You Wouldn’t Share A Car: The Absurd Possibility of Criminalizing Password Sharing

Kyle Moodhe, Contributing Member 2023-2024
Intellectual Property and Computer Law Journal

I. Introduction

If password sharing were a crime, then most Americans would be guilty. Unfortunately, under a strict reading of a couple of federal statutes, Americans may truly be guilty of a crime for sharing their passwords.[1] Password sharing is the act of a user of an online or digital service allowing a non-user, often friends and family, to utilize their username and password to access that same service.[2] Federal courts, law enforcement, and streaming services are reticent to pursue these criminal claims, but there is no reason for that to be the status quo.[3]

This article will explain the possible federal statutes which potentially subject citizens to penalties or liability for password sharing. Next, it surveys recent court cases which lend support to the idea of criminal liability or contradict this notion. Lastly, it discusses Van Buren v. United States, and why the Supreme Court, if it takes up the issue, has reason to reject criminalizing password-sharing for streaming service customers.

II. Background

Streaming services have long understood that password sharing is widely practiced amongst its account holders.[4] Allegedly, in 2019 password sharing “cost Netflix, Amazon, and Hulu at least $2.3 billion, $540 million, and $480 million in annual revenue, respectively.”[5] In May of 2023, Netflix, the streaming giant, began cracking down on password sharing.[6] As a result, Netflix saw an 8% year-over-year increase in new account holders in the third quarter of 2023.[7] However, Netflix still offers differently priced plans which allow for and authorize password sharing among different users and households.[8] Although streaming services prohibit the practice of password sharing, it is part of the business model. Everyone acknowledges that password sharing is a common practice.

III. The Criminal Statutes

The two major criminal statutes at issue with password sharing are 1) the Digital Millennium Copyright Act (“DMCA”) and 2) the Computer Fraud and Abuse Act (“CFAA”).[9] While both statutes are arguably a problem for password sharing, the CFAA is worded in such a was to directly criminalize password sharing.[10] The DMCA, on the other hand contains anti-circumvention language, which is a problem for password sharing, but this interpretation has been disfavored in recent court cases.[11]

The DMCA

The DMCA was passed to provide an extra layer of protection for copyrighted works.[12] The legislation, passed in 1998, was part of an initiative to modernize copyright law protections as they related to the new digital landscape.[13] The specific provision of the DMCA which password sharing may violate is §1201(a)(1)(A), and it states “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.”[14] This provision makes it illegal for individuals to “circumvent a technological measure” controlling “access” to copyrighted works stored digitally.[15]

Password sharing would technically violate the anti-circumvention language of §1201(a)(1)(A).[16] Circumventing a technological measure includes “avoiding, bypassing, removing, deactivating, or otherwise impairing a technological measure”[17] Under a fairly plain reading, using another’s username and password fits these criteria.[18] As a result, some argue that streaming services have a fairly straightforward way to rein in password sharing under the DMCA.[19]

However, according to John Mixon, recent case law suggests that courts are unlikely to find password sharing to be a true circumvention.[20] Mixon points to the case I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Information Systems, Inc. in which an I.M.S. client violated the terms of service and provided Berkshire, a competitor, with login information to a client portal.[21] In this case, the federal district court held that the use of a username and password granted to a third party by an authorized party was not a “circumvention” under DMCA.[22] Additionally, Mixon points to Dish Network L.L.C. v. World Cable Inc., which also supports the holding that entry of the username and password into a system is not a circumvention.[23]

Although it may appear that the DMCA offers recourse to streaming providers seeking to crack down on password sharing, it does not appear that courts are willing to declare password sharing to be circumvention.[24]

The CFAA

The CFAA began as an anti-hacker statute geared toward the protection of government computers.[25] Over time, it has expanded to encompass any unauthorized access of computers connected to the internet.[26] Almost every digital device is captured in this understanding of “computer” including phones and iPads.[27]

The CFAA is phrased in such a way that may allow streaming providers to pursue CFAA claims against individuals who share passwords.[28] The key portion of CFAA regarding password sharing states that liability attaches when someone “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer.”[29] Again, under a plain reading, this seems to suggest that password sharers are violating the CFAA because sharing a username and password is not authorized by the terms of service, or at least exceeds authorized access. [30] Streaming content can be considered obtaining information from the streaming provider.[31] As a result, the CFAA provides the most viable route to impose liability, civil or criminal, on those who share their passwords.[32]

Unfortunately for streaming services, courts are not clear that password sharing is illegal under the CFAA.[33] Specifically, the 9^th Circuit addressed “without authorization” and “exceeds authorization” in two related cases involving the same defendant, David Nosal.[34] Nosal left his employer to start his own competitor company.[35] He poached two former co-workers who provided him with the login access to his previous employer.[36] Once their access was revoked, Nosal used another former co-worker to obtain valuable information from his previous employer.[37]

In the first case of United States v. Nosal (“Nosal I”), the court was tasked with determining whether “exceeds authorized access” can include any conduct that violates contractual restrictions on use.[38] The 9^th Circuit refused to allow private entities’ computer policies the determining factor in whether one “exceeded authorized access” and committed a federal crime.[39] The court noted that to rule otherwise was to subject a large number of unsuspecting persons to criminal liability under federal law.[40] Many praised the 9^th Circuit’s restrained approach to the definition of “exceeds authorized access” in Nosal I.[41]

In the second case of United States v. Nosal (“Nosal II”), the court tried to settle the meaning of “without authorization” in the CFAA.[42] Since there was no statutory definition of “without authorization,” the court interpreted the language’s plain meaning to be “without permission.”[43] Consequently, Nosal’s use of another employee’s login information to access the company computer was a violation of the CFAA.[44] The majority waved away fears that they had criminalized password sharing by claiming their interpretation only applied to the subsection on defrauding.[45] However, as Mixon pointed out, the dissent correctly identified that the majority’s definition of “without authorization” also applies to mere access without permission.[46] As a result, Nosal II alarmed observers who agreed with the dissent that the 9^th Circuit made sharing one’s Netflix or Hulu password with their family a federal crime.[47] Essentially, hacking and a password sharing are seen as equivalent crimes under this interpretation of the CFAA in spite of the 9^th Circuit’s assurances.[48]

IV. Van Buren v. U.S.

Following Nosal I and Nosal II, the Supreme Court was asked to decide the extent of “exceeds authorized access.”[49] This case involved a police sergeant named Nathan Van Buren, who utilized his access to a law enforcement database to retrieve information in exchange for money.[50] Van Buren agreed to utilize this database to conduct a search for money which was an “improper purpose” in violation of his police department’s policy.[51] While the government argued that using a database in violation of policy had “exceed[ed] authorized access,” Van Buren argued that his improper purpose did not meet the definition of “exceeds authorized access.”[52] The jury found Van Buren guilty of violating the CFAA, and he was sentenced to 18 months in jail.[53]

The Supreme Court held that Van Buren’s improper use of the database was not “exceed[ing] his access,” so he did not violate the CFAA.[54] The majority focused on the statutory definition of “exceeds authorized access,” found in §1030(e)(6).[55] The majority understood the definition to prohibit obtaining information from a specific area one does not have access to within a larger system which one has been granted access.[56]

Justice Barrett, writing for the majority, dispatches with the Government’s and the dissent’s counterarguments, but she also includes an interesting policy argument against the broad interpretation of the CFAA.[57] Barrett claims that the Government’s broad interpretation, “would attach criminal penalties to a breathtaking amount of commonplace computer activity. Van Buren frames the far-reaching consequences of the Government’s reading as triggering the rule of lenity or constitutional avoidance.”[58] Barrett states, “If the “exceeds authorized access” clause criminalizes every violation of a computer-use policy, then millions of otherwise law-abiding citizens are criminals.”[59] Barrett concludes that the Government has no answer to these hypothetical concerns of criminalizing innocuous or commonplace violations of terms of use.[60]

V. Analysis

Van Buren appears to be either a test run or a prophylactic opinion discouraging the government from cracking down on password sharing by prosecuting individuals under the CFAA. Barrett reinforces the understanding that courts do not want to read the CFAA as expansively as possible. Her concern that a broad reading of the CFAA would criminalize password sharing is, at the very least, implied. If the court were to directly take on a CFAA case dealing with password sharing, then the decision would arguably look like Van Buren. The Supreme Court, as a whole, has no appetite for interpretations which make millions of Americans criminals.

VI. Conclusion

Although the DMCA and the CFAA have plausible interpretations which make password sharing illegal, law enforcement is unlikely to pursue password sharers as criminals, and courts will not affirm this interpretation. Previous case law does not show any willingness of the court to read these statutes broadly. The Supreme Court’s decision in Van Buren confirms that the court will not criminalize password sharing when doing so would have untenable consequences.

[1] Futoshi Dean Takatsuki, Comment: United States v. Nosal II, 37 Loy. L.A. Ent. L. Rev. 305, 307 (2017).

[2] Id. at 306–07.

[3] Id. at 333–34.

[4] Alex N. Samaei, The Computer Fraud and Abuse Act: Are You Still Watching?, 18 J. High Tech. L. 98, 108 (2017).

[5] John Mixon, Netflix and Not-So-Chill: The Legality of Sharing Passwords for Netflix & Other Streaming Services, 101 J. Pat. & Trademark Off. Soc’y 336, 337 (2021).

[6] Angela Watercutter & Will Bedingfield, Netflix’s Password-Sharing Crackdown Is Working—for Now, Wired (Oct. 10, 2023, 6:47 PM), https://www.wired.com/story/netflix-password-sharing-crackdown-working-for-now/

[7] Id.

[8] Netflix.com, https://help.netflix.com/en/node/24926 (Last visited 4/15/2024). (demonstrating that Netflix allows for simultaneous streaming on two devices and offers a “Premium” subscription which allows for four simultaneous streamers and “2 extra members who don’t live with you).

[9] Matthew Ashton, Debugging the Real World: Robust Criminal Prosecution in the Internet of Things, 59 Ariz. L. Rev. 805, 811 (2017).

[10] Mixon, supra note 5 at 342.

[11] Id. at 341.

[12] Ashton supra note 9 at, 811–12.

[13] Mixon, supra note 5 at 339.

[14] 17 U.S.C.A. § 1201

[15] Ashton supra note 9 at 812.

[16] Mixon, supra note 5 at 339–40.

[17] 17 U.S.C.A. § 1201(a)(3)

[18] Mixon, supra note 5 at 339–40.

[19] Id. at 340.

[20] Id.