On July 5, 2016, the United States District Court of Appeals for the Ninth Circuit issued a decision in the case entitled United States v. Nosal. The case involved a former employee and others using the password of another employee to hack into his former employer’s database in order to access and take information which belonged to his former employer.
The decision has gained a lot of attention and press because Mr. Nosal’s criminal conviction was based upon his use of another employee’s passwords. There are a large number of articles and blog posts warning that the holding in the case could result in the criminal prosecution of an individual who uses a friend’s Netflix or HBO GO password to access those sites. While that could be one result of the decision, I believe the holding in the Nosal case does not currently go that far. Per the Ninth Circuit, “this appeal is not about password sharing. Nor is it about violating a company’s internal computer use policies.” Rather, the case revolves around accessing a protected computer with the intent to defraud as defined in the Computer Fraud & Abuse Act (CFAA), 18 U.S.C. § 1030.
The CFAA imposes criminal penalties upon those who “knowingly and with intent to defraud, access a protected computer without authorization or exceed authorized access, and by means of such conduct further the intended fraud and obtain anything of value….” Id. at 1030(a)(4). The issue in the case falls under the meaning of the first prong of the Act; specifically, what the terms “knowingly and with intent to defraud” and “accessing a protected computer without authorization” mean. The Ninth Circuit Court of Appeals used a very simplistic and plain meaning to answer that question. It held, simply, that it means accessing a protected computer “without permission.”
The reason legal commentators, bloggers, and attorneys are pondering whether or not the decision applies to Netflix accounts is that Netflix only licenses to the holder of each password. Netflix does not contractually give permission to an authorized user’s “friend” to use their password and access Netflix’s databases with its online content. Applying the simplistic “without permission” definition could result in a criminal case against a non-authorized user utilizing the authorized user’s password. While this could someday be the ultimate interpretation, the Court’s own limitations as set forth in the preceding paragraph seem to negate that argument.
Nevertheless, until the issue is clarified, unauthorized users using their friends’ passwords should be forewarned. District Courts or Circuit Courts of Appeal, including future decisions out of the 9th Circuit, may hold that the unauthorized logging into Netflix or other computer databases is in violation of the CFAA which, in turn, could lead to criminal prosecution. As it stands now, the law appears to be in flux and developing as technologies advance.