Individuals and Password-Sharing
With the 1980s came the explosion of computing. In 1980, the Commodore ushered in the advent of home computing. Time magazine declared 1982 was “The Year of the Computer.” By 1983, there were an estimated 10 million personal computers in the United States alone.
As soon as computers became popular, the federal government began to legislate their use. In 1986, the Comprehensive Crime Control Act was amended to included the Computer Fraud and Abuse Act (CFAA). The CFAA criminalized trafficking in passwords, distributing malicious code, and other computer-related acts.
The CFAA has been amended five times in four decades (including in 2001 when it was amended by the Patriot Act), and the courts have interpreted it in ways that further extend its scope. The result is a law that Tim Wu called “the worst law in technology.” As part of his article for The New Yorker, Wu wrote:
“Orin Kerr, a former Justice Department attorney and a leading scholar on computer-crime law, argues persuasively that the law is so open-ended and broad as to be unconstitutionally vague. Over the years, the punishments for breaking the law have grown increasingly severe—it can now put people in prison for decades for actions that cause no real economic or physical harm. It is, in short, a nightmare for a country that calls itself free.”
Wu wrote these words in 2013, and the CFAA is only worse today. It goes far beyond its original intent to target cybercriminals and hackers, and now threatens many normal people, using their computers in harmless and legitimate ways.
Nothing demonstrates this as ominously as the July 5 opinion from the U.S. Ninth Circuit Court of Appeals. In this opinion, the court found that sharing passwords can be grounds for prosecution under the CFAA. Theoretically, this means a husband could be prosecuted for sharing a banking password with his wife, or vice versa.
The court issued this opinion knowing full well the implications of it. They state in their opinion, quoting part of another court’s ruling:
“We are mindful… that ill-defined terms may capture arguably innocuous conduct, such as password sharing among friends and family, inadvertently ‘mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.’”
Their “mindfulness” will be of cold comfort to Americans who are prosecuted under CFAA. It’s not only innocuous password-sharing that makes someone run afoul of the Act; it has also been used to prosecute the violation of terms of service agreements. Most infamously, the FBI used it to pursue Aaron Swartz. Swartz was a programmer and activist who downloaded research papers from a database at MIT, in violation of its terms of service. The fact that he was a research fellow at MIT, with authorized access to the database, didn’t matter. Swartz committed suicide while under federal indictment.
The July 5 opinion from the Ninth Circuit Court of Appeals will turn many others like Swartz into criminals. The dissenting judge on the case noted this, stating that the majority opinion “… loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
The vagueness of the CFAA and the nuances of terms of service, which vary from company to company, make this ruling dangerous for ordinary corporate and individual citizens. Will sharing a bank or Netflix password with a spouse or child be a federal crime? The only way to know would be to find the terms of service, find any clauses that apply to password- or account-sharing, and work out how it legally applies in each case. It’s not simple or straightforward.
Take the examples of Netflix and HBO Go. Both subscription-based services have limits that prevent too many people from using the same account. Both companies’ CEOs have stated account-sharing is positive. They view it as an excellent way of marketing their services.
Yet this ruling raises many questions about what the government may consider an offense worthy of prosecution, regardless of what Netflix or HBO thinks about it. Is it a violation of the CFAA if a Netflix account owner enters the password to their account to watch a show on a friend’s device? Does that count as password-sharing?
The situation gets even murkier when:
- A service’s terms of service do not specify if you can or cannot share passwords.
- It’s not easy to find the terms of service.
- The login to a service uses a multi-factor login (such as a Facebook account) rather than a password. In this situation, does sharing your Facebook account then count as password-sharing for the other service?
- Corporations keep password libraries for use of many employees in the same company.
This ruling also fails to account for the practical nature of life and business. How can a parent or business plan for serious illness, death, or other significant events without consensual password-sharing? Our personal and business lives revolve around myriad disparate online services requiring password access, and in some cases not sharing those passwords could lead to serious business or personal disruptions. Consider, for instance, a wife using her husband’s bank accounts to pay the bills while he is in the hospital.
It’s dispiriting to watch individuals being prosecuted. The CFAA has veered far from its original intent of targeting hackers and other egregious offenders. It’s possible it will be used like the Digital Millennium Copyright Act (DMCA) was used to go after illegal file sharers in bulk, going after the many, many Americans who innocuously share their passwords with others.
Sadly, this is only one of many recent examples of the courts extending the scope of criminal law in a way that seriously undermines people’s ability to function and do business on the Internet. The cases of Lavabit and Apple clearly show the encroachment of government fingers into the electronic privacy rights of American citizens.
There is some steady light at the end of this tunnel. Another ruling shortly after the July 5th one, in Facebook v. Power Ventures, a separate court ruled that one can willfully pass along your authorization to specific login credentials to another person. However, even this ruling leaves many unanswered questions as to what types of activity are allowed and what “authorized access” exactly means. In particular, under what specific conditions can this delegated access be revoked such that continued use would be considered a crime?
The message of these cases: The government gets to dictate how Americans use computers and the Internet, regardless of their rights or what makes sense. Americans should be vigilant in staying on top of the legal developments surrounding their online lives, and communicate loud and clear with their representatives to let them know what they think about legislation such as the CFAA.
By Erik Kangas