Share Your Netflix Password, Commit a Federal Crime?
When an anti-hacking law was expanded beyond its intended scope
What America really needs is move over-criminalization of the innocuous, or at least that’s what the 9th Circuit seems to think.
Though this is nothing new, the 9th Circuit’s latest opinion reiterated the awful bastardization of Computer Fraud and Abuse Act (CFAA). Meant to be an anti-hacking act, the CFAA could be broadly interpreted to view all unauthorized database access as prosecutable.
Fortune reported:
The decision came in the case of David Nosal, an employee at the executive search (or headhunter) firm Korn/Ferry International. Nosal left the firm in 2004 after being denied a promotion. Though he stayed on for a year as a contractor, he was simultaneously preparing to launch a competing search firm, along with several co-conspirators. Though all of their computer access was revoked, they continued to access a Korn/Ferry candidate database, known as Searcher, using the login credentials of Nosal’s former assistant, who was still with the firm.
Nosal was eventually charged with conspiracy, theft of trade secrets and three counts under CFAA, and was sentenced to prison time, probation, and nearly $900,000 in restitution and fines.
Nosal’s conviction under CFAA hinged on a clause that criminalizes anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization”. Though CFAA is often understood to be an anti-hacking law, that clause in particular has been applied to many cases that fall far short of actual systems tampering.
CFAA has, for instance, been used to prosecute violation of Terms of Service agreements (which are themselves a contested practice). Most notoriously, the law was used to pursue Aaron Swartz, the young programmer who committed suicide after being charged with mass-downloading research papers from an MIT database, in violation of its terms of service—despite the fact that he was then a research fellow at MIT, with authorized access to the involved database.
…
One of the Ninth Circuit judges, Stephen Reinhardt, seemed to agree with those interpretations in his dissenting opinion. While Reinhardt took no issue with Nosal’s convictions on trade secrets violations, he said the new decision also makes “consensual password sharing” a prosecutable offense. Reinhardt noted that the decision “loses sight of the anti-hacking purpose of the CFAA, and . . . threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.”
Scott Shackford at Reason writes the ACLU has filed a complaint, hoping to block part of the CFAA:
The ability to interpret the prohibitions of the law extremely broadly has prompted the American Civil Liberties Union (ACLU) to file suit to block part of the law. They argue that the law’s bans on unauthorized access or violating a site’s terms of agreement make it a felony for researchers and journalists to investigate whether sites engage in discrimination in their use of consumer-driven algorithms by pretending to be somebody that they’re not for auditing purposes. Read more about their suit here.
Opinion here:
UNITED STATES OF AMERICA vs. DAVID NOSAL
[Featured image a screen grab from included video]
Follow Kemberlee on Twitter @kemberleekaye
DONATE
Donations tax deductible
to the full extent allowed by law.
Comments
Wouldn’t this also affect Neislen and other marketing research firms that access user’s account on a site to pull billing and purchasing information.
“Though all of their computer access was revoked, they continued to access a Korn/Ferry candidate database, known as Searcher, using the login credentials of Nosal’s former assistant, who was still with the firm.”
Translation: Though they were not allowed to access the database, they obtained someone else’s credentials through social engineering and did so anyway.
THAT’S HACKING.
You seem to be saying that a hacking conviction in this case is inappropriate and will spell doom for everyone else. But I have a hard time understanding why convicting a hacker of hacking is a bad thing. (If you want to say that the penalty was excessive, I’m with you there. But that’s not the same argument).
I agree, it read to me like he was willfully engaged in unauthorized access to steal a competitor’s protected information.
If it was used against someone accessing Netflix, that would be different.
A person who uses another’s Netflix login to access content is committing identity theft and/or fraud. (Even with the account holder’s permission/compliance, the user is posing as the account holder, intentionally misleading the business into believing the user is a paid subscriber. This misrepresentation allows the user to fraudulently access content for which he has not paid.)
That’s a stretch. Netfix accounts are two tier. One level you pay for two devices to run simultaneously. The higher level you pay for four devices to access the network simultaneously.
No matter who or where the network is accessed, only two/four devices will play at a given time. It’s not a free for all where one person can sign up for Netflix and then give the password to 20 of their friends and they can all watch the programming at the same time on 20 different devices.
Netflix isn’t getting anything stolen from them. That access is paid for by the account holder whether its two/four devices at one location or a single device in two/four locations.
While I agree with the conclusion you make as to “hacking,” the Nosal and his two associates did not use “social engineering” to get Nosal’s former assistants password and access.
The assistant was going to leave the company with Nosal and two others to join his new firm, but was encouraged to stay in her position at Korn/Ferry for the express purpose of using her credentials to get into the system and steal the “Searcher” database.
They didn’t trick her, they didn’t dumpster dive, they didn’t set up a situation where she would give her credentials out in good faith to someone. The four conspired to use her credentials to bypass the locking out of the three people (including Nosal) who left to form a competitor.
I don’t think that Nosal act and his three partners acted in a way that would be called “social engineering.”
When the company locked out Nosal and the two people that left, in essence the company “locked the front door” to them. The assistant then went and opened the back door to allow them illegal access to data they wanted to steal.
That’s hacking too.
Enticing someone to knowingly do what they know they should not is very much social engineering because it exploits human weaknesses to gain access. Dumpster diving, on the other hand, is not social engineering. It’s just good recon.
I’m skeptical of the article title’s premise as it relates to netflix.
In general, most companies offering password protected services do not actively seek to prosecute password sharing, paying customers because it tends to be bad for business.
Specific to netflix, the company now has a limit on how many devices you can stream from at the same time (you can get more with a higher tier membership fee). This effectively ameliorates the problem by greatly curtailing sharing capacity. This makes me happy as a customer because my cost doesn’t go up to support the freeloaders.
Yes, Netflix ACTIVELY ENCOURAGES multiple users to share one account. In addition to the concurrent device limit, the first screen you see when you login is “Who’s watching?” where you choose your profile. They use this to better tailor recommendations to each individual within a household. What they seem to be selling is really a “family” license, although I’ve never bothered to read their license to see what it says exactly.
I don’t understand why everyone has connected this case with Netflix when it wasn’t about Netflix. With your Netflix membership, you pay for simultaneous streams. Which means, even if a thousand people have your password, only the number of streams associated with your account can be used at any given time.
Ex. I pay for two streams. So, even if I gave 50 friends the password, only two of them could use it for streaming at a time. That’s what I pay for. There is no limitations as far as who uses my service or where or on which device. I’m paying for the streams, not the online access. Just accessing the service doesn’t allow you to stream. The stream must be available as part of your membership plan. Does this make sense?
That’s not actually correct. From Netflix’s EULA, “2.1 Grant of Limited License. Netflix grants you (which, for purposes of this License Agreement, shall include members of your immediate household for whom you will be responsible hereunder and users of the Netflix ready device with which you are accessing the Netflix service and for whom you will be responsible hereunder) a non-exclusive, limited, personal and nontransferable license, subject to and conditioned on your compliance with the restrictions set forth in this License Agreement, to install and use the Software, in object code form only, provided to you by or on behalf of Netflix in connection with your use of the Netflix service.”
You purchase the license for yourself, members of your household, and anyone watching TV with you while you or members of your household are watching it. At least as I read the license, it would be a violation to share your password with a friend, to let him watch one of your streams at his home.
Whether or not they’d ever both to prosecute is another question, but the ruling in the article makes it sound like they’d have a case. Again, assuming I am following all this correctly.
I can see why the FBI and DoJ don’t want to waste any more time on Hillary Clinton’s immense compromise of national security, potentially revealing to our adversaries a trove of our most sensitive secrets on a scale so huge we’ll never know the damage she caused.
They have to protect the country against Netflix password-sharing and teenagers downloading music.
I’ll bet Director Comey won’t have any conflicts about enforcing this law.
It’s called “priorities.”
Our computer-savvy generation expects everything to be free. Wanna see the new “Ghostbusters” film? Illegally download it. Same with the best new music around. This is just part of that greater trend, and now there could be serious repercussions.
I’m no legal scholar, so I won’t even opine on the nuts and bolts of the cases in play. I will say we should respect artists more and realize stealing their work is wrong.