Password Sharing And The CFAA 9th Circuit Court Appeals Ruling
Recent headlines regarding the July 5th 9th Circuit Appeals Court decision in US v. Nosal have been skewed a bit far to the dramatic. Before we take these headlines too far, (or seriously even), let’s keep some perspective on the facts at issue in this case and what the majority in the 3-judge panel actually said.
First off, this case does not involve the sharing of passwords to access Netflix, Hulu, Facebook, HBO GO, or any other consumer media platform. The case specifically involved individuals who, in an effort to start up their own competing employment agency, conspired with current and former employees to access confidential, proprietary information of their former employer’s password secured database.
While the language of the CFAA does make unauthorized access to computer networks illegal, (when committed knowingly and with intent to defraud), this law was not enacted to target people sharing their passwords to access email or their friends Twitter account. As stated clearly by the majority opinion by Circuit Judge M. Margaret McKeown, “The act was aimed at hackers who accessed computers to steal information or to disrupt or destroy computer functionality . . . .” Opinion, pg. 12. The conclusions presented by many reputable news outlets are blowing this decision very much out of proportion.
Secondly, the judges clearly understood the implications of their decision and made a point to speak to how a broad interpretation of the language of 18 U.S.C. § 1030 could be interpreted to make bring otherwise innocent conduct at risk:
We are mindful of the examples noted in Nosal I—and reiterated by Nosal and various amici—that ill-defined terms may capture arguably innocuous conduct, such as password sharing among friends and family, inadvertently “mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Nosal I, 676 F.3d at 859. But the circumstance here—former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer—bears little resemblance to asking a spouse to log in to an email account to print a boarding pass. The charges at issue in this appeal do not stem from the ambiguous language of Nosal I…but instead relate to a common, unambiguous term. (here, the term being “without authorization”). Majority opinion, pg. 23
We have to give credit to the panel here for recognizing the implications raised in prosecuting individuals under § 1030(a)(4) of the CFAA. Not only by understanding that the broad language of the act could be applied recklessly, but by giving a voice to the argument that it shouldn’t. The dissenting opinion, written by Circuit Judge Stephen Reinhardt, was strong and clear in stating:
“the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct [password sharing] into unwitting federal criminals. Dissenting opinion, pg. 46
I think the court knew how this ruling could be interpreted by the general public and was smart in making sure it presented both sides of the issue. Unfortunately, this effort escaped our headline-focused media culture and resulted in headlines like: “Netflix and HBO Go Password Sharing Illegal, Federal Court Rules,” People Magazine, “Sharing Passwords Can Now Be a Federal Crime, Appeals Court Rules,” Fortune.com.
I must give credit, the LA Times for bringing a rational perspective to this ruling.
Mark B. Saku, Esq. is an intellectual property attorney and managing partner of Mark Saku Law, PLLC, an international IP law, business and media firm based in Seattle, WA with offices in Berlin, Germany.
This article is intended for informational purposes only and is not offered as legal advice or legal counsel in any way. For questions regarding this article please contact: @marksakulaw.