A US appeals court recently ruled that it is illegal for people to share passwords for accounts.
The case in question involved a man who had been convicted of using another person’s login information to access the database of a workplace where he was no longer employed.
A dissenting judge wrote that the legal implications of such a decision could be far wider than those intended for the specific case; people sharing the passwords for their Netflix or Amazon Prime accounts, for example, may now be liable.
The American press has speculated that the ruling could throw common practices around sharing paid accounts into question, though another judge who sided with the decision stated that the precedent being set was more limited than the dissenting judge feared it would be.
The case dealt with defendant David Nosal’s decision to use an ex-colleague’s password to gain access to his former recruitment firm, Korn/Ferry, in 2004. Nosal was hoping to use the information from the Korn/Ferry database to aid him in his work at his new firm. In 2008, Nosal was charged with hacking under the Computer Fraud and Abuse Act (CFAA) and ultimately convicted in 2013.
The court found that the company that issued the password must be the authorizing entity for there to be legal access; even if an individual chooses to share his or her password with someone of their own volition, the outside party who then enters the account is still hacking.
What remains to be determined is whether the password sharing that was deemed to violate federal law in this specific case will then create a precedent for future cases brought to American courts.
According to Judge Reinhardt, who dissented from the majority ruling, the case was “about password sharing” rather than hacking and “the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”
“The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders,” Reinhardt added, “which may also be contrary to the policies of system owners… There is simply no limiting principle in the majority’s world of lawful and unlawful password sharing.”
Judge M. Margaret McKeown wrote the majority opinion and disagreed with Judge Reinhardt’s take on the situation, positing that the case bore “little resemblance to asking a spouse to log in to an email account to print a boarding pass.”
According to Kuan Hon, a consultant lawyer at Pinsent Masons, UK law does not define password sharing as a criminal offence unless the individual is aware that they are not authorized to access the company’s program or data:
“You have to know that the access is unauthorized. If you give your password to your child, they might not necessarily realize that the ultimate service doesn’t warrant it,” she explained. “The question of what is unauthorized or authorized is different under the UK’s Computer Misuse Act.”