It’s become so common that it’s almost a joke. One person has a Netflix account and three other people are using it. A recent court ruling found that because of a law called the Computer Fraud and Abuse Act (CFAA), using someone else’s password could be considered a federal crime with an extremely harsh punishment. Someone who violates the CFAA can face decades in prison and large fines.
“The CFAA was intended to be an anti-hacking statute. It should be targeting the circumvention of technological access barriers — people breaking into computers — and the law is so vague and so confusing that it’s gone really far beyond that,” Jamie Lee Williams, a legal fellow for the , told Salon.
The case is called United States v. Nosal. David Nosal was a former recruiter with an executive search firm when he at one point decided to use a former coworker’s password to get into the firm’s database. That might seem innocent enough, but the prosecution is to allege that Nosal’s use of the password was unauthorized and thus a crime. The U.S. Court of Appeals for the Ninth Circuit found it was indeed a violation of the CFAA.
Judge Margaret McKeown of the ninth circuit argued that this case is not about sharing password for common services like Netflix, and that it’s simply about an employee “accessing trade secrets” through a “back door.” However, the reasoning used in the case was broad and could affect common password sharing.
“Their reasoning was so broad that it would criminalize any type of use of someone else’s password, even with their permission, so long as you didn’t have the computer’s owner’s permission,” Williams said. The “computer owner” in the hypothetical case would be Netflix, as it owns the computer systems running the website.
Another case dealing with the CFAA received a , and it only added to the confusion around the law. A case called Facebook v. Vachani dealt with a company called Power Ventures that was having people give it their Facebook username and password so their timeline could be integrated into its social media aggregating service.
Facebook attempted to stop this practice by issuing a cease and desist letter to Power Ventures, and a lawsuit against Power Ventures arose when it was not stopped. The ruling in that case showed a third party may be able to legally use someone else’s password if they’re authorized, but it also said that authorization can be revoked. Exactly how it is supposed be revoked remains a mystery. How the CFAA is meant to work continues to get more confusing.
A piece of legislation called “” attempted to curb some of the issues with the CFAA, but it has received little attention and hasn’t gone anywhere in Congress. Swartz’s death remains a tragic reminder of how lives can be destroyed by misinterpreted laws.
It is clear to many who advocate for Internet freedoms that the CFAA needs to be reformed. Besides password sharing, someone can be charged under the law for violating a website’s terms of service in various other ways or for numerous other innocuous actions.
Williams said we need a reform that makes the CFAA about stopping hackers, not criminalizing standard behavior. “We may need reform that specifically says that password sharing is not a crime…; to be more clear about what is unauthorized access,” she said.
Until the CFAA is reformed, contradictory court rulings will likely continue to be put out in the world, and people who probably shouldn’t be considered criminals may face draconian prison sentences.
“We are at the whim of prosecutors to decide whether to bring a CFAA case,” Williams said. “It doesn’t matter if the prosecutor has promised to use the law responsibly, that’s not a reason for adopting an overly broad interpretation of a statute. We need to interpret our laws clearly to give people notice of what is and is not criminal.”
When simply using a computer for its understood purpose becomes a crime that can put you in prison for a large portion of your life, one has to wonder who the law is truly serving.