In a closely watched case, the Ninth Circuit Court of Appeals just ruled that sharing passwords is a federal offense:

In the majority opinion, Judge Margaret McKeown wrote that “Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.” She then went on to describe a thoroughly run-of-the-mill password sharing scenario—her argument focuses on the idea that Nosal wasn’t authorized by the company to access the database anymore, so he got a password from a friend—that happens millions of times daily in the United States, leaving little doubt about the thrust of the case.

The argument McKeown made is that the employee who shared the password with Nosal “had no authority from Korn/Ferry to provide her password to former employees.”

At issue is language in the CFAA that makes it illegal to access a computer system “without authorization.” McKeown said that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?

If the account holder authorized someone to access their account using their credentials, then does that not constitute authorization, as written in the CFAA? The law does not define which party is required to provide authorization in order to prevent triggering a violation of the CFAA.

  • Is the account holder allowed to authorize access?
  • Is authorization required from the system owner?

Imagine all the scenarios that could play out based on either of those authorization requirements. As the article rightly discusses, if the latter is needed, everyone sharing Facebook, Spotify, Apple, Netflix, and other similar accounts is considered in violation of the CFAA and therefore should be prosecuted.

As with most US laws around the idea of hacking, the CFAA is in desperate need of updating.