Two federal judges have ruled that it’s illegal to circumvent a company or employer’s computer security by sharing passwords or access to its data. That ruling—and all its potentially terrifying implications for the HBO Go password your buddy’s been letting you “borrow” since 2014—falls under the auspices of the Computer Fraud And Abuse Act, once described by The New Yorker as “The Worst Law In Technology.” The law states that it’s a crime for computer users to either have “accessed a computer without authorization or exceeding authorized access,” provided that that computer is involved in interstate communication—a.k.a., pretty much every computer hooked up to the internet.
In the case of the case in question, United States v. Nosal, those violations took the form of corporate headhunter David Nosal convincing a former co-worker to give him access to a company’s database after he had already left. Nosal’s case has bounced all over the U.S. legal system, with both the government, and Nosal’s attorneys, appealing whenever a ruling goes against them. That’s what happened earlier this week, when two judges upheld the government’s claim that Nosal had violated the law by acquiring access to the system, counter to the company’s clear desires to keep him out by establishing security systems like a password.
Circuit Judge Stephen Reinhardt disagreed with his colleagues, though, writing a dissenting opinion on the case in which he addressed the wider concerns inherent to broadening the CFAA’s scope. “This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it. In my view, the Computer Fraud and Abuse Act (‘CFAA’) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”
To be clear: Netflix probably isn’t going to kick down your door for sharing your password with your family and friends. Like HBO, the company has expressed straightforward approval for people going halvesies, thirdsies, or even sixthsies on an account. (To quote CEO Reed Hastings: “We love people sharing Netflix.”) The danger comes in the widening power of the CFAA—originally designed to combat hacking—and the potential for these new powers to be abused. (Another judge cited exactly those concerns several years ago, when he ruled that the law couldn’t be invoked to prosecute people who violated Myspace’s terms of service in a high-profile and tragic cyberbullying case.)