There’s been a furor the last couple of days over a recent court ruling that appeared to outlaw password sharing. Would sharing your Netflix password with a friend, an all too common practice, land you in jail? No, but the legality around password sharing isn’t exactly clear either.
On July 5 the 9th U.S. Circuit Court of Appeals in San Francisco ruled against an ex-employee of a company who managed to use a co-worker’s password to access his former employer’s’ customer data without authorization. The judge panel ruled that the ex-employee violated the Computer Fraud and Abuse Act.
The ruling was often wrongly interpreted and reported as deeming password sharing to be a federal crime, using Netflix as an easy go-to example, which wasn’t really the case.
Granted, one of the judges on the panel expressed some concern that the new ruling might lead to tricky cases in the future when it comes to more innocuous forms of password sharing. However the case at the center of this ruling is much more specific. For example, the ex-employee’s company had its staff sign confidentiality agreements that forbade sharing their login details.
So if you shared your Netflix password with your spouse, the cops aren’t coming for you any time soon.
Where you may get in trouble though is if you sell your password and account details. A spokesperson for Netflix told Business Insider that “as long as they aren’t selling them, members can use their passwords however they please.”
In the past HBO CEO Richard Plepler has even said that password sharing is not a problem that the company is trying to solve.
But as streaming services vie for market share and more customers, the likes of Netflix, HBO and Hulu may turn their attention to password sharing. It’s much more likely that at some point in the future Netflix itself will be more of a threat to password sharing than any law ever will be. As the streaming service and others like it attempt to maximize subscriber numbers, they may seek ways to restrict multiple people using the one account.
All that said, password sharing and unauthorized access can still be muddy and this is where things get interesting.
This week a former executive at the St. Louis Cardinals, Christopher Correa, was sentenced to 46 months in prison for guessing the password for a confidential database belonging to a rival team, the Houston Astros.
An employee at the Cardinals left the team to go to the Astros. When they handed in their work devices before leaving, Correa was able to use data from the devices to guess the password for the Astros database later on. This ultimately meant that he violated the Computer Fraud and Abuse Act, which has become a notoriously debated, largely due to the fact it was passed in ‘80s and is in need of a rethink.
Correa’s actions were malicious in their intent—accessing a competitor’s private data without consent—but it is food for thought on password sharing and guessing.
In another infamous journalist Matthew Keys was sentenced to two years in prison for sharing login details for the content management system (CMS) of KTXL Fox 40 with members of Anonymous. He allegedly told them to “fuck some shit up”. In the end, the same login info was used to access the CMS of the Los Angeles Times, which like KTXL Fox 40 is owned by Tribune Media. A webpage on the LA Times’ site was defaced and went uncorrected for 40 minutes.
While Keys wasn’t the one responsible for the vandalism of the site, he is the one paying the cost now.