Over the last week there has been a lot of fretting about a decision by the US Court of Appeals for the Ninth Circuit regarding a case in which a former employee gained access to his former employer’s proprietary database using a current employee’s password. A veritable who’s who of tech blogs have been spun up claiming that the decision makes it illegal to share your Netflix password.
In his dissenting opinion, Judge Stephen Reinhardt pointed out that the trouble with ambiguous phrases like “unauthorized access” is that they could be interpreted to criminalize the actions of millions of Americans who might share their Netflix passwords:
“The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”
Simply put, this is nonsense. In the case, David Nosal, a headhunter, left his employer to start a new firm, and brought several other employees along for the ride. Together, they used the password of a current employee of their former employer to access sensitive and proprietary data belonging to their former firm. This is, quite simply, hacking. Had they used a brute force attack to compromise their former employer’s data, it would be no different. As former employees, they simply were not allowed to access the system. Period.
I have my issues with many of our cybercrime laws. For instance, the defacement of a website is essentially the equivalent of spray painting your name on a building wall. In many ways it is actually less serious as it can typically be undone with a backup restore, and has almost zero cost associated with it. Compare that to the cost of having to hire someone to paint over or sandblast your wall. Yet the defacement of a website is a serious crime and the punishment for physical vandalism is typically very minor.
In Nosal’s case, however, the comparison to the real-world equivalent of his crime is pretty spot on.
If Nosal had been employed by a department store, quit, then got his buddy the night-shift stock clerk to open the door so he could come in and steal all of their clothing to resell it, he still stole the clothing. It doesn’t matter that he had a friend on the inside. In fact, the friend on the inside should be charged as well for facilitating the burglary. The tech blogs, however, want to draw a different comparison. They want you to believe that his friend helping to steal from Target is the same as his friend simply lending Nosal the key to his house despite the fact that his roommate was home.
To be clear, nobody was charged with sharing a password. Nosal was charged with illegally accessing a proprietary database to steal something of value from a system he was not authorized to access. The facts of the case are not in dispute. The Computer Fraud and Abuse Act, under which Nosal was tried, was meant to handle exactly this sort of incident – an individual circumventing prohibitions on system access to steal something of great value.
The comparison to sharing a Netflix password, specifically, is completely ridiculous given that Netflix actively encourages you to share your account by allowing you to specify multiple account users. Nothing in this decision makes that illegal.
If the tech community wanted to make a sensationalist claim, a more apt comparison might be the sharing of an Amazon password to get a Prime discount tomorrow. Even that, however, is not an apt comparison as you are still paying for the goods, albeit at a savings. You are still paying the full price that any Prime member would pay. The CFAA does, however, give Amazon the legal authority to prosecute that if they would like to do so.
Despite the wishes of the “everything should be free” crowd, there is still a concept of ownership. The CFAA decision reinforces that concept and holds individuals (in this case Nosal) responsible for theft of goods owned by someone else. Despite the public outcry, this decision was rightly decided and is, in fact, a feature of the law, not a bug.