Court Ruling Could Lead to Stricter Password-Sharing Laws in the Future

[MacRumors]

Earlier this month a federal appeals court decided that an employee "acted without authorization" after he used a former co-worker's password login without their permission, in order to gain access to a collection of their data. Concerning the case The United States of America v. David Nosal, this has led to a decision by the court to rule that password sharing is a federal crime under the Computer Fraud and Abuse Act, meaning that sharing your login among friends and family for accounts like Netflix and HBO Go could now be an illegal act (via TechCrunch).

Judge McKeown, who is close to the case and wrote its opinion, admitted that more innocent forms of password sharing "bears little resemblance" to the circumstances presented in the lawsuit that ignited the ruling. McKeown urged future judges and courts to consider how important "facts and context" are to each case, and craft rulings surrounding password-sharing lawsuits and their legality from there.

While the daily sharing of passwords has yet to be designated as a violation of federal law, some do see the new ruling as a slippery slope to a future where giving a friend your HBO Go login could land you in a heap of trouble. Judge Reinhardt took the dissenting opinion on the case, commenting that while David Nosal may have gotten into "criminal or civil" liabilities while logging into his co-worker's accounts, "he has not violated the CFAA."

This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act ("CFAA") does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA. -- Judge Stephen Reinhardt, Ninth Circuit Court of Appeals

An act so widely perpetrated is far less likely to incur major legal repercussions, even if it does become enacted on more of a wider scale, but there is still a possibility for the federal appeals court's decision to let companies decide on their own whether password sharing should be more strictly reprimanded or not. Comments by Netflix earlier this year at CES suggest the company won't be heading in that direction any time soon, as CEO Reed Hastings saw the expansive sharing of their services as "a positive thing."

Article Link: Court Ruling Could Lead to Stricter Password-Sharing Laws in the Future

 

[Glassed Silver]

That law shows very well how lobbying works under the radar.
Ah, it's just there to protect you! Except, when you actively share a password, at worst you're stupid, but at best it's intentional and with someone you trust with whatever the password unlocks.

Thank companies like Netflix for this mess existing.
This has nothing to do with security.
Might as well ban lending your car.
I mean, they could open the trunk with the key!!!! And who knows what you put in there!!!

Glassed Silver:mac

 

[12vElectronics]

I think this type of court case will never affect Netflix/Hulu etc.

 

[tann]

"I didn't give them my login, I logged in myself!"

Could this save someone? Or have I misunderstood.

 

[maflynn]

My company has a strict no sharing of passwords, yet in my job, in supporting the users, its quite evident that they still do. I think its a mindset that will be very hard to break.

 

[rdlink]

My company has a strict no sharing of passwords, yet in my job, in supporting the users, its quite evident that they still do. I think its a mindset that will be very hard to break.

We have had a long standing policy whereby if an IT person becomes aware that someone has shared their password, including with us we are to change it immediately, and set their account so that they are forced to change it again when they next log in. We can be terminated if we fail to do it.

 

[TurboPGT!]

I find it interesting how the article has absolutely NOTHING to do with Netflix, yet there it is as the center piece image, and gets a mention in the article.

Do people really share Netflix login information that much?? I know I've done this in the past, but I cut people off when Netflix started getting heavy handed about it, and I couldn't watch something when I wanted to.

Just find it interesting that its still so common. Seriously people, if you use the service, PAY for it. It's a drop in the bucket every month compared to the value it brings.

 

[EricTheHalfBee]

Good. If you share your details for a streaming service or online game then you are committing fraud. Plain and simple.

 

[KoolAid-Drink]

Really silly. Says a lot about how in America, it's all about the money at the expense of loss of personal freedom/decision.

 

[JRobinsonJr]

Really silly. Says a lot about how in America, it's all about the money at the expense of loss of personal freedom/decision.

Good. If you share your details for a streaming service or online game then you are committing fraud. Plain and simple.

I don't see this as either extreme. The reality is that some services (eg. cable ID based) are intended and priced for a single user/household, and it is not unreasonable for the provider to ask that you not expand usage beyond that audience. Other services (eg. Netflix) are priced for multiple users and can be used in that context. For example, I pay for the 4-stream 'family' plan on Netflix, and have no problem sharing that login within the family. Either way it is both reasonable and fair for the providers to ask that you respect the intent.

 

[oneMadRssn]

Good. If you share your details for a streaming service or online game then you are committing fraud. Plain and simple.

What fraud? At very worst it's a simple breach of contract.

 

[MikhailT]

Really silly. Says a lot about how in America, it's all about the money at the expense of loss of personal freedom/decision.

No, it isn't silly. What's silly is you turning this into some kind of freedom issue when it has nothing to do with it, especially since it doesn't impact the owner or the user. In addition, this case doesn't apply to everyone either, nor does it apply to Netflix. No federal laws has been established to rule password sharing is explicitly illegal _in all cases_. Netflix can say that you're allowed to share credentials but at the same time, they can also say it is not allowed and they can stop offering you the service if they find that you're breaching the contract. You, as a user, agreed to a contract that says you're the only one authorized to use the service.

In fact, Netflix and other services lose money each time a person watch a stream, so the fact that sharing credentials means that more users would be watching the same content at the same time means they lose money. Therefore, this isn't silly at all to limit the service to the authorized users. You do not own the content on Netflix.

If you want to share stuff, put it on your private network and share it with your friends and family members. You do not have the right to do the same thing on someone's else network that they have to pay for.

Also, in this specific case, the employee does not have any rights to the content nor do they own the computers. At work, you are not entitled to anything, everything you do is under the authorization of the company. The court said that the persons exceeded their authority and thus, they didn't have the right to download these company-owned docs to their personal computers.

 

[EricTheHalfBee]

What fraud? At very worst it's a simple breach of contract.

If you and some buddies, who aren't family, sign up for Spotify and split the family plan pricing between you, then it's fraud. Your intent is to avoid paying for a single user subscription by "pretending" you're family and at the same address.

 

[oneMadRssn]

If you and some buddies, who aren't family, sign up for Spotify and split the family plan pricing between you, then it's fraud. Your intent is to avoid paying for a single user subscription by "pretending" you're family and at the same address.

First, what you described would be against Spotify's Family Plan Terms and Conditions. This is a contract of adhesion essentially, and on point it only says "All account holders must reside at the same address to be eligible for the Spotify Family Plan." So it doesn't actually define family, nor require any lineal or blood relationship. In theory, a bunch of guys living in a frat house with a Spotify family account would not be a breach of this contract. Interestingly, Spotify's larger general Terms and Conditions do not address this at all.

Either way, if people were to do what you described above, it would be a violation of this contract. Spotify's Terms and Conditions discuss breach in a few sections. So Spotify does contemplate and foresee that some users will breach the contract. Should Spotify want, when they become aware of this breach, they can do a number of things including cancelling the contract and deleting the account. This is, simply, a breach of contract. Nothing more. As a party to a contract, you are allowed to breach it and suffer the consequences.

Second, your example fails as it isn't even an example of sharing login information. With Spotify family, each user uses their own login and password and otherwise keeps a wholly separate account. Being in the family plan just means one of the users is responsible for billing.

 

[EricTheHalfBee]

First, what you described would be against Spotify's Family Plan Terms and Conditions. This is a contract of adhesion essentially, and on point it only says "All account holders must reside at the same address to be eligible for the Spotify Family Plan." So it doesn't actually define family, nor require any lineal or blood relationship. In theory, a bunch of guys living in a frat house with a Spotify family account would not be a breach of this contract. Interestingly, Spotify's larger general Terms and Conditions do not address this at all.

Either way, if people were to do what you described above, it would be a violation of this contract. Spotify's Terms and Conditions discuss breach in a few sections. So Spotify does contemplate and foresee that some users will breach the contract. Should Spotify want, when they become aware of this breach, they can do a number of things including cancelling the contract and deleting the account. This is, simply, a breach of contract. Nothing more. As a party to a contract, you are allowed to breach it and suffer the consequences.

Second, your example fails as it isn't even an example of sharing login information. With Spotify family, each user uses their own login and password and otherwise keeps a wholly separate account. Being in the family plan just means one of the users is responsible for billing.

The intent is the same. To share a single account by several people in order to avoid paying full price.

 

[oneMadRssn]

The intent is the same. To share a single account by several people in order to avoid paying full price.

No, it's not sharing a single account. It's 6 distinct accounts. Spotify allows 6 people to each have a premium accounts for one monthly payment. It's allowed, it's advertised. It's not 2 or more people that are pretending to be one 1 person. It's 6 people being 6 people, exactly as contemplated by Spotify.

 

[rolsskk]

Gotta love the MR Clickbait Sensationalist conclusion. This has absolutely no bearing on Netflix/HBO, etc. This dealing with security at a company, not with any of those streaming services. Heck, you guys even have this in your article:

Judge McKeown, who is close to the case and wrote its opinion, admitted that more innocent forms of password sharing "bears little resemblance" to the circumstances presented in the lawsuit that ignited the ruling. McKeown urged future judges and courts to consider how important "facts and context" are to each case, and craft rulings surrounding password-sharing lawsuits and their legality from there.

 

[EricTheHalfBee]

No, it's not sharing a single account. It's 6 distinct accounts. Spotify allows 6 people to each have a premium accounts for one monthly payment. It's allowed, it's advertised. It's not 2 or more people that are pretending to be one 1 person. It's 6 people being 6 people, exactly as contemplated by Spotify.

Stop being pedantic. Sharing multiple accounts under a family plan or using a single account and sharing logins are both fraud, with the intent to get more people using a service without paying the full price individually.

 

[lederermc]

The fact that Netflix allows multiple Queues/profiles is a clue that sharing a Netflix password is sanctioned. The media is negligent in spewing this garbage.

 

[Analog Kid]

Stop being pedantic. Sharing multiple accounts under a family plan or using a single account and sharing logins are both fraud, with the intent to get more people using a service without paying the full price individually.

Law is nothing if not pedantic...

 

[rolsskk]

The fact that Netflix allows multiple Queues/profiles is a clue that sharing a Netflix password is sanctioned. The media is negligent in spewing this garbage.

Don't be silly, it's clear that profiles are meant for people under one roof. Not for Jimmy in Montana and Susan in Arkansas to use, while Bob in Arizona is the one who's paying the bill.

Additionally, it's MR spewing the garbage, I've not seen anyone else repeating this sky is falling nonsense.

 

[vooke]

The law makes perfect sense. 'Intent to defraud' ofttimes lead to fraud and loss of income.

 

[sudo1996]

LOL. I remember when I put the password to my own Facebook account (which had a fake name) on its wall after I found out that Facebook wouldn't let me close my account unless I got banned.

 

[shareef777]

Brace yourselves, incoming 'lawyers' are about to arrive.

 

[sudo1996]

Gotta love the MR Clickbait Sensationalist conclusion. This has absolutely no bearing on Netflix/HBO, etc. This dealing with security at a company, not with any of those streaming services. Heck, you guys even have this in your article:

Yeah... I'm moving on. Gotta find something else to read while I wait for disk I/O benchmarks to run.