The practice of password sharing has received a lot of attention this past year. Some media reports have suggested that using a friend or family member’s Netflix or HBO Go password without having an account yourself could land you in a federal prison as a violation of the Computer Fraud and Abuse Act (“CFAA”). These reports are based largely on two decisions by the Ninth Circuit Court of Appeals: United States v. Nosal (“Nosal”) and Facebook, Inc. v. Power Ventures, Inc. (“Power Ventures”). But what do these decisions really mean for password sharing? Should you be worried about going to prison if you use a family or friend’s Netflix or HBO Go password? Probably not. (Although password sharing could still be problem, just not a go directly to jail, do not pass go problem.) Here's why:
United States v. Nosal – Using a shared password most likely won’t violate the CFAA under Nosal for three reasons:
(1) Nosal involved a conspiracy between the defendant and several others to gain access to a proprietary database by using a shared password in order to steal trade secrets for a competing business. This kind of commercial password sharing bears little resemblance to the act of using a Netflix or HBO Go password obtained from a family or friend so that you can binge watch the latest season of House of Cards or Game of Thrones. In applying the law, facts matter and the greater the difference between two factual scenarios the less likely a court decision governing one situation will apply in another factually distinct situation.
(2) the legal rule set forth in Nosal is simply incompatible with the kind of recreational password sharing so prevalent today. The court in Nosal set forth the following rule: an employee violates the CFAA if such an employee “knowingly and with intent to defraud” his or her employer uses a computer “when [his or her] employer has rescinded permission to access the computer and the [employee] uses the computer anyway.” In other words, “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.” The Nosal rule, more often than not, simply does not work in the context of Netflix or HBO Go password sharing, specifically:
(i) the online video service providers generally do not affirmatively revoke a password recipient’s access to the service (this could be through a cease and desist letter or otherwise). In fact, Netflix knows its users share passwords and finds the practice positive from a business standpoint.
(ii) The password recipient is generally not an employee of the online service provider. And,
(iii) a recipient of a shared Netflix password is generally not using the password to steal trade secrets or other confidential information (unless you're watching the X-Files).
(3) subjecting Netflix or HBO Go shared password users to sanctions under the CFAA would be inconsistent with the purpose of the CFAA and the intent Congress had when passing it. The CFAA was enacted by Congress to “deter and punish certain ‘high-tech’ crimes,” and “to penalize thefts of property via computer that occur as part of a scheme to defraud.” This is exactly the type of conduct the defendant in Nosal was involved in. He accessed his former employer’s proprietary database without authorization (authorization that had been explicitly revoked) in order to steal trade secrets. Using a shared password obtained from a family or friend to watch TV shows and movies on Netflix is not the type of “high-tech crime” Congress intended to deter and punish under the CFAA.
Facebook, Inc. v. Power Ventures, Inc. – Like Nosal, Power Ventures does not impose criminal liability for recreational use of a shared password.
Power Ventures was a social media aggregation company that provided its users a platform in which they could manage all their social media accounts from one place. In order to do this with respect to Facebook, Power Ventures asked its users for permission to access Facebook through their Facebook accounts. Once armed with this permission, Power Ventures accessed its users' Facebook accounts in order to provide its users with its all-in-one social media service. The court found Power Ventures liable under the CFAA because, despite receiving permission from Facebook users to access their Facebook accounts, Power Ventures continued to access Facebook’s systems after Facebook explicitly revoked the permission Power Ventures needed to access its systems.
While Power Ventures did involve user-level access authorization to a computer system without access authorization from the system's owner (like using a shared password to access a service you do not have an account for), the holding of Power Ventures does not appear to directly apply to the recreational sharing and use of a Netflix or HBO Go password. Power Ventures was liable under the CFAA because it continued to access Facebook’s systems after Facebook sent it a cease and desist letter demanding that it stop doing so. Since online service providers like Netflix do not generally send users of shared passwords cease and desist letters, accessing one of these TV-viewing services with a shared password is probably not a violation of the CFAA.
It is therefore highly unlikely that the CFAA could (or would) be used to criminally prosecute someone who used a friend or family member’s password purely for personal entertainment purposes. However, this is not to say that using someone else’s password for personal use without having an account yourself is permitted under other laws, it just won’t land you in a federal prison.*
*However, you should never use your consumer Netflix, HBO, cable, DirecTV or other video service for commercial purposes, such as showing a movie or TV show in your restaurant. THAT can get you in boatloads of expensive trouble.