Password Sharing Is Now a Crime

In a truly terrible ruling, the US 9th Circuit Court ruled that using someone else's password with their permission but without the permission of the site owner is a federal crime.

The argument McKeown made is that the employee who shared the password with Nosal "had no authority from Korn/Ferry to provide her password to former employees."

At issue is language in the CFAA that makes it illegal to access a computer system "without authorization." McKeown said that "without authorization" is "an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission." The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from whom?

Reinhardt argues that Nosal's use of the database was unauthorized by the firm, but was authorized by the former employee who shared it with him. For you and me, this case means that unless Netflix specifically authorizes you to share your password with your friend, you're breaking federal law.

The EFF:

While the majority opinion said that the facts of this case "bear little resemblance" to the kind of password sharing that people often do, Judge Reinhardt's dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husband's user credentials to access his bank account to pay bills, Judge Reinhardt noted: "So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates." As a result, although the majority says otherwise, the court turned anyone who has ever used someone else's password without the approval of the computer owner into a potential felon.

The Computer Fraud and Abuse Act has been a disaster for many reasons, this being one of them. There will be an appeal of this ruling.

Posted on July 13, 2016 at 11:07 AM • 54 Comments

Comments

Andrew • July 13, 2016 11:21 AM

If they are out of ideas:

Not carrying your smartphone - a crime.
Not declaring social accounts - a crime.
Using encryption - a crime.

Vesselin Bontchev • July 13, 2016 11:30 AM

That's not quite correct. The crime is not sharing your password - the crime is accessing a network to which you're clearly denied access, even if you do it by using a password that a legitimate user has voluntarily given you.

um? • July 13, 2016 11:38 AM

Sorry Officer, it would be a crime for me to give you that password. As the site owner of my phone/laptop/server, I do not authorize your use of my password. By the way, are you reaching for your handcuffs or your baton?

neil lopez • July 13, 2016 11:42 AM

Though sharing passwords is now technically a federal crime, companies like Netflix Inc. and HBO are still all but shrugging off friends, family and significant others using each other’s accounts.

Eric • July 13, 2016 11:44 AM

Anyway, sharing your password is prohibited by most terms of service (including Netflix), so isn't it already considered a crime by CFAA?

That's only for the sharer, I guess, who accepted the terms of service. Good to know that CFAA also covers the guy who misuses the shared password.

Daniel • July 13, 2016 11:52 AM

Actually, it gets even worse as the 9th decided a follow-up case to Nosal II involving Facebook.

https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/12/9th-circuit-its-a-federal-crime-to-visit-a-website-after-being-told-not-to-visit-it/

Using the logic in Nosal II the 9th has now ruled that visiting a website is also a crime even if you have the passwords to access the site so long as the company told you not to. The company doesn't have to take any steps to restrict your access such as revoking the passwords, they just have to send you a strongly worded letter and if you ignore the letter you have committed a federal crime.
----------

Back when Bruce first started talking about "the feudal internet" I was under the impression that this balkanization of the internet would primarily be driven by technology and that it would be law and culture that would overcome it. Now I think that feudalism will be imposed on the internet by our law and culture and that technology must save it.

r • July 13, 2016 12:07 PM

@um?,

From what I recall reading when I posted that to the squid, the password may have been shared prior to the employee's dismissal. It still constitutes access fraud, and therein lies the complaints. People have smoked weed for thousands of years; it's still mostly illegal to smoke, but some people still do it. That's federal; if a law is unjust it's our obligation to stand up, break it, and say so. Seeing some of the ways password sharing is used, though, Netflix in particular, you can see why this is enforceable. Also note that the bank argument may be moot. In the state that I live in (Michigan) a wife can own property the husband can't own, while the husband can't disavow the wife access from his.

David Donahue • July 13, 2016 12:12 PM

@Um has a good point.

No longer can a court compel me to disclose my password/passphrase. They cannot compel me to commit a federal crime. Until the site owners of wherever I used that password give me explicit permission to do so, I shouldn't be compelled to comply.

It's a bad ruling not only for citizens but also for the government.

Bob Fences • July 13, 2016 12:12 PM

So ... this clearly has nothing to do with information/computer security at all. On the one hand I thought it was big government in tow with big business (sell more licenses), but that ain't necessarily so given comments from the likes of Netflix etc. So ... have there been situations where court cases have fallen whereby people claim that fraudulent activities were conducted with their account, but not by them personally, thus making a conviction difficult? Possibly, just possibly .....

Leaving all that aside, I just point-blank refuse to share passwords for any account. :-)

r • July 13, 2016 12:13 PM

@um?,

That's an interesting scenario, there may be exemptions for officers of the state. Do you mind if I cc: that to the sniper_vs_DallasPD thread?

rrr • July 13, 2016 12:18 PM

Shouldn't Netflix be bound to civil arbitration? Is there a federal civil court system??

Z • July 13, 2016 12:18 PM

I have to give the decision a more thorough read, but this precedent seems like it would only further confuse issues involving law enforcement. In a world in which everything is constantly connecting to company servers, it's hard to see how opening another person's phone wouldn't immediately result in several violations of the CFAA. And since this would be a violation against the company, not an individual, do they now need a warrant for every company with an app running in the background?

Edward Sargisson • July 13, 2016 12:41 PM

Serious question: without a ruling like this, how should companies protect their access?

The company withdrew the employee's access. If the ruling had gone the other way then the principle would have been something like, "if you get a password from anybody then you can have access again."

That seems odd - why would you want it that way?

I think the decision was written to attempt to be narrowly focussed (see the Snopes summary) - somebody may try to bring an action relying on it to criminalize sharing Netflix, etc. passwords but I'm not sure they'd succeed.

Christian • July 13, 2016 1:22 PM

Funny. In Germany there has just been a ruling into the other direction.

Banks were forbidden to forbid their customers to give out access to their account.

There is a service where the payment basically works by giving your password and a TAN to perform the transaction to a payment provider, thereby getting instant confirmation. This "sofortueberweisung.de" won and defended its business model against the security concerns of banks...

JimFIveJuly 13, 2016 1:32 PM

I think the fact of being an employee is probably relevant to the decision. In addition, the summary doesn't indicate whether this is a private system for employee use or a system for use by customers/the public.

If a bank employee gives me a password to access a bank's internal systems that seems like it should be illegal both for the employee and for me, if I use the password. However, if my spouse gives me her banking password so that I can use the bank's public facing system to make an account transfer for her that shouldn't be illegal.

Glenn Hyatt • July 13, 2016 1:36 PM

@Tracy Reed: Thank you for that link to Snopes.

Somewhere beyond sharing your Netflix account's password but short of sharing the password to your account at your former employer is the case of businesses built on the use of shared passwords: financial information aggregators like mint.com.

Users of these aggregators disclose to the aggregator the IDs and passwords for their accounts at other financial institutions. The aggregator uses those credentials to retrieve the user's financial information from the various financial institutions, then presents a combined financial picture to the user.

The financial institutions from which the financial information is gathered object to this practice: http://www.reuters.com/article/us-column-weston-banks-idUSKCN0SY2GC20151109

I wonder if the financial aggregators are violating US law with this practice.

Daniel • July 13, 2016 1:56 PM

@Eric

Serious question: without a ruling like this, how should companies protect their access?

In my view the heart of this debate is a difference of opinion on what it means to have access/authorization. You say that the company withdrew access and in one sense that is true, it withdrew access in a formal sense. In another sense it did not withdraw access because the passwords still worked to allow people to get into an account.

So the debate then boils down to a debate to what a company has to do to prevent access before a crime is committed. In the eyes of the court, it is simply enough for the company to waggle its finger and go "no no no" at a person and if that person accesses the computer anyway its a crime. In the eyes of others however, this is much too company friendly. If a company wants to stop people from accessing the account it has an much more direct option than finger waggling--it can simply ban the account. In my view that is what withdrawing access should mean, the company banned the account. If the company hasn't actually banned the account then it has no basis to complain about unauthorized access....at least in the situation where password swapping is concerned.

Richard Smith • July 13, 2016 2:05 PM

If this prohibition is real, this would seem to interfere with the business model of "Quicken Loans" which is reported to ask for your bank password as part of their online approval process. That sounded like a really bad idea to me, although of course you could probably change it after they're done scanning it.

im cornered • July 13, 2016 2:13 PM

WAR IS PEACE
FREEDOM IS SLAVERY
IGNORANCE IS STRENGTH
DOWN WITH BIG BROTHER

Jan Willem • July 13, 2016 2:22 PM

In this situation I agree with the judge. You as an employee are given access, and not somebody else. It is the system of a company, and that company determines who should get access to its data or apps. They can't put a guard behind every employee, so they trust that you use your key with care.
It is different when you give the password of your bank account to your wife, husband, boyfriend or whomever you want, because it is your own money which is at stake, not the money of the bank.
In a large organisation here in the Netherlands there was once a problem with a system and the system admin was not in the office; he gave his password to someone else to solve the problem. Both were fired and I think that was correct. The system admin was checked for his credentials; the other guy was not.

Daniel • July 13, 2016 2:44 PM

@Jan

"They can't put a guard behind every employee; so they trust that you use your key with care."

Oh those poor companies! I admit that my heart bleeds for them. It must be such a struggle to find trustworthy employees while only paying $8 an hour. We must do something to stop this terrible reality. I know, rather than increasing wages and offering better benefits, what we can do is, if they share their password with anyone, we will put the person they shared the password with into prison. That'll teach 'em.

Trey • July 13, 2016 2:55 PM

It's not a terrible ruling. It's an accurate ruling on a terrible law. The courts can't make up new law because the law is terrible. They just have the responsibility of applying what the law says to real life.

65535 • July 13, 2016 4:47 PM

@ um?
“Sorry Officer, it would be a crime for me to give you that password.”

Good point. This would seem to negate police and the TSA [plus others] from accessing your account without a proper court order.

The problem in this situation is the “court” legislating from the bench. Another problem is jurisdiction. This is a can of worms.

Can a Netflix user share passwords with somebody outside of the 9th district court area? Is this decision retroactive? When can it be enforced and how? Can this case be run up the ladder to the Supreme Court?

blake • July 13, 2016 5:51 PM

Sorry, website. I do not authorise you to access other 3rd party websites from my machine.

Okay, now to find a website that uses cross-site requests, sue them for initiating unauthorised access to my machine, and cash in on the implications of this new ruling.

Jordan • July 13, 2016 9:44 PM

With respect to the case in point... I haven't looked at the original materials, but based on what's written here and on Snopes, it seems straightforward.

Let's move to the real world.

Employee A's employment was terminated. He had to return his keys to the building.
Employee B lent his keys to A.
A entered the building.

Isn't this straightforwardly trespassing?

In the real world, if I give you a key to my house, there's some level of implicit permission to enter my house. If I then tell you not to, *even if I don't get the key back and don't change the locks*, and you again enter my house, that too is straightforwardly trespassing.

I don't think there's anything deeply wrong here. It's unauthorized access, and in the real world that's a crime.

With respect to Netflix... their TOS says "for your personal and non-commercial use only"... I'd be willing to extend that to a household, but beyond that I'd call it theft of services or, in current terminology, piracy.

curious • July 14, 2016 3:56 AM

Slightly off topic but WHY are there 85 year old judges still in function in the US?

Curious • July 14, 2016 4:57 AM

@Jordan

"Isn't this straightforwardly trespassing?"
(About someone having second hand access to something, as I understand it.)

Trespassing as an idea would be (ought to be) different from the idea of something being deemed criminal, because they would be two different aspects, I think, of a subject like "trespassing". One aspect pertains to "behavior" (trespassing as an idea within a "legal" framework, more categorical and less objective, conceptual and non-referential), and the other to the evident action (trespassing as a phenomenon in the world, more objective, referring back to real things).

There is also the subjective/objective dichotomy, I guess (thought of as being mutually exclusive things): you yourself might have an opinion about some particular set of circumstances pertaining to an instance of trespassing (more idiotic), and culture/institutions might have a different opinion (more authoritative).

So, I think the general idea of "trespassing" would necessarily have to be different from the idea of "punishable crime", and any third layer to this, with, say, an idea of treating any case of trespassing as being subject to sanctions (anything really), would probably just be something pragmatic in order to try to work within a legal framework (or abuse it), and (with a modest amount of cynicism) not be something based on a principled understanding, as if "trespassing" as such were an observable "thing" in the real world.

I also think that 'trespassing' could easily become a word used for things one normally wouldn't use "trespassing" for, like resting one's hand on someone else's body part.

The word 'trespassing' is not so much a fact of reality as something functioning as an accusation, I think. Alternatively, 'trespassing' can take on a metaphorical meaning by which "trespassing" becomes a negatively charged word that works by relying on conceptual metaphors (simply pretending something is wrong, illegal, or criminal), in which one associates the word trespassing with something criminal or otherwise something deemed a bad and/or wrongful thing.

All in all, this in turn makes me think of 'logocentrism', something I haven't really read directly about until now, but I suspect it might offer anyone an alternate explanation of the meaning of words in language, with 'words' being nothing but 'names' that are used habitually or by convenience.

I think 'trespassing' is as meaningful (or meaningless) a word as the word 'privacy'. The words would be important in various ways, and it sort of depends on BOTH one's understanding of life/reality in general AND the arguments in which such words are used, but never one or the other.

Yet, it is not so much that the meaning of things is strictly relativistic to people's point of view (their arguments), but that meaning about things can be said to come about from culture (broadly speaking), and also, that institutionalized thinking probably gets away with being authoritative, because a lot of people simply are employed in various ways to enforce the practices of institutionalized authorities.

paul • July 14, 2016 8:56 AM

So what does this decision do to security researchers checking whether information is exposed via obfuscated but non-passworded URLs? They know that the company hosting the information doesn't want them to access (that part of) the site, but they're doing it anyway.

Once you define "unauthorized" as "something the owner doesn't want you to do" rather than "something the owner has taken positive steps to prevent you from doing" then the concept is almost infinitely expandable. Sure, no judge would rule that way. Until they do.

Andrew Sherman • July 14, 2016 9:30 AM

One thing that makes this case different from Netflix, at least on the surface, is that the owner of the database DID take affirmative action to deny access to the former employee by revoking his or her credentials at the time of separation. Therefore the current employee didn't really have the authority to authorize usage by the ex-employee.

Whether or not that is properly the subject of criminal or civil law is a different discussion, but the case is quite different from family sharing of Netflix or financial accounts.

Sofa • July 14, 2016 10:57 AM

I don't understand why Bruce is promoting this case this way.

If I am legally given the password by a relative/friend/boss then I am acting as an agent for that person with consent to access the network on their behalf.

This case is about accessing a network without consent and NOT as an agent for the master account holder.

If you don't have consent it is no longer password sharing but password stealing/theft/hacking. The two actions are mutually exclusive: you cannot both share and steal a password simultaneously. Either you have permission (sharing) or you don't (stealing/theft/hacking).

IANAL so what part of agency law and theory am I misinterpreting here with my rudimentary understanding of the law?

John Faughnan • July 14, 2016 11:07 AM

I'm writing a book on supporting special needs children and adults as they move to independence using smartphones as a support tool (http://www.sphone4all.com/).

The essence of this support is being able to use their credentials to manage email, messaging, calendars, notes, facebook and so on. Only the most independent Explorers have knowledge of their own credentials much less independent use.

This is an astoundingly poorly structured decision. I'm looking forward to my time in federal penitentiary.

Bob • July 14, 2016 2:59 PM

@paul

"So what does this decision do to security researchers checking whether information is exposed via obfuscated but non-passworded URLs? They know that the company hosting the information doesn't want them to access (that part of) the site, but they're doing it anyway."

You mean like they did with weev?

Sweating_in_Brazil • July 14, 2016 2:59 PM

Alright. Wife uses Husband-approved banking account. Now there's a felon [wife] and a co-conspirator [husband]. Children institutionalized as parents serve time.

Great! So much for Justice.

LolaFTP • July 15, 2016 6:55 AM

@Sweating_in_Brazil Pursuant to your train of thought, what about military spouses? They usually have to access their servicemember's accounts to pay for bills etc. Are these people all criminals for doing so?

Note that I see ways around this such as joint accounts and the servicemember setting up autopay on all bills.

Also, we can generalize the affected group to include anyone who works at any job with abnormal hours in which they have sporadic access to cellphones or PCs.

Anon • July 15, 2016 9:40 AM

I'm surprised more companies don't include a clause in the contract between the company and employee that explicitly states that they are not permitted to share their credentials with anyone. That immediately deals with an employee sharing credentials with ex-employees (for example).

JBu92 • July 15, 2016 8:44 PM

I think that the thing people are missing here is the "with intent to defraud." This phrasing is what differentiates this sort of obviously illegal activity from sharing your bank password with your wife (as is one of the examples floating around), and to an extent the act of sharing the password for a paid service (this is more of a grey area, however is covered by later language in the same provision - "unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period").

This language means that this ruling simply does not apply to the day-to-day sharing of credentials. Given that context, I don't know anyone that would consider the use of someone else's credentials to access a restricted system (whether freely given by the authorized user or not), with the intent to commit fraud, an okay thing to do.

Curious • July 17, 2016 4:21 AM

I am not sure if JBu92 perhaps misspelled anything or not, though I am not convinced that the phrase "with intent to defraud" is necessarily very meaningful, because "with intent to defraud" seems to rely on two elements of what I like to call 'prescriptive' words: "intent" and "defraud" (think something authoritative, and, as if working only within a legal framework).

This particular phrase as a whole sounds more like an accusation than anything else. The phrase could have been referencing back to 'an intent' (instead of just 'intent'), but it doesn't.

One problem is that "defraud" seems like a conceptual idea and not a reference to something real, probably being a reference of sorts to the idea of someone willfully selecting and targeting someone else in a way that is thought of as being fraudulent behavior (whatever "fraud" entails). So I am inclined to think that 'defraud' here probably doesn't refer to a real event, but is instead accusatory, as if being an element of something criminal where things are deemed worse if a crime has been premeditated, as if planned.

The other problem I have with this is that "with intent to defraud" seems something like a tautological statement to me, because of how the meanings of both 'intent' and 'defraud' end up being similar, obviously referring to an understanding of someone's intent.

I think such a phrase in this exact form is unfortunate, because I can only imagine two uses in a strictly meaningful way: one being a generalized problem, in which the crudeness of the statement wouldn't work in a legal framework (because it wouldn't be entirely clear what the accusation is: is it about fraud or premeditation or both?), or, as a specific statement in a legal framework, that functions like an accusation against somebody, not only *about* having planned fraud (but not quite), but also *about* having committed fraud (but perhaps not quite).

If criminalizing intent, generally speaking, I suspect a prosecution could accuse someone *based on* evidence of fraudulent behavior (something authoritative, and not necessarily reflecting reality if being imaginative) and then try to criminalize someone's expressed or suspected intent, even if something is thought of as merely being planned, but not acted on, OR, a prosecution could accuse someone of having an intent to commit a crime, maybe based on an imaginative understanding of someone else's expressed intent.

The phrase "with intent to defraud" sounds as dubious to me as something else I commented on previously on this blog: the idea/notion of "having discretion". Both are about intent and choice, but not really about anything. I haven't checked, and I wonder if maybe FBI Comey ever used the phrase "with intent to defraud" at any time vs Hillary Clinton, maybe in a negative and apologetic way, like "not with intent to defraud"? I can at least imagine that by clouding an accusation this way, one can easily refute it once it becomes a *self-reflexive* question regarding someone else's morals and goodwill ("Is Hillary Clinton just a criminal? Nah"), because it then is not about what is possible, or evident, but more about wishful thinking again.

Curious • July 17, 2016 4:33 AM

To add to what I wrote above:

I think *if* FBI Comey did something which I described just above, he ought to be fired, at least, for being deceptive to law enforcement or for being incompetent in the way he expressed himself.

r • July 17, 2016 5:57 AM

@Curious,

I feel what you're saying I think, but I don't think it applies in this case.

Specifically, "intent to defraud" is generally a financial term, the way I understand it.
Furthermore, it is not exclusive in its use against the phrase...

This is an instance of "access fraud" "with the intent to defraud" by stealing said company's clients.

It is most definitely access fraud, with a major financial motivation.

r • July 17, 2016 6:02 AM

@Curious, all

The next question would be,

Can the same rule be applied to someone who tries to log in to a system in the same office with someone else's credentials?

What are the networking aspects required of this to make it federal?

Are all networks federal?

Is it really as I suspected: is it because of the commerce clause, and why?

What if said company only sells hot dogs made in New York to New York?
This is what I'm curious about; we already know selling hot dogs would be vulnerable to the commerce clause because hot dogs 'are interstate commerce', so you'd be vulnerable,

(They may not be a good example)

But I hope you guys see what I'm getting at here.

Curious • July 17, 2016 6:29 AM

@r

"I feel what you're saying I think, but I don't think it applies in this case."
I don't know what that means, and I don't understand what the point of that might be.

The problem with 'words' is that they often don't just work like words, but also work like *names*, with names being this thing in our reality that makes ideas great, either for remembering them or for understanding them (for better and for worse), disregarding any specific context. That is why I often find language problematic, because the use of language stirs up emotion in people, and whenever one has to guess at what something means, it would be unfortunate if one is all too happy extrapolating meaning to suit one's own points of view.

"Specifically, "intent to defraud" is generally a financial term (...)"
I also don't know what this means. The words "a financial term" are surely already something generalized, so I find no point in what you wrote here, and so I don't understand what you mean even when you say "the way I understand it".

"This is an instance of "access fraud" "with the intent to defraud" by stealing said companies clients."
I think insofar as one generalizes to make a problem about something, you can do no wrong here alluding to things that otherwise aren't explicitly pointed out, though it leads to another problem of not really understanding what you might have meant when being unclear about things.

"It is most definately access fraud, with a major financial motivation."
Says who? You? As if definitely?

I find it overly difficult following your line of reasoning here.

r • July 17, 2016 6:56 AM

Here, to save myself a headache explaining all this because I don't think I'm equipped or capable to compete with your challenge (currently, or likely ever).

http://fortune.com/2016/07/10/sharing-netflix-password-crime/

I'm pretty sure that the motherboard article is not the one I saw originally and in my defense, it sounds very alarmist (possibly with good reason).

But please, look at the circumstances of this case.

r • July 17, 2016 7:14 AM

@Curious,

The Washington Post article is the original one I saw. I have issues with the ruling too, but I don't really see it as being outrageous, especially if the requirement of damages > $5000 is accurate.

It's pretty clear cut that the ex-employees, after having their permissions revoked (see Brekka reference), were committing access fraud.

There are previous rulings that "access" is non-transferable. (see: "your" account and "your" password, pretty obvious if you ask me. (which you didn't.))

Their intent was to defraud financially. (this is a point you are having trouble with, why?)

Does it matter how they got into the system after they were disallowed? (This is the question about the 'hacking statute of CFAA') (Keylogger? Conspiracy?? Brute Force???)

I don't believe that it does; all three are "access fraud" if you use someone else's password to log in.

r • July 17, 2016 8:25 AM

@Curious,

There are problems with "access fraud", as you're alluding to also.
Take jail-breaking, rooting, or geohot's "access" to the PlayStation 3's signing keys via the subsystem.

Those are not "intended access", so I understand the call for clarification, but I'm not really sure this is the case to be doing it with.

In the case of geohot, anyone using the signing keys would be trespassing in the PS3 subsystem "fraudulently".

Phil • July 21, 2016 5:13 AM

It would be about password sharing if the current employee whose credentials were used was also convicted as an accomplice, which is not the case.

The only defendant here is the ex-employee who hacked into his former employer's servers with the intent to get a copy of their client database for the competitor he was creating.

This case is all about having been explicitly denied access (he was an ex-employee and his credentials had been revoked) and impersonating someone else to gain access fraudulently.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.