July 12, 2016
Josephine Wolff wrote for Future Tense about the effect of the Computer Fraud and Abuse Act:
What is illegal to do on a computer? When I teach technical computer science majors about cybersecurity policy, that is one of the first questions I tackle. But the answer changes from semester to semester as courts issue new rulings on what constitutes illegal hacking under the Computer Fraud and Abuse Act. Just last week, on July 5, the Ninth Circuit Court of Appeals issued a decision about shared passwords that highlighted, yet again, how much ambiguity and uncertainty there still is around the CFAA even though it was passed 30 years ago.
The ruling was widely reported as meaning it is illegal for people to share their account passwords with anyone else (sample headlines: “Federal court rules that sharing your Netflix password is a federal crime,” and “Federal Court Rules That Password Sharing Is Illegal Under Insane Ancient Law”). It’s true that the case hinged on the illegality of sharing a password (though not a Netflix password), and it’s true that—by a 2–1 majority—the court decided this particular instance of password sharing was a violation of the CFAA. But as is often the case when dealing with CFAA rulings, the implications of the decision are probably not as clear-cut (or as dramatic) as “all password sharing is illegal all the time.”