Have you ever used a shared password for Netflix, Hulu, or HBO GO? If so, you might now be an "unwitting federal criminal" thanks to an appeals court's finding that people who share passwords are subject to prosecution under the Computer Fraud and Abuse Act, or CFAA, Time reports. The July 5 decision stems from the case of David Nosal, an employment recruiter who used his former assistant's password (with that employee's permission) to access the candidate database of his former employer as he prepared to launch a competing firm. Ultimately, Nosal was sentenced to prison and fined nearly $900,000 for conspiracy and theft of trade secrets, along with three CFAA violations—namely, using the assistant's password to access data "without authorization" from the company.
The ruling by the Ninth Circuit Court of Appeals could make "password sharing among friends and family" a federal crime, Judge M. Margaret McKeown writes in the majority opinion, per TechCrunch. However, she adds, “the reality is that facts and context matter in applying the term ‘without authorization.'” In his dissent, Judge Stephen Reinhardt writes that, Nosal's other crimes notwithstanding, he did not violate the CFAA by using a shared password, adding that the traditionally anti-hacking law "does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals." As TechCrunch notes, "don’t expect the FBI to come knocking next time you stream on your boyfriend’s account," as the court's decision leaves "without authorization" open to interpretation and allows for context to be considered. But someday, it adds, a company may want to make an example of someone for sharing a password.