Earlier this week, judges from the United States Court of Appeals for the Ninth Circuit passed down a ruling stating that “access[ing] a protected computer without authorization” can be considered a federal crime under the Computer Fraud and Abuse Act (CFAA).
This ruling specifically references the case of David Nosal, a former employee of the executive search firm Korn/Ferry, who used a co-worker’s password to access a computer after his access was revoked. The CFAA has been widely criticized for its vague language and for ensnaring activists like Aaron Swartz, who was charged under the act in 2011 for downloading academic journals and later committed suicide.
But how this ruling will translate to the sharing of passwords for Netflix or HBO Go—and who decides what constitutes “authorization”—remains vague.
Judge Margaret McKeown in the majority decision wrote the case was explicitly not about password sharing: “The conduct at issue is that of Nosal and his co-conspirators, which is covered by the plain language of the statute.”
But here's the thing: Netflix's terms of service don't offer permission to share your password. Unless the terms change, you're technically breaking federal law in doing so without Netflix's blessing.
In 2014, HBO's CEO told BuzzFeed that he didn't really have a problem with users sharing passwords: "It’s not that we’re unmindful of it, it just has no impact on the business," he said, adding that they're "in the business of creating addicts." Netflix's CEO Reed Hastings has been similarly cool-dad about password-sharing, saying earlier this year at CES that it's a "positive thing, not a negative thing," though it's not clear if he meant within households or more broadly. Sharing Netflix passwords was already a crime in Tennessee as far back as 2011.
The dissenting judge, Stephen Reinhardt, pointed out that it's dangerous to make such sweeping rulings in a case about password sharing:
In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals. Whatever other liability, criminal or civil, Nosal may have incurred in his improper attempt to compete with his former employer, he has not violated the CFAA.
We've reached out to Netflix for comment.
Correction: This story has been updated for context and clarity.