Following the Ninth Circuit’s ruling in United States v. Nosal, 844 F.3d 1024 (9th Cir. 2016) (“Nosal II”), several commentators in the media queried whether using a borrowed password for streaming video on demand (SVOD) services such as Netflix and HBO Go constitutes a criminal violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. Time reported, for example, that “[t]he act of sharing Netflix passwords has apparently been decreed a federal crime, based on a ruling from the U.S. Ninth Circuit Court of Appeals.” Variety published the following headline: “Sharing Netflix or HBO Go Passwords Is Technically a Federal Crime Under 9th Circuit Ruling.”
Are the alarmist commentators correct? Ninth Circuit law remains unclear on this point, as there have been no cases specifically involving CFAA prosecutions of password sharing for non-commercial, personal use. That said, there are several factual distinctions between Nosal II and a hypothetical case involving someone being prosecuted under the CFAA for using a borrowed Netflix or HBO Go password. Given these factual distinctions, I speculate that the Ninth Circuit would probably hold that SVOD password sharing does not constitute a criminal violation of the CFAA, at least under the Ninth Circuit’s current interpretation of 18 U.S.C. § 1030(a)(2)(C).
Nosal II
David Nosal was a regional director at the executive search firm Korn/Ferry International. When denied a promotion in 2004, Nosal declared his resignation. He assented to a one-year non-competition agreement during which time he agreed to remain a contractor for Korn/Ferry. Despite his non-compete agreement, Nosal covertly started a competing firm along with fellow Korn/Ferry employees – Becky Christian, Mark Jacobson, and Jacqueline Froehlich-L’Heureaux (“FH”).
Korn/Ferry assigned each of its employees a unique login credential to its computer system. Access to Korn/Ferry’s computer system in turn gave users access to “Searcher” – Korn/Ferry’s internal database. Searcher’s value derived from the vast amount of data which had been compiled in searchable format on its server since 1995, including resumes, contact information, and employment history for over one million executives. When filling vacant executive positions, Korn/Ferry employees plugged criteria into Searcher. Searcher then recommended a “source list” of candidates. Korn/Ferry deemed the source lists generated by Searcher to be proprietary.
Nosal’s computer access credentials were revoked on December 8, 2004. Christian and Jacobson’s computer access credentials were revoked when they quit their jobs at Korn/Ferry in 2005. FH remained at Korn/Ferry at Nosal’s request.
Nosal, Christian, and Jacobson wanted to continue accessing Searcher to expedite work for their new clients. FH willingly shared her Korn/Ferry username and password with Christian and Jacobson. Christian used FH’s login credentials to run Searcher queries on two occasions – once in April 2005 and again in July 2005. Jacobson logged in as FH and ran a Searcher query in July 2005.
The Ninth Circuit affirmed Nosal’s conviction for conspiracy to violate the CFAA, holding that Christian and Jacobson accessed a protected computer “without authorization” within the meaning of § 1030(a)(4). The majority’s construction of the phrase “without authorization” applies equally to § 1030(a)(2), which imposes criminal liability on whoever “intentionally accesses a computer without authorization . . . and thereby obtains . . . information from any protected computer.” The CFAA’s broad definition of “protected computer” basically encompasses any computer connected to the Internet.
In reaching its conclusion, the majority considered the plain and ordinary meaning of “authorization,” including dictionaries which define “authorization” as “permission or power granted by an authority.”[1] The authority with exclusive power to grant or revoke permission, the majority held, is the system owner (i.e. Korn/Ferry), not the system user (i.e. FH).
In dissent, the late Judge Stephen Reinhardt expressed concern that the majority’s holding would sweep in innocuous conduct, such as logging into a coworker’s email to print a boarding pass and other password sharing among family and friends. Reinhardt failed to see a “workable line [in the majority’s opinion] which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners.”[2]
Differences Between Nosal II and SVOD Password Sharing
There are several factual distinctions between Nosal II and a hypothetical case involving SVOD password sharing. First, it is not entirely clear that using a borrowed password is even contrary to the policies of certain SVOD services. For example, Netflix’s terms-of-use do not categorically forbid password sharing, stating as follows: “The Account Owner’s control is exercised through use of the Account Owner’s password and therefore to maintain exclusive control, the Account Owner should not reveal the password to anyone.” The use of the word “should,” as opposed to “shall,” reads more like a recommendation (i.e. a word to the wise for those who wish to maintain exclusive control) than a prohibition. However, HBO Go’s terms-of-use are less keen on password sharing. While an HBO Go account owner can create subaccounts for members within one’s immediate household (each with a unique username and password), the terms-of-use prohibit sharing subaccount passwords outside of one’s household.
Second, many CFAA cases, including Nosal II, involve employees stealing an employer’s trade secrets or other proprietary information, such as the source lists generated by Searcher. SVOD password sharing, however, does not involve employees stealing an employer’s trade secrets or proprietary information. It is highly unlikely that Netflix’s video content, which it publishes online for mass viewing, would constitute a trade secret.
Third, the password sharing at issue in Nosal II was for a commercial use – launching a competing executive search firm in violation of Nosal’s non-competition agreement. However, SVOD password sharing is typically limited to personal use. Presumably, most people who borrow an HBO Go password to watch “Game of Thrones” do so only for their own enjoyment, not to distribute episodes for financial gain.
Fourth, a hypothetical case involving SVOD password sharing probably lacks the element of affirmative revocation, which was a significant factor in the majority’s Nosal II analysis. It was not enough that Christian and Jacobson used FH’s password to access Searcher. Using FH’s password only amounted to accessing Searcher “without authorization” when coupled with the fact that Korn/Ferry had deactivated Christian and Jacobson’s accounts. “[A] person uses a computer ‘without authorization’ under §§ 1030(a)(2) and (4),” the majority concluded, “when the employer has rescinded permission to access the computer and the defendant uses the computer anyway.”[3] The majority elaborated, as follows: “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.”[4] The court went on to say that “[u]nequivocal revocation of computer access closes both the front door and the back door.”[5]
What would affirmatively revoking SVOD access even look like? Even if all SVOD services, arguendo, updated their terms-of-use agreements to categorically prohibit using someone else’s password, this would still seem to fall short of the type of affirmative, individualized revocation contemplated in Nosal II. Affirmative revocation would seem to require Netflix or HBO take stronger, more direct action. This could take several forms. Affirmative revocation might require, for instance, sending an individualized cease and desist letter to someone who is flagged for using a shared password.[6] As far as I am aware, however, Netflix and HBO do not currently send cease and desist letters to individuals who use borrowed passwords, at least not as a general business practice.
Final Thought
Whether SVOD password sharing is or is not a violation of the CFAA, there are other reasons why you might be better off getting your own Netflix account instead of borrowing a friend’s password. There are ethical reasons, of course. Also, it might not be in your best interests to use someone else’s password. SVOD services often limit the number of concurrent streams per account. Netflix’s “Basic” plan, for example, allows only one screen at a time. This means that if you use a shared password, you might find yourself blocked out of Netflix next time you attempt to watch that latest season of “Stranger Things.”
[1] United States v. Nosal, 844 F.3d 1024, 1033 (9th Cir. 2016) (quoting LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) (quoting Random House Unabridged Dictionary 139 (2001))).
[2] Id. at 1049 (Reinhardt, J., dissenting).
[3] Id. at 1029 (McKeown, J., majority opinion) (quoting Brekka, 581 F.3d at 1135).
[4] Id. at 1028 (emphasis added).
[5] Id.
[6] See Futoshi Dean Takatsuki, Case Comment, United States v. Nosal II, 37 Loy. L.A. Ent. L. Rev. 305, 333 (2017) (discussing how “‘revocation’ is more obvious if Netflix were to personally serve the person who accessed content through the use of a valid account holder’s login credentials, for example, via a cease and desist letter”).
Alexander Koster is a J.D. candidate, 2019, at NYU School of Law.