behavior of the defendant,” and loses sight of the “anti-hacking purpose of the CFAA.” The opinion out of the Ninth Circuit, warns Judge Reinhardt, “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens,” including password sharing for access to sites like Netflix and Facebook – activities in which “millions of people” engage and which is “ubiquitous, useful, and generally harmless conduct.” Now, with this opinion, millions of people have been turned into “unwitting federal criminals.”
The problem, explains Judge Reinhardt, is the majority’s interpretation of the “without authorization” portion of the CFAA. The majority determined it meant “accessing a protected computer without permission.” Because a “protected computer” includes any “internet-enabled device” from laptops to iPads to even some thermostats, Judge Reinhardt cautioned that “without authorization” must be interpreted more narrowly, or the statute criminalized everything from actual computer hacking, as it is understood in the traditional sense, to innocuous behavior such as logging into a friend’s Facebook account even with that friend’s permission.
Therefore, according to Judge Reinhardt, “without authorization” should be interpreted narrowly to include accessing the protected device “without having the permission of either the system owner or a legitimate account holder.” Otherwise, the sweep of the CFAA could now mean you (and the person with whom you share it) are guilty of a federal crime if you share your password to Netflix, HBO, or Facebook with friends or family members.
This is a very interesting opinion with potentially far-reaching ramifications. If you have any questions about this, or any other issue, please feel free to call Melissa Hedrick at 405-361-7844.