Court Ruling Could Lead to Stricter Password-Sharing Laws in the Future

[oneMadRssn]

Stop being pedantic. Sharing multiple accounts under a family plan or using a single account and sharing logins are both fraud, with the intent to get more people using a service without paying the full price individually.

You think lawyers or judges wouldn't be "pedantic" in this analysis? You keep asserting this is fraud without any analysis or support.

Fact 1: Spotify allows and advertises a way to have 6 people have premium accounts under one bill.
Fact 2: $15/month is the advertised "full" price of a family share account, that allows 6 accounts to have premium access.
Fact 3: Spotify does not define "family" in its terms and conditions.
Fact 4: Spotify terms and conditions say that "All members must reside at the same address."
Fact 5: Spotify terms and conditions anticipate that some users will breach various parts of the contract.
Fact 6: Spotify has no mechanism for checking whether all members reside at the same address, despite the fact that doing so on a token level would be quite easy. Spotify does not try to check whether all members reside at the same address.

My argument: Your assumption that the comparison is to all people paying for individual accounts of flawed. It is purely speculative that all 6 members of a family account would have paid the full price but for the existence of the family account. Thus, the assertion that Spotify is suffering a loss is purely speculative as well. I argue that the 6 members of a family account only agreed to the $15/month price, and would not pay otherwise. Thus, Spotify is actually getting more than it would otherwise. The facts above support this.

My other argument: You keep talking about "intent." What is Spotify's intent? As the facts above show, Spotify has no intent in enforcing the residency requirement. Indeed, according to every investor document and press release, Spotify only cares about premium subscriber numbers right now and pretty much nothing else.

 

[2010mini]

No, it isn't silly. What's silly is you turning this into some kind of freedom issue when it has nothing to do with it, especially since it doesn't impact the owner or the user. In addition, this case doesn't apply to everyone either, nor does it apply to Netflix. No federal laws has been established to rule password sharing is explicitly illegal _in all cases_. Netflix can say that you're allowed to share credentials but at the same time, they can also say it is not allowed and they can stop offering you the service if they find that you're breaching the contract. You, as a user, agreed to a contract that says you're the only one authorized to use the service.

In fact, Netflix and other services lose money each time a person watch a stream, so the fact that sharing credentials means that more users would be watching the same content at the same time means they lose money. Therefore, this isn't silly at all to limit the service to the authorized users. You do not own the content on Netflix.

If you want to share stuff, put it on your private network and share it with your friends and family members. You do not have the right to do the same thing on someone's else network that they have to pay for.

Also, in this specific case, the employee does not have any rights to the content nor do they own the computers. At work, you are not entitled to anything, everything you do is under the authorization of the company. The court said that the persons exceeded their authority and thus, they didn't have the right to download these company-owned docs to their personal computers.

For those who think this is a "rights" issue. Please read the bolded section.

 

[Waxhead138]

I don't see this as either extreme. The reality is that some services (eg. cable ID based) are intended and priced for a single user/household, and it is not unreasonable for the provider to ask that you not expand usage beyond that audience. Other services (eg. Netflix) are priced for multiple users and can be used in that context. For example, I pay for the 4-stream 'family' plan on Netflix, and have no problem sharing that login within the family. Either way it is both reasonable and fair for the providers to ask that you respect the intent.

You stated this point more succinctly than I could, so thanks. I'm also glad the judge that wrote the opinion of this case had the sense to share that he knew just now narrowly a decision like this could be interpreted in future application. As for the poster that mentioned sharing login info being fraud...while technically correct...it also opens up a door of ridiculous interpretation and application later on. For instance: I pay for a Netflix two screen plan...and have a roommate. The roommate does not my login info, but certainly uses my account to watch what he pleases when I'm not using the living room tv. Some would consider that fraud and demand he pay for his own account.

I know common sense mostly wins out in the example I just gave...but things can get narrowly interpreted quickly by some.

 

[Glassed Silver]

What fraud? At very worst it's a simple breach of contract.

Thou shall not insult the holy EULA, for it it is the Godsend that blesses you with what the honorable streaming service deems you are worth of receiving.

And don't watch DVDs with friends, unless every of your people posesses one themselves.

Fight the leechers or else your culture shall fall apart and the first to go are the holy publishers and studios.

God bless the EULA.

Glassed Silver:ios

 

[dwaltwhit]

i think that netflix and hulu et al would be well within their rights to protect their revenue streams. I think this is easily fixed with tiered pricing based on devices. Base membership includes 2 devices, plus is 4, premium is 6, family is 8 or whatever. When that additional device attempts to log in, a dialog comes up offering to upgrade for $x. These companies are in the content delivery business, not the free and easy transfer of knowledge business.They have costs like content acquisition and server upkeep. Why shouldn't they make more revenue on more people using their services?

 

[sbailey4]

An Man! So I can't go to Moms and login to my Netflix acct on her SmartTV and watch movies while there anymore without the FBI interrupting my movie, bummer! If I move back home so my address is the same as hers I guess it would be ok? Wait........... the FBI is not that interested in my Netflix password or where its used if they could care less about classified emails being available to anyone with no security clearance. Guess all is ok then!!

 

[Amazing Iceman]

That law shows very well how lobbying works under the radar.
Ah, it's just there to protect you! Except, when you actively share a password, at worst you're stupid, but at best it's intentional and with someone you trust with whatever the password unlocks.

Thank companies like Netflix for this mess existing.
This has nothing to do with security.
Might as well ban lending your car.
I mean, they could open the trunk with the key!!!! And who knows what you put in there!!!

Glassed Silver:mac

Yeah, remember what happen in "The 'Burbs" when someone opened the trunk of their car?
[doublepost=1468348398][/doublepost]

An Man! So I can't go to Moms and login to my Netflix acct on her SmartTV and watch movies while there anymore without the FBI interrupting my movie, bummer! If I move back home so my address is the same as hers I guess it would be ok? Wait........... the FBI is not that interested in my Netflix password or where its used if they could care less about classified emails being available to anyone with no security clearance. Guess all is ok then!!

They will put you and your Momma behind bars for watching a movie together.

 

[JRobinsonJr]

i think that netflix and hulu et al would be well within their rights to protect their revenue streams. I think this is easily fixed with tiered pricing based on devices. Base membership includes 2 devices, plus is 4, premium is 6, family is 8 or whatever. When that additional device attempts to log in, a dialog comes up offering to upgrade for $x. These companies are in the content delivery business, not the free and easy transfer of knowledge business.They have costs like content acquisition and server upkeep. Why shouldn't they make more revenue on more people using their services?

Ultraviolet does a variation of this but STILL permits the 'sharing' of content.

That said, the per-device model does not exactly align with real-world usage patterns. I live alone but have 2 smart TV's, 2 Apple TV devices, 2 iPads, 4 computers and an iPhone... each with the capability of logging into Netflix. The reality is that both Apple TV's, iPads and my phone are logged in and could thus count as a device. That's 5. Would I seriously need a 'family' plan just to watch Netflix when the reality is that I will - with very few exceptions - use only one device at a time?

Netflix solves this in a particularly good way using active streams. I can login to as many devices as I wish but am limited to a maximum number of concurrent streams.

Problem solved.

 

[macduke]

So could this make 1Password illegal?

I hope not. When you're married you have to share a crapload of passwords. Amazon, Netflix, Hulu, Dropbox, Angie's List, Verizon, HomeKit accessories such as the Ecobee, bank accounts, credit cards, investment accounts, mortgage, WiFi, local grocery orders, ISP account logins, tax prep logins, insurance logins—it just goes on and on!

 

[AlexH]

I think this type of court case will never affect Netflix/Hulu etc.

If there's money left on the table, never say never.

 

[tennisproha]

Fact of the matter is, it's usually prohibited in the T&C yet people do it anyway. Companies just haven't been cracking down.

 

[pokerplayer73]

i think that netflix and hulu et al would be well within their rights to protect their revenue streams. I think this is easily fixed with tiered pricing based on devices. Base membership includes 2 devices, plus is 4, premium is 6, family is 8 or whatever. When that additional device attempts to log in, a dialog comes up offering to upgrade for $x. These companies are in the content delivery business, not the free and easy transfer of knowledge business.They have costs like content acquisition and server upkeep. Why shouldn't they make more revenue on more people using their services?

The 2 device plan means 2 devices at the same time. does not state that they need to be under the same roof. PersonA can watch from 8-10 in Florida and PersonB can watch in Arizona at the same time. No issues there or atleast that they don't care right now. Only if there is a 3rd device used during this time period that there will be an issue.
I believe HBO or Time Warner CEO was asked about concurrent users/streams issue and he said that they know about it and they are okay with it. They can always start cracking down, but would probably notify the violating users before taking any action.

 

[milo]

The fact that Netflix allows multiple Queues/profiles is a clue that sharing a Netflix password is sanctioned. The media is negligent in spewing this garbage.

That's not what it's intended for. It's for multiple family members, who are allowed under the same account. We use multiple queues on a single device (now if they only added support on our Roku...).

 

[PinkyMacGodess]

That law shows very well how lobbying works under the radar.
Ah, it's just there to protect you! Except, when you actively share a password, at worst you're stupid, but at best it's intentional and with someone you trust with whatever the password unlocks.

Thank companies like Netflix for this mess existing.
This has nothing to do with security.
Might as well ban lending your car.
I mean, they could open the trunk with the key!!!! And who knows what you put in there!!!

Glassed Silver:mac

Yeah. What are these companies going to do? Start suing people dumb enough to have easy passwords? Dumb enough to rely on their 'loose lipped' kids for support? They can try. They can also see their business dry up faster than a banana in Death Valley...
[doublepost=1468358479][/doublepost]

The fact that Netflix allows multiple Queues/profiles is a clue that sharing a Netflix password is sanctioned. The media is negligent in spewing this garbage.

But imagine a day when your account is locked to one IP address, or one MAC address. That sounds like the bull crap TPM chips. (I still don't know anyone that uses the damned things. Talk about dancing with the devil. Your MB dies, and it's totally 'Bye Bye Data')

The support calls alone from befuddled users of those services would swamp whatever call centers they have. It would be a disaster!

 

[dwaltwhit]

Ultraviolet does a variation of this but STILL permits the 'sharing' of content.

That said, the per-device model does not exactly align with real-world usage patterns. I live alone but have 2 smart TV's, 2 Apple TV devices, 2 iPads, 4 computers and an iPhone... each with the capability of logging into Netflix. The reality is that both Apple TV's, iPads and my phone are logged in and could thus count as a device. That's 5. Would I seriously need a 'family' plan just to watch Netflix when the reality is that I will - with very few exceptions - use only one device at a time?

Netflix solves this in a particularly good way using active streams. I can login to as many devices as I wish but am limited to a maximum number of concurrent streams.

Problem solved.

My apologies for not making that clear. That's what I had in mind. I have a phone, ipad, laptop, desktop, work conputer, 2 apple tvs and my wife had a few devices too. I was thinking the concurrent streams. 2 streams vs 3 vs 4 etc.

 

[Sevendaymelee]

If I can share my DVDs and Blu-rays, I should be able to share my passwords as well. Anything less than that and I simply won't subscribe.

 

[Jaykob]

Isn't a password supposed to be like a key in the real world? Can I share my car or apartment keys with my family and friends or can a government forbid it? I don't think so.
Luckily I don't live in the US where a government / judge seriously considers something ridiculous like this. And if I would live there I would happily just give a sh**

 

[PinkyMacGodess]

Isn't a password supposed to be like a key in the real world? Can I share my car or apartment keys with my family and friends or can a government forbid it? I don't think so.
Luckily I don't live in the US where a government / judge seriously considers something ridiculous like this. And if I would live there I would happily just give a sh**

Ahh, but America (Land Of The Free) was the birthplace of the decomposing DVD discs*, and the idea of having CD and DVD drives 'brand' content discs to 'lock' them to that one device.

YES! That was an actual proposed bill in Congress, ladies and gentleman! Really!

In that day, you go to the local store and buy a physical CD, and can't wait to listen to the booty... You quickly unwrap the disc and pop it in your car player, and sit in bliss as the music envelops you. It's everything that you wanted, and more.

Excitedly, you wheel into the garage, and can't wait to get the disc out of the drive in your car to pop it into the player in the living room, as you call for your spouse/partner/whatever to come and be enraptured by the new tracks, only to get a message on your player 'CONTENTS NOT LICENSED TO PLAY ON THIS DEVICE'.

YES, music fan, you have screwed yourself. That disc has been kissed by the player in your car and from now on will only play in that device.

Think this is far fetched? Add in the need for everyone to purchase 'compliant' devices to play, and 'mark' that content, and you have spawned two huge industries. One to make the 'compliant devices' and the other of caffeine driven hackers trying to find a way around the bizarre and Byzantine scheme. But imagine the 'studios' and 'labels' rolling in the dough because you would have to buy a different disc for every player you own. No more reselling discs, no more sharing discs. They could even control the ripping of 'content' by refusing to allow computer accessory drive manufacture.

Land of the free?

BULL!!!

* The decomposing DVD's were the brain child of Circuit City, or someone tied to them. You open the pack, like opening gum, and the disc started to decompose. After a certain number of hours, the disc clouds up and you had better have hoped you watched it enough. Great idea, huh. I wondered if the disc 'rotted' faster in the heat and humidity of the deep south.

 

[jettredmont]

We have had a long standing policy whereby if an IT person becomes aware that someone has shared their password, including with us we are to change it immediately, and set their account so that they are forced to change it again when they next log in. We can be terminated if we fail to do it.

In my experience, the only reason people share passwords is that it is easier to get a password from a coworker than to go through the hoops necessary to get even temporary access to a resource through the legitimate channels.

If you are finding that this is an issue in your company, you should take that as a cue to revisit your authorization policies and make sure that most authorizations are very easy for a legitimate user to get (as well as logged etc).

This isn't really hard. Yet I see a lot of large companies doing it very very wrong. When my current company was a part of an international mega corporation, trying to get access to a shared drive took at least multiple days and often weeks, requiring busy-work "approvals" from managers up the requestor's chain and back down the system-owner's chain. This led to people setting up access tunnels and similar so they could share the contents of a "secured" drive with the people on their teams, etc. Now that we don't have a braindead IT organization to battle with, the process is much simpler: request access to an IT-managed resource and you have it within five minutes almost universally (only specific resources obviously need someone else's approval). No more tunnels, and no more password sharing.

 

[2457282]

I find it interesting how the article has absolutely NOTHING to do with Netflix, yet there it is as the center piece image, and gets a mention in the article.

Do people really share Netflix login information that much?? I know I've done this in the past, but I cut people off when Netflix started getting heavy handed about it, and I couldn't watch something when I wanted to.

Just find it interesting that its still so common. Seriously people, if you use the service, PAY for it. It's a drop in the bucket every month compared to the value it brings.

I logged my daughter into my Netflix account. By policy it says I can use my login on four devices. Currently I have two apple TV and an Ipad at home and the apple TV at my daughters. I don't think I have done anything wrong.

As to this case, my understanding is that it all boiled down to Section (a)(4) of the CFAA which makes liable anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value." IF Netflix, or anyone else, says that I can have up to x number of devices usings the same password, then as long as I do not exceed the number of devices, I have not exceeded my authorized access or done anything to defraud or otherwise obtain anything of value.

Let's hope the courts will clarify this.

 

[rhett7660]

My company has a strict no sharing of passwords, yet in my job, in supporting the users, its quite evident that they still do. I think its a mindset that will be very hard to break.

Yup mine too, heck if you are caught using someone password, whether they gave it to you to use or not, it is a fire able offense and it has happened on more than one occasion.

 

[jettredmont]

Isn't a password supposed to be like a key in the real world? Can I share my car or apartment keys with my family and friends or can a government forbid it? I don't think so.
Luckily I don't live in the US where a government / judge seriously considers something ridiculous like this. And if I would live there I would happily just give a sh**

Nothing in this ruling says otherwise. I think the MacRumors article above, along with the other media sources it cites, is misreading this. This is, in the words of the ruling, what this case is about:

Put simply, we are asked to decide whether the “without authorization” prohibition of the CFAA extends to a former employee whose computer access credentials have been rescinded but who, disregarding the revocation, accesses the computer by other means.

This is not about password sharing, but rather if authorization which is specifically rescinded, then "gotten around" by password sharing, is a violation of the CFAA.

Making it even clearer, the next paragraph:

Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing. Nor is it about violating a company’s internal computer-use policies. The conduct at issue is that of Nosal and his co-conspirators, which is covered by the
plain language of the statute. Nosal is charged with conspiring with former Korn/Ferry employees whose user accounts had been terminated, but who nonetheless accessed trade secrets in a proprietary database through the back door when the front door had been firmly closed. Nosal knowingly and with intent to defraud Korn/Ferry blatantly circumvented the affirmative revocation of his computer system access. This access falls squarely within the CFAA’s prohibition on access “without authorization,” and thus we affirm Nosal’s conviction for violations of § 1030(a)(4) of the CFAA.

"Affirmative revocation" is key to this case and is the reason why this ruling went the way it did in including CFAA. The affirmative revocation of access is what makes this fraudulent.

Later:

And, pertinent here, [the defendant's arguments] would remove from the scope of the CFAA any hacking conspiracy with an inside person. That surely was not Congress’s intent.

Remember: the Court's job is to follow the letter of the law, with the small gaps filled in by reasonable interpolation of Congress's intent in passing the law. Clearly Congress intended for an inside trade secrets divulging attack like this to be covered by the CFAA. It is not clear (and not discussed in this case other than in the "slippery slope" arguments made by the defendants) that Congress also intended to prohibit sharing of, ex, Netflix passwords etc.

At this point, this ruling has no pertinence to the situation which the defendants brought up. The law is still exactly what it was before; the ruling has just filled in the details on corporate insider hacking where authorization had been specifically revoked by the owner of the data.
[doublepost=1468437973][/doublepost]

i think that netflix and hulu et al would be well within their rights to protect their revenue streams. I think this is easily fixed with tiered pricing based on devices. Base membership includes 2 devices, plus is 4, premium is 6, family is 8 or whatever. When that additional device attempts to log in, a dialog comes up offering to upgrade for $x. These companies are in the content delivery business, not the free and easy transfer of knowledge business.They have costs like content acquisition and server upkeep. Why shouldn't they make more revenue on more people using their services?

Tiering is already available, in the form of simultaneous streams.

Hulu allows one (1!!!) stream at a time from an account. You can stream multiple "non-Plus" content streams, but only one subscribed content stream. This is why it is silly to pay for, ex, Showtime through Hulu (pay the same price directly to Showtime and you can stream to three devices at once). Hulu's "tiering" is "You want another stream? Subscribe again!" (which is user-hostile and insane, but whatever).

Netflix offers multiple tiers, based on the number of simultaneous streams. I believe the low-end offering is 2 simultaneous, and goes up from there.

Amazon Prime I believe has a hard cap of 3 simultaneous streams per account.

Cable providers, on the other hand, don't seem to have this type of coordination going on.

 

[mijail]

That law shows very well how lobbying works under the radar.
Ah, it's just there to protect you! Except, when you actively share a password, at worst you're stupid, but at best it's intentional and with someone you trust with whatever the password unlocks.

Thank companies like Netflix for this mess existing.
This has nothing to do with security.
Might as well ban lending your car.
I mean, they could open the trunk with the key!!!! And who knows what you put in there!!!

Glassed Silver:mac

Did you try reading the article? Netflix has nothing to do with the case.
[doublepost=1468482415][/doublepost]

No, it isn't silly. What's silly is you turning this into some kind of freedom issue when it has nothing to do with it, especially since it doesn't impact the owner or the user. In addition, this case doesn't apply to everyone either, nor does it apply to Netflix. No federal laws has been established to rule password sharing is explicitly illegal _in all cases_. "

Yep, but now we're suddenly close to that. And note that it's NOT the company but the government vs Nosal. No way that would ever end badly, right?
"EFF has filed three separate amicus briefs in this criminal case, explaining why the government’s repeatedly expansive interpretation of the Computer Fraud and Abuse Act (CFAA) threatens people engaging in innocent behavior with criminal liability."

"Netflix can say that you're allowed to share credentials but at the same time, they can also say it is not allowed and they can stop offering you the service if they find that you're breaching the contract. You, as a user, agreed to a contract that says you're the only one authorized to use the service.

And that's exactly why one of the judges dissented: something as changeable as that should not be basis for criminalizing anyone.

In fact, Netflix and other services lose money each time a person watch a stream, so the fact that sharing credentials means that more users would be watching the same content at the same time means they lose money. Therefore, this isn't silly at all to limit the service to the authorized users. You do not own the content on Netflix.

If you RTFA, you'll find this: "Comments by Netflix earlier this year at CES suggest the company won't be heading in that direction any time soon, as CEO Reed Hastings saw the expansive sharing of their services as "a positive thing.""

So the CEO of Netflix disagrees with you. Maybe they know that actually by allowing the sharing they get more users? (families, for example)

 

[Glassed Silver]

Did you try reading the article? Netflix has nothing to do with the case.
[doublepost=1468482415][/doublepost]

Yep, but now we're suddenly close to that. And note that it's NOT the company but the government vs Nosal. No way that would ever end badly, right?
"EFF has filed three separate amicus briefs in this criminal case, explaining why the government’s repeatedly expansive interpretation of the Computer Fraud and Abuse Act (CFAA) threatens people engaging in innocent behavior with criminal liability."



And that's exactly why one of the judges dissented: something as changeable as that should not be basis for criminalizing anyone.



If you RTFA, you'll find this: "Comments by Netflix earlier this year at CES suggest the company won't be heading in that direction any time soon, as CEO Reed Hastings saw the expansive sharing of their services as "a positive thing.""

So the CEO of Netflix disagrees with you. Maybe they know that actually by allowing the sharing they get more users? (families, for example)

You should look up the term salami tactics.
I did read the article, but I don't believe everything a CEO says just because.
If he's really not into this and his successors aren't as well, great, but then others might be.
And I'm still wondering why the **** the US needs such a ridiculous law, I see no good reasoning other than lobbying.
I'm really open to debate, but I just don't see it, many months after its introduction.

Glassed Silver:mac

 

[kiwipeso1]

I did the first mass video streaming event in 1993, and I don't use streaming services at all, as I prefer to download things rather than put up with inferior implementations of streaming.