On July 5, 2016, the 9th Circuit Court of Appeals affirmed the district court’s decision in United States v. Nosal, No. 14010037, 2016 WL 3608752 (9th Cir. Jul. 5, 2016), holding that the defendants, former employees of the global executive search firm Korn Ferry, violated § 1030(a)(4) of the Computer Fraud and Abuse Act (“CFAA”) by accessing Korn Ferry’s computers with a current employee’s password “without authorization.” The court agreed with the trial judge that the current employee’s permission for the defendants to use her password did not give the defendants the right to access her account because the current employee “had no authority from Korn Ferry to provide her password.”

But what does that mean for all of us who share passwords with friends and family for services such as Netflix, HBO Go, and Amazon Prime? Are we all now in violation of the CFAA? We all know that these services are meant only for members who hold personal accounts (Netflix explicitly states in its user agreement that passwords are not meant to be shared), but we still use other people’s passwords to access their accounts all the time.

Judge Reinhardt points out this exact problem in his dissent. In his view, the court’s decision to render the current employee’s permission irrelevant now criminalizes even innocuous password sharing. But rest assured that, besides the fact that it is highly unlikely Netflix will call the feds on you, the court stressed that this case was not about password sharing. The court’s main focus was to make sure that a person whose access to a computer was affirmatively revoked cannot “sidestep the statute by going through the back door and accessing the computer through a third party.” Nosal, 2016 WL 3608752, at *1.

Notwithstanding this rationale, critics understandably wish that the court had given a more detailed analysis providing guidance as to the difference between the defendants’ acts and routine password-sharing. Judge Reinhardt expressed his concerns with various situations in which a person’s use of another person’s password may be actionable under the court’s analysis: for example, a coworker asking a friend to log on to his email to print a boarding pass, or a husband asking a wife to log on to an online bank account to pay a bill. Most people would say that access in these examples was “authorized,” but the majority “does not provide . . . a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders.” Id. at *20.

Professor Orin Kerr of George Washington University Law School offers a suggestion of what the majority could have done to come to the same result but also assuage the dissent’s concerns. In his new article, Norms of Computer Trespass, 116 Colum. L. Rev. 1143 (2016), Professor Kerr suggests that cases involving shared passwords should be based on the notion of delegation of authority by authenticated accounts. “Under this rationale, whether use of a shared password violates the CFAA depends on a critical fact: Was the user intentionally acting outside the agency of the legitimate account-holder?” Orin Kerr, Password-sharing case divides Ninth Circuit in Nosal II, The Volokh Conspiracy (Jul. 6, 2016), https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/06/password-sharing-case-divides-ninth-circuit-in-nosal-ii/. Applying Professor Kerr’s agency test to Nosal, the defendants would still be violating the CFAA because they used the current employee’s password for their own benefit, not the employee’s. In contrast, the previously mentioned friend and wife would not have been in violation of the CFAA because they were acting within the scope of agency of the co-worker and husband respectively.

One problem that Professor Kerr’s article does not address is password sharing for our beloved Netflix accounts. When I’m using my roommate’s Netflix account to watch a show, can I still be acting as her agent even if I am watching the show solely for my own benefit? This is obviously a trickier question to answer, but for now, I’ll continue to watch Orange is the New Black.