Does your cousin use your Netflix account to watch "Orange is the New Black"? Did you give your boyfriend your HBO password so that he could catch up on "Game of Thrones"? If so, you might be considered a criminal under Computer Fraud and Abuse Act. But don’t worry – the good news is that Netflix doesn’t mind.
A decision on July 5 by the US Ninth Circuit Court of Appeals in United States v. David Nosal has broad implications that some say could impact unwitting internet users.
“People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it,” wrote Judge Stephen Reinhardt in his dissenting opinion on US v. David Nosal. “In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”
Netflix doesn’t think so either. Both Netflix and competitor HBO GO have acknowledged that many of their users share passwords in order to avoid paying for multiple accounts within a family or group of friends.
Yet despite the fact that a study by Parks Associates last year found that subscription video on demand (VOD) services like Netflix stand to lose $500 million per year due to password sharing, VOD executives are enthusiastic about service sharing.
“We love people sharing Netflix whether they’re two people on a couch or 10 people on a couch,” Reed Hastings, Netflix chief executive officer, announced at the Consumer Electronics Show (CES) earlier this year. “That’s a positive thing, not a negative thing.”
In fact, Mr. Hastings doesn’t see password sharing as a way to lose customers, but as a way to gradually gain them. The reasoning, he says, is that young people share their parents’ passwords until they leave home or can afford their own subscription. By allowing password sharing, services like Netflix literally grow their subscriber base.
HBO has been less explicit about its own position on password sharing in recent years but in 2014, CEO Richard Plepler shared views similar to Hastings in a statement, saying password sharing is a “terrific marketing vehicle for the next generation of viewers.”
Besides, most sharing seems to take place at the familial level. An IBM Cloud Video's Clearleap study conducted in April found that just 4 percent of VOD subscribers share their password with non family members, according to the Chicago Tribune.
The fact that most sharing occurs between parents and children, or with others within a family, makes it even more difficult to say that password sharers are engaging in a criminal act.
The case that led Judge Reinhardt to express concerns that the majority’s decision made Netflix and HBO GO password sharers into “unwitting federal criminals” actually has little to do with entertainment.
The defendant, David Nosal, was a contractor (and former full employee) at an international headhunting firm called Korn/Ferry International when he began to formulate plans to create his own firm. Nosal and several others used login information that belonged to Nosal’s former assistant to access a Korn/Ferry database.
Nosal was eventually convicted under the Criminal Fraud and Abuse Act, which is mainly intended to apply to hackers. The court applied one clause of the CFAA in particular, which makes it illegal to “knowingly and with intent to defraud, accesses a protected computer without authorization.”
“We conclude that “without authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission,” wrote Justice Margaret McKeown in the opinion. “This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.”
In his dissent, Reinhardt expressed concern that this decision will begin a slippery slope towards the prosecution of innocuous civilian behaviors such as password sharing.