
In America sharing your password is now a federal crime!

Master Disaster

On Wednesday the USA court of appeal voted 2:1 to back a ruling that anybody sharing any password with another user that hasn't been "authorised" is a breach of the CFAA and as such is committing a federal crime. 

 

Now to add some context to this ruling, it stems from a group of 4 employees at Ferry International Research who left the company but then borrowed a password from a friend who still worked there so they could access the company's private database and take information they needed to start their own company.

 

Quote

An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"

The worry is the ruling will lead to cases such as your average Joe gives their Netflix password to their wife and they're in breach of the CFAA, after all, it's not like Joe had authorisation from Netflix to give his wife access.

 

A judge on the case has remarked that the definitions attached to the case are loose and ambiguous allowing the ruling to potentially be misused. 

 

https://news.slashdot.org/story/16/07/06/2010233/password-sharing-is-a-federal-crime-appeals-court-rules

 

Wow, this one's a doozie. First of all I can see how this ruling makes sense in the context of the case outlined, I mean stealing corporate information should be a crime (pretty sure it already is) but C'mon America. Attaching such a loose definition to such a trivial and everyday occurrence is idiotic. We'll see how long it takes before Netflix start suing users who give passwords to "unauthorised users". 

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Hold on

 

Sharing your password with somebody not authorised?..... I am not sure that is called sharing

"look I didn't steal the apple, the owner was just sharing it"

 

 

Desktop - Corsair 300r i7 4770k H100i MSI 780ti 16GB Vengeance Pro 2400mhz Crucial MX100 512gb Samsung Evo 250gb 2 TB WD Green, AOC Q2770PQU 1440p 27" monitor Laptop Clevo W110er - 11.6" 768p, i5 3230m, 650m GT 2gb, OCZ vertex 4 256gb,  4gb ram, Server: Fractal Define Mini, MSI Z78-G43, Intel G3220, 8GB Corsair Vengeance, 4x 3tb WD Reds in Raid 10, Phone Oppo Reno 10x 256gb , Camera Sony A7iii


America, being retarded as usual. I personally would much rather go to either Japan or Canada. I don't get why people here love America so much.

Spoiler

CPU: R5 1600 @ 4.2 GHz; GPU: Asus STRIX & Gigabyte g1 GTX 1070 SLI; RAM: 16 GB Corsair vengeance 3200 MHz ; Mobo: Asrock Taichi x470; SSD: 512 gb Samsung 950 Pro Storage: 5x Seagate 2TB drives; 1x 2TB WD PurplePSU: 700 Watt Huntkey; Peripherals: Acer S277HK 4K Monitor; Logitech G502 gaming mouse; Corsair K95 Mechanical keyboard; 5.1 Logitech x530 sound system

 01000010 01101001 01101110 01100001 01110010 01111001 00100000 01100100 01101111 01100101 01110011 01101110 00100111 01110100 00100000 01101101 01100001 01101011 01100101 00100000 01111001 01101111 01110101 00100000 01110000 01110010 01101111 00101110

 

 

 


WHOA!  Does this mean I can use this as an excuse to stop having my significant other grab, use and fork around with my sh!7?  Like "Sorry babe, I'll we'll get pinched by the man if I let you use my am coerced into having you use my gear and accounts." 

Please say yes, I want my shit back so I can use it.


AZERTY1234.

 

Youps, glad I'm not in the US /o/

CPU: i7 4790K | MB: Asus Z97-A | RAM: 32Go Hyper X Fury 1866MHz | GPU's: GTX 1080Ti | PSU: Corsair AX 850 | Storage: Vertex 3, 2x Sandisk Ultra II,Velociraptor | Case : Corsair Air 540

Mice: Steelseries Rival | KB: Corsair K70 RGB | Headset: Steelseries H wireless


31 minutes ago, ShadowCaptain said:

Hold on

 

Sharing your password with somebody not authorised?..... I am not sure that is called sharing

"look I didn't steal the apple, the owner was just sharing it"

 

 

I think they mean "not authorized by the service provider".

 

If you ask me it's a blatant excuse to force families to buy two Netflix (or whatever) accounts. It's the same logic behind trying to kill the used games market.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


46 minutes ago, Master Disaster said:

Wow, this one's a doozie. First of all I can see how this ruling makes sense in the context of the case outlined, I mean stealing corporate information should be a crime (pretty sure it already is) but C'mon America. Attaching such a loose definition to such a trivial and everyday occurrence is idiotic. We'll see how long it takes before Netflix start suing users who give passwords to "unauthorised users". 

That seems like a fair analysis to me :)

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


Quote

anybody sharing any password with another user that hasn't been "authorised" is a breach

 

don't you like authorize the person by sharing a password with him in the first place, so it's ok then?

CPU: Intel i7 5820K @ 4.20 GHz | MotherboardMSI X99S SLI PLUS | RAM: Corsair LPX 16GB DDR4 @ 2666MHz | GPU: Sapphire R9 Fury (x2 CrossFire)
Storage: Samsung 950Pro 512GB // OCZ Vector150 240GB // Seagate 1TB | PSU: Seasonic 1050 Snow Silent | Case: NZXT H440 | Cooling: Nepton 240M
FireStrike // Extreme // Ultra // 8K // 16K

 


45 minutes ago, ShadowCaptain said:

Hold on

 

Sharing your password with somebody not authorised?..... I am not sure that is called sharing

"look I didn't steal the apple, the owner was just sharing it"

 

 

You can give your password to someone who doesn't have authority to access it. 

 

11 minutes ago, DXMember said:

 

don't you like authorize the person by sharing a password with him in the first place, so it's ok then?

What gives you permission to authorise someone to access something you don't own? 


2 minutes ago, Master Disaster said:

What gives you permission to authorise someone to access something you don't own? 

if it's like a company or a work account, sure, there are already policies and laws in place

 

if it's like a facebook, youtube... c'mon...


It helps to protect the less intelligent that think they can lend their steam account to the sexy girl from Japan after talking to her for 15 minutes and trust her 100%

 

America helps the less gifted! It's so beautiful!

I once explained to my girlfriend what true love is. I said, "If you were a shit, I'd put you back in" and to this day, she is still my little shit. 


1 minute ago, DXMember said:

if it's like a company or a work account, sure, there are already policies and laws in place

 

if it's like a facebook, youtube... c'mon...

That's the issue this judge has with this ruling, it only says "unauthorised" and it doesn't clarify what exactly that means or who exactly needs to give authorisation. 

 

Using your example, I authorise my girlfriend to use my Facebook account but in doing so she is technically logging onto Facebook's server using a password which they haven't authorised her to use meaning they could go after me under CFAA because I gave her access to data on their server that only I'm authorised to access.

 

It's a giant mess if you ask me, just like anti terrorism laws you bet your ass there will be companies using this ruling to go after people who simply don't deserve it. 


18 minutes ago, Clonzoo said:

It helps to protect the less intelligent that think they can lend their steam account to the sexy girl from Japan after talking to her for 15 minutes and trust her 100%

 

America helps the less gifted! It's so beautiful!

What if I told you making it illegal doesn't stop idiots from being idiots? A lot of people probably won't even know this is a thing.

 

Last time I checked drunk driving was also illegal, but you constantly hear about human garbage that does it anyway and kills someone in the process.


How are they going to check that?

Also when a person steals your password, will you end up in jail because you "shared" it?

If you want my attention, quote meh! D: or just stick an @samcool55 in your post :3

Spying on everyone to fight against terrorism is like shooting a mosquito with a cannon


4 minutes ago, samcool55 said:

How are they going to check that?

Also when a person steals your password, will you end up in jail because you "shared" it?

probably.  you have to be responsible and keep it safe.

 

I'm half joking and half serious... I feel weird :P


22 minutes ago, Sauron said:

What if I told you making it illegal doesn't stop idiots from being idiots? A lot of people probably won't even know this is a thing.

 

Last time I checked drunk driving was also illegal, but you constantly hear about human garbage that does it anyway and kills someone in the process.

At least give them a few points for trying.. :D


41 minutes ago, Master Disaster said:

That's the issue this judge has with this ruling, it only says "unauthorised" and it doesn't clarify what exactly that means or who exactly needs to give authorisation. 

 

Using your example, I authorise my girlfriend to use my Facebook account but in doing so she is technically logging onto Facebook's server using a password which they haven't authorised her to use meaning they could go after me under CFAA because I gave her access to data on their server that only I'm authorised to access.

 

It's a giant mess if you ask me, just like anti terrorism laws you bet your ass there will be companies using this ruling to go after people who simply don't deserve it. 

what about sharing Netflix account with family members? liable of piracy and CFAA?


1 minute ago, DXMember said:

what about sharing Netflix account with family members? liable of piracy and CFAA?

That was literally the example that the judge used when he spoke out against this ruling :(


It even says in the quote in the OP

1 hour ago, Master Disaster said:

This appeal is not about password sharing. [...] her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore

The issue is not password sharing - it would be stretching it a lot to call that fraud. The issue here is that the password that was shared was a password to a corporate database which the recipient was not allowed to access (because they were no longer an employee), so accessing the database is prohibited. In the ruling, it says

Quote

Dissenting, Judge Reinhardt wrote that this case is about password sharing, and that in his view, the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.

Although a lot of sources are saying that this is an attack against password sharing in general, and I guess it is possible that a judge will end up taking it that way in the future, that is not what has happened here, and this case is only about the fact that his access had been revoked, making it clear that his access to the database was unauthorised, but he tried to work around it and gain access to the database anyway.

HTTP/2 203


#PasswordSharingMatters

Details separate people.


Hmmmm...sounds like this thing called the computer misuse act in the UK where basically those 3 ex-employees "hacked" into the database :P 

Looking at my signature are we now? Well too bad there's nothing here...

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

What? As I said, there seriously is nothing here :) 


1 hour ago, colonel_mortis said:

It even says in the quote in the OP

The issue is not password sharing - it would be stretching it a lot to call that fraud. The issue here is that the password that was shared was a password to a corporate database which the recipient was not allowed to access (because they were no longer an employee), so accessing the database is prohibited. In the ruling, it says

Although a lot of sources are saying that this is an attack against password sharing in general, and I guess it is possible that a judge will end up taking it that way in the future, that is not what has happened here, and this case is only about the fact that his access had been revoked, making it clear that his access to the database was unauthorised, but he tried to work around it and gain access to the database anyway.

You mean like how the anti terrorism bill wasn't going to inflict on the lives of ordinary Americans? These things generally start from genuine circumstances and are often passed with the best of intentions but having undefined terms and loose definitions in law can and does lead to the laws being misused in situations they were never intended to be used.

 

If you gave me the LTT SQL password right now would you say Linus or Luke would be correct in saying I accessed their database without authorisation? That's the problem here, the law has a genuine purpose but it's so open to interpretation.
