United States vs. Nosal – Recent Ninth Circuit Court of Appeals Decision
You access your friend’s Netflix account after he gave you permission to use it with his login and password. Did you just commit a federal criminal offense?
Earlier this year, the Ninth Circuit Court of Appeals decided 2-1 that sharing passwords to access computer databases can be grounds for criminal prosecution. The case was brought to the Appeals Court after David Nosal, an employee at the executive search firm Korn and Ferry International. Nosal left the firm in 2004 after being denied a promotion. Though he stayed on for a year as a contractor, he was simultaneously preparing to launch a competing search firm, along with several co-conspirators. Although all of their computer access was revoked, they continued to access a Korn and Ferry candidate database, known as Searcher, using the login credentials of Nosal’s former assistant, who was still with the firm. It is important to emphasize that Nosal’s assistant gave him permission to use her login and password when accessing the database.
Nosal was prosecuted under the Computer Fraud and Abuse Act of 1986 (CFAA) and sentenced to serve prison time, probation, and nearly $900,000 in restitution and fines.
Nosal’s conviction was upheld in this recent Ninth Circuit ruling because of the CFAA’s clause that criminalizes anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization.” Though CFAA is often understood to be an anti-hacking law, that clause in particular has been applied to many cases that fall far short of actual systems tampering.
For instance, the CFAA has been used to prosecute violation of Terms of Service agreements. Most notoriously, the law was used to pursue Aaron Swartz, the young programmer who committed suicide after being charged with mass-downloading research papers from an MIT database, in violation of its terms of service—despite the fact that he was then a research fellow at MIT, with authorized access to the involved database.
In the Ninth Circuit ruling, dissenting judge Stephen Reinhardt stated in his opinion that the decision now makes “consensual password sharing” a federal crime. He believes that the decision “loses sight of the anti-hacking purpose of the CFAA, and threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” Overall, he believes that the decision’s clause is too broad by including consensual password sharing.
After this decision was handed down by the court, many users of database streaming sites such as, Netflix and Hulu, became fearful that they could potentially become prosecuted for allowing friends or family access to their accounts. However, Netflix and HBO CEOs have previously stated that they believe account sharing is a “positive thing” and has been proven to be a “terrific marketing vehicle.” Nevertheless, this law could theoretically ensnare people who share their Netflix or HBO Go password, though it is basically inconceivable that the federal government would prosecute such an action.
If you or a loved one is being investigated or has been arrested for computer hacking or another crime that falls under the Computer Fraud and Abuse Act, contact a computer hacking defenses attorney. Attorney Elizabeth B. Carpenter has defended many people who have been charged with computer crimes in federal courts.