The controversies regarding cyberspace just keep burning brightly. In the past couple of weeks, the Ninth Circuit Court of Appeals ruled that the unauthorized sharing and use of passwords can be deemed as hacking, and thus can be a violation of the Computer Fraud and Abuse Act (CFAA).
As noted by motherboard.vice.com and others, this is a nightmare scenario, since it technically makes felons out of anyone that is sharing passwords regardless of the ultimate objective:
- You’re sharing your Netflix password with a roommate.
- You’ve given your spouse access to your online bank account.
- A work colleague gives you his username and password for accessing work-related files because he’s out on vacation.
The above scenarios look OK to the average person because, well, it’s not unauthorized, right? It’s your Netflix password, your online bank account, a colleague giving you his password. If you give the password to someone (or vice versa), the authorization is baked right in.
Well, the case that the Ninth judged on says otherwise: despite the fact that an authorized user handed over the password to someone else, it turns out that the authorized user is not authorized to do that. That particular authorization can only come from a higher power, such as a system administrator, or the company that ultimately takes care of the data, etc.
Per this ruling, you’re technically breaking the law if you, the account owner, give someone else access to your Netflix account: ultimately, Netflix would have to authorize each instance of password sharing.
Netflix, of course, issued a press release saying that sharing passwords is fine as long as you’re not, say, selling the password. Which, makes sense: you could end up profiting monetarily at Netflix’s expense if you price the password just right.
Not So Controversial if Details are Looked At
On the face of it, the ruling doesn’t make sense. But consider the actual court case the Ninth ruled upon: a guy was caught looking up data on a database he wasn’t authorized to access. Since he didn’t have access to it, he colluded with people who did to run the searches. But, because the password holder found it a hassle to follow search instructions, she instead forked over the password so her counterparts could run the searches themselves.
Is that hacking? Well… yes. You have a proprietary database that is guarded with individual passwords to limit access to authorized people only. You’re using someone else’s password, which was willingly given to you, but not by someone who has the authority to give it to you. How is that not hacking? I mean, if I had used social engineering to extract a password and accessed a database, wouldn’t it be called hacking? Nothing would come out of it if I held on to the password and did nothing with it (mostly because I probably wouldn’t be caught, to be honest). I have to do something with the password for it to be hacking; the fact that the password was “shared willingly” (but under false pretenses) has almost no bearing whatsoever.
The fact that millions of Americans (and billions around the world) share passwords all the time doesn’t mean that it cannot be called hacking. Context matters, as Netflix’s position on password sharing shows.
(Plus, it should be pointed out that Netflix allows for the creation of separate profiles under an account – that is, one shared password – so that users’ preferences in shows are not intermixed. This way, your emo brother will not be seeing My Little Pony and Care Bears as suggestions on his list of suggested movies. Netflix’s setup essentially encourages the sharing of passwords, and is a potent argument in court if sharing passwords ever became a problem.)
And, yet, we know what the hubbub is all about. As the lone Ninth Circuit dissenter noted, “we cannot construe a criminal statute on the assumption that the Government will use it responsibly.”
Indeed, it bears reminding that the same CFAA was used to bulldoze over Aaron Swartz:
The CFAA received much scrutiny and attention when it was used against Aaron Swartz…. Swartz was charged under the CFAA when it was discovered he was using a program to download millions of academic journals from the JSTOR database. Facing a felony, crippling court expenses and much more, Swartz committed suicide before his case was over. He was 26 years old.
A piece of legislation called “Aaron’s Law” attempted to curb some of the issues with the CFAA, but it has received little attention and hasn’t gone anywhere in Congress. Swartz’s death remains a tragic reminder of how lives can be destroyed by misinterpreted laws. (salon.com)
And for what? To defend the rights of publications that pretty much everyone agrees rake in exorbitant fees for essentially doing nothing while restricting access to tax-payer funded research? Or, as some (many?) say, so that politically-hungry government attorneys can notch another hole in their belts?
Getting off on a technically is always bad business, but not as bad as sending someone to the slammer (or worse) because of one. When it comes to the CFAA, it looks like the courts are laying the grounds for the latter.
Related Articles and Sites: