By Amela Zukic
You can relax for now. Sharing your Netflix password probably won’t get you in trouble anytime soon, though you may have had some anxiety this past summer following the Ninth Circuit’s decision in United States v. Nosal, in which the appellate court, in a 2-1 decision, held that the sharing of passwords could be found to be a federal crime under the Computer Fraud and Abuse Act (CFAA). Social media went into a frenzy over the possible implications of the decision for the legality of sharing Netflix passwords. While this decision is unlikely to have an immediate effect on users of streaming services such as Netflix, HBO Go, Hulu, etc., the long-term repercussions remain unclear.
The CFAA, also known as the “worst law in technology,” renders unauthorized access of computers a federal crime. Under the CFAA, anyone who, “knowingly and with intent to defraud, accesses a protected computer without authorization” can be convicted. Yet, “unauthorized access” is not defined within the scope of the CFAA. This, therefore, leaves judges with the utmost discretion when interpreting the meaning of “unauthorized access.” The CFAA was initially drafted to criminalize the activities of hackers, but it is now increasingly being used to criminalize activities the public would consider normal – such as password sharing.
What’s more, Nosal wasn’t even about Netflix, despite all the headlines. It involved David Nosal, a former employee of Korn/Ferry International research firm, who used the login credentials of his former assistant to continue accessing the online database of his former firm. In the original 2012 decision, the Ninth Circuit ruled that Nosal did not violate the CFAA when he had two Korn/Ferry employees use their own credentials to download the firm’s information. This is because the employees simply used their own legitimate logins. However, the current case focused on Nosal asking a third employee to share her credentials. Hence the concern that the appellate court’s decision implicates the sharing of passwords.
In his dissent to the 2016 decision, Judge Reinhardt expressed his worry over the majority’s decision by writing, “[that] [t]he CFAA should not be interpreted to criminalize the ordinary conduct of millions of citizens applies equally strongly here… I would hold that consensual password sharing is not the kind of ‘hacking’ covered by the CFAA.” Luckily for users of streaming services, the executives of those companies seem to side with the dissent.
Netflix CEO Reed Hastings reassured users that they would not be forced into paying for their own account for now. During the company’s third-quarter earnings webcast, Hastings said: “In terms of [password sharing], no plans on making any changes there … password sharing is something you have to learn to live with, because there’s so much legitimate password sharing, like you sharing with your spouse, with your kids … so there’s no bright line, and we’re doing fine as is.” HBO’s President, Richard Plepler, also agreed with this stance, noting that sharing account information is a “terrific marketing vehicle.” The executives are thus focused on increasing profits. Of course, this could change at any time depending on the terms of service these companies put forth and the effect that password sharing continues to have on their bottom line. For now, the difficulty of enforcement and the potential to scare away future customers are enough for these streaming services to look the other way when it comes to password sharing.
While people probably overreacted following the decision this past summer, it was not without reason. With the court’s decision, the ambiguity of the CFAA, and the ability of streaming service providers to change their policies, users are not fully in the clear. Until the CFAA is amended, courts are likely to interpret it broadly without consensus, negatively affecting the public good.
For further information on the CFAA, see Orin S. Kerr’s article, Norms of Computer Trespass.