Have you created a ShazzleMail account on your smartphone? This is a required first step.

Yes No

Free Encrypted Email

Shocking gossip

Password Sharing Is a Federal Crime, Appeals Court Rules

July 11, 2016

One of the nation’s most powerful appeals courts ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all “hacking” law that has been widely used to prosecute behavior that bears no resemblance to hacking.
In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal’s use of a former coworker’s password to access one of the firm’s databases was an “unauthorized” use of a computer system under the CFAA.
The decision is a nightmare scenario for civil liberties groups, who say that such a broad interpretation of the CFAA means that millions of Americans are unwittingly violating federal law by sharing accounts on things like Netflix, HBO, Spotify, and Facebook. Stephen Reinhardt, the dissenting judge in the case, noted that the decision “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
In the majority opinion, Judge Margaret McKeown wrote that “Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.” She then went on to describe a thoroughly run-of-the-mill password sharing scenario—her argument focuses on the idea that Nosal wasn’t authorized by the company to access the database anymore, so he got a password from a friend—that happens millions of times daily in the United States, leaving little doubt about the thrust of the case.
The argument McKeown made is that the employee who shared the password with Nosal “had no authority from Korn/Ferry to provide her password to former employees.”
At issue is language in the CFAA that makes it illegal to access a computer system “without authorization.” McKeown said that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?
Reinhardt argues that Nosal’s use of the database was unauthorized by the firm, but was authorized by the former employee who shared it with him. For you and me, this case means that unless Netflix specifically authorizes you to share your password with your friend, you’re breaking federal law.
“In the everyday situation that should concern us all, a friend or colleague accessing an account with a shared password would most certainly believe—and with good reason—that his access had been ‘authorized’ by the account holder who shared his password with him,” Reinhardt wrote in a powerful dissent that was primarily concerned with “the government’s boundless interpretation of the CFAA.”
“The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners,” he wrote. “There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.”
Notably, Reinhardt appears to have a commanding knowledge of what constitutes “hacking,” something that comes up over and over again both in the media and in the courts. He said that the decision “loses sight of the anti-hacking purpose of the CFAA.”
“There is no doubt that a typical hacker accesses an account ‘without authorization’: the hacker gains access without permission—either from the system owner or a legitimate account holder,” he wrote. Using someone else’s password with their permission but not the system’s owner isn’t “hacking,” but that’s what the court is treating it as. Reinhardt noted that all 50 states have their own more narrow computer trespassing statutes, and that the case would have been better suited for civil, not criminal, proceedings.
What does this mean for you? In the short term, unless Netflix or HBO seek to get federal prosecutors to go after many of its customers, probably nothing. So far, neither of those services have shown any inclination to do so, and have made it easy to share your accounts with others. But it does set a scary precedent that should give anyone who shares passwords some pause.
The Ninth Circuit covers much of the West Coast, including Silicon Valley—many tech cases are brought there. The decision will be binding in that circuit, and will be looked at to guide decisions elsewhere in the country.
Cases like these do come up with some regularity. A decision is expected soon in a case called Facebook v Power Ventures, in which a company scraped information from Facebook with permission from its users, but not from Facebook. Once again, the question of “authorization” will come into play.

By Jason Koebler
www.motherboard.vice.com

Tags: , , , , , , , ,

Introducing ShazzleMail Email and How it Works

Privacy is your Fundamental Human Right.

Our Daily Blog
1e1716e0-trump-4x3
What is the future of privacy, surveillance and policing technologies under Trump?
June 22, 2017

Last Updated Jun 22, 2017 11:13 AM EDT For weeks, President Trump cried foul, repeating unverifie...

Read more
hacker-coder-developer-software-programmer-alphanumeric-matrix
Privacy report critical of Wall’s private email server
June 13, 2017

Saskatchewan’s opposition NDP is renewing calls for an investigation into Premier Brad Wall’s us...

Read more
_92023784_thinkstockphotos-482112104
Rhode Island considers broadband internet privacy
June 5, 2017

PROVIDENCE, R.I. Rhode Island state legislators are considering protections for broadband privacy....

Read more
220732318
How Congress dismantled federal Internet privacy rules
May 31, 2017

Congressional Republicans knew their plan was potentially explosive. They wanted to kill landmark pr...

Read more
SAN FRANCISCO - OCTOBER 24:  Dustin Moskovitz, co-founder of Facebook, delivers his keynote address at the CTIA WIRELESS I.T. & Entertainment 2007 conference October 24, 2007 in San Francisco, California. The confernence is showcasing the lastest in mobile technology and will run through October 25.  (Photo by Kimberly White/Getty Images)
Get Ready for the Next Big Privacy Backlash Against Facebook
May 22, 2017

DATA MINING IS such a prosaic part of our online lives that it’s hard to sustain consumer interest...

Read more