Sharing passwords from popular streaming services, like Netflix and HBO, could become a federal crime under a broad federal criminal statute.
Last week, a divided panel of federal judges on the 9th U.S. Circuit Court of Appeals, in an opinion written by Judge Margaret McKeown, affirmed the conviction of David Nosal under the Computer Fraud and Abuse Act for accessing a former employer’s database, without permission, to download proprietary information for use in his own competing business. How? Nosal solicited login credentials from a former co-worker.
Judge Stephen Reinhardt wrote a dissenting opinion theorizing that the precedent set by Nosal’s conviction might make “millions of our citizens” who engage in the widespread conduct of password sharing “potential federal criminals overnight.”
Reinhardt’s dissent triggered much debate over whether or not sharing passwords for video streaming services, email platforms, or other online services is now a federal crime. Some have said that the 9th Circuit’s ruling in Nosal suggests that password sharing is a crime. Others argue that it does not, and even if it does, prosecution is unlikely. Now a middle ground seems to dominate the debate, that maybe password sharing is a crime, maybe not.
A Divided Legal Interpretation
This is notable for the reasons identified in the opinion and in other commentary, reduced here to three takeaways.
First, the fact that so many online publications are closely scrutinizing federal judicial opinions on the scope of federal criminal statutes reflects a healthy awareness of the ever-present danger of overcriminalization—the “misuse and overuse of criminal laws and penalties to address societal problems”—even though this case may not merit that label (as explained below).
Second, wide disagreement over whether or not current legally, commercially, and socially accepted forms of password sharing constitute criminal conduct, as the Nosal majority indicates may be the case, suggests that the time may be ripe for Congress to take another look at the Computer Fraud and Abuse Act.
And third, now that the dissent’s warning of overcriminalization is out of the bag, many are wondering whether the employees of some service providers or attorneys at the Department of Justice might take a closer look at common forms of password sharing.
The statute in Nosal, 18 USC § 1030(a)(4), states:
… whoever … knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value … should be punished …
McKeown’s opinion makes clear that the majority was affirming Nosal’s conviction on the narrow “circumstance here—former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer.” That form of “password sharing” is a crime. That circumstance, however, McKeown wrote, “bears little resemblance to asking a spouse to login to an email account to print a boarding pass,” or engaging in other common password sharing conduct.
‘Egregiously Overbroad’ Statute
But while this case is limited by its facts, that is not necessarily true of the statute. “Congress has broadened” the Computer Fraud and Abuse Act “every few years” since its enactment in 1986, writes George Washington University School of Law professor Orin Kerr. It now “criminalizes computer use that ‘exceeds authorized access’ to any computer.” Columbia Law School professor Tim Wu writes the statute is now “egregiously overbroad.” That makes the widespread disagreement over the significance of this case even more interesting.
Reinhardt was wise to remind all of us that “it is unacceptable in our legal system to impose criminal liability on actions that are not proscribed ‘plainly and unmistakably.’” It is “an elementary rule of constitutional law,” writes our colleague and criminal law expert Paul Larkin, “that the government must afford the public fair notice of the conduct defined as criminal so that the average person, without resort to legal advice, can comply with the law.”
It appears the Computer Fraud and Abuse Act has come into tension with that principle, which is the point Reinhardt makes in his dissent: “It is also unacceptable to base ‘criminal liability on violations of private computer use policies’” in part because those are “lengthy, opaque, subject to change and seldom read,” but “also private—by definition not addressed and perhaps not even accessible to shared password recipients who are not official users themselves” (of the online password-protected services).
For these practical reasons, Reinhardt was right to warn that “the clear (and public) words of Congress—not the obscure policies of system owners—[must] delimit [the] scope” of federal criminal statutes going forward. As it stands, the computer fraud law is a paradigmatic example of the problems that poor legislative drafting—which gives the Justice Department extraordinary breadth when making charging decisions—can have for citizens.
Businesses Adjust to Password Sharing
Still, not only do the facts of this case not lead ineluctably to the conclusion that all password sharing is illegal, it is unlikely that service providers like video-streaming companies HBO or Netflix will start a hunt for password sharers. So long as that conduct “remains de minimis,” HBO CEO Richard Plepler said , “we’re not going to overreact to it.”
Although it is perceived as a common practice, “password sharing has had ‘no impact on the business,’” and actually, Plepler says, it is a “terrific marketing vehicle for the next generation of viewers.”
Netflix CEO Reed Hastings has also said, “it really hasn’t been a problem.” Even if it becomes a problem, companies may be more likely to restrict access to their services through technology rather than prosecution.
Whether the same restraint may be expected of the Department of Justice is another matter. America has rejected prosecutors’ noblesse oblige or “trust us” theory, writes Larkin, because the law, and not the hoped-for good judgment of prosecutors, is our protection from abusive enforcement. Mass media attention to Nosal’s case suggests that plenty of people will weigh in if such prosecutions occur. Perhaps the energetic response to this case will lead lawmakers to clarify the language of the Computer Fraud and Abuse Act, and end the debate over what it means going forward.
Mass media attention to Nosal’s case suggests that plenty of people will weigh in if such prosecutions occur. Perhaps the energetic response to this case will lead lawmakers to clarify the language of the Computer Fraud and Abuse Act, and end the debate over what it means going forward.