If you are in a habit of letting brothers and sisters, sons and daughters, best buddies and girlfriends use your password to access your video or music service, better start looking over your shoulder.
The 9th U.S. Circuit Court of Appeals upheld the conviction last week of a former Korn/Ferry International headhunter who quit his job to start his own firm for violating the Computer Fraud and Abuse Act by using the company’s passwords without authorization.
After leaving Korn/Ferry, David Nosal persuaded a former co-worker still employed by the company to share his login credentials for a database for research without permission.
lawbreakers or harmless password sharers?
More broadly for the users of password-protected Internet sites and services, the appeals court ruled that sharing passwords without permission amounts to unauthorized access and is against the law.
The judge in the case, Margaret McKeown wrote that “unauthorized access” was “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.”
Dissenting, Judge Stephen Reinhardt wrote that this case is about password sharing, and that “in his view, the CFAA does not make the millions of people who engage in this ubiquitous, useful and generally harmless conduct into unwitting federal criminals.”
But McKeown said the case is not strictly about password sharing. Nor is it about violating a company’s internal computer-use policies. It is about former employees “who nonetheless accessed trade secrets in a proprietary database through the backdoor when the front door had been firmly closed.”
What does this mean for Netflix, Spotify, HBO?
Two services that may be impacted by the ruling, movie and video subscription service Netflix and music provider Spotify, did not comment on the ruling.
Netflix offers a way to deactivate unauthorized use of a streaming account. But this ruling covers different ground.
HBO offers a frequently asked questions (FAQ) section on its website for sharing content. However, it doesn’t make any reference to sharing passwords.
The terms for its service, HBO Go, allows for family members to use an account as “subaccount” users:
“You are responsible for all activity occurring under our registered account and any subaccount authorized by you, including maintaining the confidentiality of each username and password, and you agree that any household member account users authorized by you will not permit the disclosure of any username and password to any person.”
Industry loses $500 million a year
Numbers don’t lie; people do it with regularity.
According to a study done by Parks Associates in 2015, 57% of U.S. households access an over-the-top video account, meaning streaming services like Netflix, Hulu or HBO Go, but 11% of Netflix subscribers, 10% of Hulu Plus subscribers and 5% of Amazon Prime Instant Video subscribers are using an account paid for by someone else.
Young adults between 18 and 24 are the biggest perpetrators of password sharing, with 22% of those surveyed admitting to using an account that was not theirs.
Parks Associates also estimates that “illicit password sharing” could cost the industry as much as $500 million per year.