Password Sharing Can Be A Crime, Court Rules

The James R. Browning U.S. Court of Appeals Building in San Francisco on November 7, 2013.
Ken Lund

GUEST: Dan Eaton, attorney, Seltzer Caplan McMahon Vitek

Could sharing your online password for Netflix or Facebook, for example, with friends and family be a federal crime? The Ninth Circuit Court of Appeals upheld a ruling that convicted a corporate recruiter of hacking because he gained access with a password that was voluntarily given. This can criminalize the everyday opinion of millions of Americans. Joining us with more is Dan Eaton.

Happy to be here, Allison.

What was the defendant, who is David Nosal, actually accused of doing?

What he was accused of doing, Allison, was accessing the computer of his former employer, one of the largest corporate recruiters in the world, specifically their database with all the names of their potential candidates, without authorization under the Computer Fraud and Abuse Act of 1986, which makes that a crime. Specifically, what happened was that he left, and then a couple of his coworkers left, and a couple of the coworkers had his executive assistant, who was still working at the firm, give these three men the password. They used that password to access this proprietary or trade secret database to gain access to these various candidates and compete against Mr. Nosal's and the others' employer. The executive search firm that he used to work for contacted the authorities after doing an investigation following a tipoff.

So the court upholds his conviction under a 1976 federal computer law. Why did they rule what he did illegal?

He said, look, this was without authorization. There was no authorization to access that proprietary database once he and the other two employees with whom he worked had left. Once they left, it was very clear that their former employer had revoked their right to access that database, and by having the executive assistant who was still working for the company give that password to these now former employees so that they could access this database, they were acting to access the computer of their former employer without authorization, and that is a crime under that law.

In fact he did benefit from it financially. Or so it would appear.

So the argument between the majority of the court and the dissenting judge seems to be over who can give somebody a password.

That is exactly right. It really is a question of what "without authorization" means. Without authorization from whom? You have to have authorization from the entity or person in control of the system, and in this case, of course, the former employer. The minority -- the dissenting judge, Judge Reinhardt, said it is enough if the person with the password, in this case Mr. Nosal's former executive assistant, gave you permission to access that by sharing her password. That is why Judge Reinhardt said this criminalizes sharing passwords, and that is why you are hearing a lot of the talk about the potential criminalization of sharing passwords and things like Netflix and boarding passes, which is the parade of horribles that Judge Reinhardt articulates.

For anyone who is wondering, this seems to be saying that you would be breaking the law if you give your Netflix password to someone else without Netflix's permission.

Well, except that the majority framed the issue very carefully. Their opinion was written by San Diego-based U.S. Circuit Judge McKeown, and in it, characteristically, she defined the issue in the case as whether the "without authorization" prohibition of the CFAA -- the law in question -- extends to a former employee whose computer access credentials had been rescinded but who, disregarding the revocation, accesses the computer by other means. In other words you think this is not about password sharing at all. This is about someone whose access was affirmatively rescinded who tries to gain access through the back door, and that is criminal, and the jury properly convicted him, she said, on three counts of violating the CFAA as a result of that conduct.

If we take the court at its word and password sharing is allowed, why is that different from what happened here?

Except the court did not exactly say that is allowed. It is just that the issue was not raised by this particular issue. What the court seems to be saying is that you have to have permission, or at least you can't have had your access revoked, in order to be able to access the computer. In this case the permission was affirmatively revoked, but Judge Reinhardt said there's really no difference between that and, let's say, Facebook or Netflix or whatever saying in their terms and conditions you cannot share passwords. Someone so much as shares a password and gains access, and all of the sudden the person who gained access because they got a shared password is committing a federal crime. There is no limiting principle, according to Judge Stephen Reinhardt. This is an issue ultimately that may have to be solved by Congress fixing the language of the law, if that is what is necessary, or perhaps a broader panel of the Ninth Circuit or Supreme Court considering this issue.

Just in conclusion as to how this affects us: unless HBO or Netflix runs to prosecutors with a case, does that mean that most of us are probably safe?

Yes. Remember how this started. The whole prosecution started because the former employer, having a tipoff that this kind of unauthorized access to their very proprietary and very valuable database was going on, contacted the authorities and said, we think this is a violation of the CFAA, and the U.S. attorney's office got involved, and that resulted in this years-long prosecution. I don't see HBO or Facebook going around trying to seek prosecution for this innocuous conduct. Even the dissenting judge in this case said the activity of the defendant was unscrupulous. And how far this particular holding extends to other cases will have to await further cases. That is why we have judges.

Okay. Dan, thanks as always for the help.

The 9th U.S. Circuit Court of Appeals this week upheld the conviction of a man under a computer hacking law after he used the password of a colleague to log in to his former employer’s database and accessed confidential information.

The court ruled 2-1 that David Nosal, a corporate recruiter, violated the Computer Fraud and Abuse Act of 1982, finding he acted “without authorization” even though his former co-worker willingly shared her password with him.

Critics of the decision, including dissenting Judge Stephen Reinhardt, argued that the ruling could apply to the millions of people who harmlessly share their passwords with friends or family. He said that the Computer Fraud and Abuse Act should not turn them into criminals.

Under the ruling, should people start thinking twice about sharing a Netflix or HBO password?

"What the court seems to be saying is you have to have permission or at least can have your access revoked," San Diego legal analyst Dan Eaton, a lawyer at Seltzer Caplan McMahon Vitek, told KPBS Midday Edition on Thursday.

The attorney said that although he doesn't see companies like Netflix seeking prosecution for sharing passwords, Judge Reinhardt is concerned that the ruling doesn't have a limiting principle.

"This is an issue that ultimately may have to be solved by either Congress fixing the language of the law, if that's what's necessary, or perhaps a broader panel of the 9th Circuit or even the Supreme Court considering this issue. ... How far this particular holding extends to other cases will have to await further cases," Eaton said.