
Your password isn't yours to share, and here's why that's a problem


No, you're not going to get prosecuted for sharing your Netflix password — but somebody else could be charged or sued for it.

A new federal appeals court ruling has raised fears that the kind of password sharing that millions of Americans innocently engage in with family and friends — for social media sites, streaming video services and bank accounts — could leave them open to criminal prosecution.

A lawyer for the defendant in that 9th Circuit Court of Appeals case suggested to CNBC that those fears are overblown, at best.

"At some level, prosecutors are not complete idiots," said Ted Sampsell-Jones of the Mitchell Hamline School of Law in St. Paul, Minnesota. "Prosecutors are not going to run around prosecuting all of the 30 million people that share Netflix passwords."

But Sampsell-Jones warned that the decision against his client, David Nosal — which will be appealed — would enable prosecutors to use the controversial ruling to criminally charge people whom they might otherwise be unable to indict for other conduct that they deem suspicious or criminal.

He also said that the ruling against executive recruiter Nosal, which relates to the Computer Fraud and Abuse Act, would give companies an unfair cudgel to use against former employees and competitors in civil disputes.

"It opens the door to a huge amount of lawsuits, and particularly retaliatory lawsuits," said Sampsell-Jones, noting that companies being sued for workplace discrimination or over consumer protection issues could turn around and countersue plaintiffs for having shared passwords.

"Suppose there's a class action against Netflix, or a lawsuit against Netflix for violating net neutrality," the lawyer said. "People [at Netflix] can say, 'We looked at your account and we see you shared the account with your brother.'"

He said the ruling is particularly problematic in the current cloud computing era where users of computer apps routinely grant those apps access to other accounts that they have from other companies.

Sampsell-Jones gave the example of himself, and his allowing his Yahoo account to access email from his Google account. If the current ruling is allowed to stand, he said, it would potentially lead to tech companies suing each other because customers they have in common allowed access between their online accounts.

His client, Nosal, was charged and convicted for conspiracy, theft of trade secrets and computer fraud. Nosal, a former employee of the executive headhunter firm Korn Ferry who was preparing to start a headhunter firm of his own, was accused along with other former co-workers of using the login credentials of a current Korn Ferry employee to gain access to the company's database of candidates.

Two of the three judges on the appeals panel ruled that Nosal, whose computer access credentials had been revoked by Korn Ferry, acted "without authorization" under the CFAA by gaining access to the database.

The two judges said the case was "not about password sharing." Those judges said the female worker who gave out her password had "no authority from Korn/Ferry to provide her password for former employees whose computer access had been revoked."

The judges also wrote that Nosal "knowingly, and with the intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access."

But in the very first sentence in his dissenting opinion, Judge Stephen Reinhardt wrote, "This case is about password sharing."

Reinhardt added, "People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it."

The judge said he did not believe the CFAA makes "the millions of people who engage in this ubiquitous, useful and generally harmless conduct into unwitting federal criminals."

Jamie Williams, a lawyer on the civil liberties team at the Electronic Frontier Foundation, said that although the majority of the appeals panel "says this isn't going to criminalize routine password sharing, its reasoning suggests that it would."

"The court's reasoning finding Nosal liable under the CFAA could apply to anyone who shares their password," said Williams, whose organization filed a friend-of-the-court brief supporting Nosal's appeal.

Asked how likely it is that prosecutors will use the decision to prosecute people for routine password sharing, such as for Facebook, HBO Go or Amazon Prime accounts, Williams said, "I don't think that's a question that matters."

"We should not be at the whim of a prosecutor," she said. "One of the biggest problems with the CFAA is that it's so vague and so broad and it gives prosecutors discretion, and this [decision] only exacerbates that."

Nosal's lawyers intend to ask the full 9th Circuit Court of Appeals to appoint an en banc panel of 11 circuit judges to rehear the case, and overturn the ruling. Such en banc reviews are rarely granted.

If Nosal isn't granted a review, or if he loses the rehearing, his last option would be to ask the U.S. Supreme Court to hear his appeal.

"We face long odds, but we'll give it our best shot," Sampsell-Jones said.

"It's completely crazy when you think about what the implications of the opinion are," he said.

Correction: Ted Sampsell-Jones is a professor at the Mitchell Hamline School of Law. An earlier version misstated the name of the school.