In a dissenting opinion handed down last week, Judge Stephen Reinhardt wrote that the majority opinion “does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners.”
The underlying case involves a man who used a former co-workers password (with permission) to access files stored on his former employers’ computer network. The man then used the files to open a competing business. The man was convicted for violating the Computer Fraud and Abuse Act (CFAA).
The majority opinion, authored by Judge M. Margaret McKeown, wrote that the majority was mindful of concerns about the decision making “arguably innocuous conduct, such as password sharing among friends and family” into a federal crime. However, she found those concerns were overstated because, “[T]he circumstance here—former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer—bears little resemblance to asking a spouse to log in to an email account to print a boarding pass…. The reality is that facts and context matter in applying the term “without authorization.”
Judge Reinhardt’s concern is that individuals who share passwords for subscription services like Netflix, Showtime Anytime, or HBO GO, might be doing so in violation of the terms of service. Therefore, they might also be subject to prosecution for providing someone with access to the account in violation of the terms of service and “without authorization.” He wrote that the purpose of the CFAA was to go after hacking and computer fraud, not password sharing.
According to TechCrunch, the possibility of an individual facing prosecution for subscription service password sharing is still probably pretty low — even with the new 9th Circuit ruling. The report states some subscription services, such as Netflix, have already specifically stated that password sharing is permitted. However, there is always the possibility that a company “may want to make an example out of someone, similar to how a select few individuals were sued for pirating music.”