On July 5, 2016, the United States District Court of Appeals for the Ninth Circuit issued a decision in the case entitled United States v. Nosal. The case involved a former employer and others using the password of another employee to hack into his former employer’s database in order to access and take information which belonged to his former employer.
The decision has gained a lot of attention and press because Mr. Nosal’s criminal conviction was based upon his use of another employee’s passwords. There are a large number of articles and blog posts warning that the holding in the case could result in the criminal prosecution of an individual who uses a friend’s Netflix or HBO GO password to access those sites. While that could be one result of the decision, I believe the holding in the Nosal case does not currently go that far. Per the Ninth Circuit, “this appeal is not about password sharing. Nor is it about violating a company’s internal computer use policies.” Rather, the case revolves around accessing a protected computer with the intent to defraud as defined in the Computer Fraud & Abuse Act (CFAA), 18 U.S.C. § 1030.