When is sharing a password a federal crime? And when isn’t it?

By Carole McNall

Korn-Ferry_Hay-Group.jpgI glanced at the sexy headline: Sharing your Netflix password is now a federal crime, court rules.

Intrigued, I read the story. Then I read the court case, United States v. Nosal.

I discovered, within a page and a half, that the headline writer had created his or her own legal precedent. The blunt statement that made a sexy headline was far less nuanced and far more definitive than the actual decision.

The story I read was bylined, which I always take to mean a reporter actually does something to gather the information. But for many reporters, “gathering information” for this story seemed to mean finding it on another website and doing a little rewrite.

So let me offer some context for evaluating the sexy headline.

Who was sharing passwords and why? The password sharing happened when David Nosal and two others decided to leave the executive search firm Korn/Ferry. Before they left, they began downloading information from Korn/Ferry’s confidential database of search candidates. Even after their access to the system was revoked, they continued downloading, using the freely given password of someone still working at Korn/Ferry.

The firm emphasized the confidentiality of the database through messages ranging from a required agreement for all new employees to a pop-up message every time someone did a custom search.

Eventually, Korn/Ferry discovered the access and criminal charges were filed. This month’s decision was the second appeal of Nosal’s conviction on those charges to the Ninth Circuit Court of Appeals.

OK, there’s the federal crime. But what law did they violate?

Nosal and the others were charged with violations of the 1986 Computer Fraud and Abuse Act. (They were also charged with violating another federal law, but it’s not pertinent here.)

The CFAA includes a provision making it illegal “knowingly and with intent to defraud” to access a protected computer without authorization or in excess of authorization the user had received. The statute doesn’t define what it would mean to have no authorization or to have exceeded authorization.

If the statute doesn’t define “authorization,” who created the definition? Federal courts, for the most part. Justice M. Margaret McKeown, who wrote the majority decision, noted most circuit courts agree on the meaning: “accessing a protected computer without permission.”

But who has the authority to give that permission? Dissenting Justice Stephen Reinhardt sees that as a major question here. He believes the employee who shared her password effectively provided permission. The majority disagrees.

Is this case about casual password sharing? Justice McKeown rejects the idea. For her, the case is about accessing a protected computer after an affirmative action: the employer telling a former employee his password has been revoked. For Justice Reinhardt, this decision threatens to turn casual password sharing (think Netflix) into a federal crime, something he says Congress clearly did not intend.

Consider again the law’s age. When the CFAA was first passed, no one worried about sharing passwords for services we hadn’t even conceived of.

Lawyerly observation here: This case involves accessing a workplace computer. I suspect that would become an important distinction. Workplace computers, especially ones which contain confidential information, and entertainment services are not likely to be seen as fully equivalent. As Justice McKeown writes, “…facts and context matter in applying the term ‘without authorization.’”

netflix_logoLawyerly observation no. 2: Korn/Ferry made it clear unauthorized users were not welcome to access their computer. Netflix suggests not sharing passwords, but in language which sounds more like a “here is your best practice” advisory:

“… to maintain exclusive control, the Account Owner should not reveal the password to anyone. In addition, if the Account Owner wishes to prohibit others from contacting Netflix Customer Service and potentially altering the Account Owner’s control, the Account Owner should not reveal the Payment Method details …”

Would that put a Netflix user on notice that she or he absolutely could not reveal the account password? Would, for example, college students even think twice about giving their roommates the password to watch a movie they wanted to see?

Consider also the difference in damages. Nosal and the others were taking material Korn/Ferry had spent considerable time and effort developing. Someone sharing a Netflix password is making it easier to see a movie the account holder has paid for.

This isn’t the first time lawyers have collided over the CFAA’s terms. A federal judge actually overturned a conviction of a Missouri woman charged under the act in 2008. Lori Drew had created a fake profile on MySpace. Comments posted on that profile led to the suicide of a teenager. Because MySpace’s terms of service required users to give their real names, a federal prosecutor argued Drew had accessed its system without authorization and in excess of authorization.

A jury found Drew guilty only of a misdemeanor violation. The judge eventually threw out the verdict, explaining he was uncomfortable allowing a website’s terms of service to define criminal conduct.

Is Congress considering updating the law? Maybe. After the 2013 suicide of Aaron Swartz, also charged with CFAA violations, members of Congress introduced amendments to the law designed to clarify what “without authorization” might mean. Those changes have gone nowhere. The forecast moving forward remains bleak, given the general technological illiteracy of many members of Congress and their current inability to even agree on the simplest measures.

One more lawyerly observation: This ruling does not cover the entire United States. The story that started all this for me did indicate that it was a ruling of the Ninth Circuit Court of Appeals. It then merrily plowed along with language that made it sound as if the ruling applied nationally. It does not. The Ninth Circuit covers Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon and Washington. A court in, for example, New York might look at this ruling, but would not be bound to follow it.

And now, a journalistic observation: Court cases, like so many other stories, need context. When I was a working reporter, that was a slow process — you had to order a copy of the court decision, decipher the legalese and, if you remained confused, find a lawyer who might explain.

Today, you can likely get the court decision in under a minute, courtesy of Google. The Nosal decision, like many others, starts with a summary; this one was a page and a half long. It was written in clear English, something that has become increasingly common.

I’m not unsympathetic to the 2016 journalistic dilemma: Even more emphasis on speed and even less awareness of the need to give reporters time to do more than grabbing the low-hanging information fruit. But the same technology pushing newsrooms to go ever faster often makes it easier to find context.

Cutting and pasting someone else’s story will always remain faster. But organizations satisfied with that shouldn’t be surprised if their audiences find they, also, can go to the original story or, in this case, the court decision, and skip the stories of cut-and-paste folks.

Carole McNall, an attorney, is an assistant professor at St. Bonaventure University, where she teaches media and internet law.

1 reply »