In July 2016, a panic swept across social media due to widespread claims a “new law” or other legal action made it a felony or a “federal crime” to share one’s Netflix password.
The rumor quickly decoupled from articles about Netflix passwords and the law, with legions of users simply claiming that as of July 2016 the common practice was highly illegal. Slate summed up the panic:
The ruling was widely reported as meaning it is illegal for people to share their account passwords with anyone else (sample headlines: “Federal court rules that sharing your Netflix password is a federal crime,” and “Federal Court Rules That Password Sharing Is Illegal Under Insane Ancient Law”). It’s true that the case hinged on the illegality of sharing a password (though not a Netflix password), and it’s true that—by a 2–1 majority—the court decided this particular instance of password sharing was a violation of the CFAA. But as is often the case when dealing with CFAA rulings, the implications of the decision are probably not as clear-cut (or as dramatic) as “all password sharing is illegal all the time.”
By all accounts, the rumors sprang from a 5 July 2016 opinion issued by the United States Court of Appeals for the Ninth Circuit in San Francisco [PDF]. A summary for that opinion quickly revealed that the ruling in question in no way pertained to Netflix; the word “Netflix” appeared nowhere in the 67-page long document.
The decision actually had to do with the use of unauthorized login credentials by former employee to “circumvent … revocation of access”; that is, a former employee breached company login protocols after having access his revoked upon separation of employment. The opinion had nothing to do with sharing Netflix passwords between siblings or friends:
The panel affirmed convictions for knowingly and with intent to defraud accessing a protected computer “without authorization,” in violation of the Computer Fraud and Abuse Act (CFAA), and for trade secret theft, in violation of the Economic Espionage Act (EEA); and vacated in part and remanded the restitution order for reconsideration of the reasonableness of the attorneys’ fees award.
The panel held that the defendant, a former employee whose computer access credentials were revoked, acted “without authorization” in violation of the CFAA when he or his former employee co-conspirators used the login credentials of a current employee to gain access to computer data owned by the former employer and to circumvent the revocation of access. The panel rejected the defendant’s contentions regarding jury instructions and sufficiency of the evidence in connection with the CFAA counts, as well as his sufficiency-of-the-evidence, instructional, and evidentiary challenges to his EEA convictions for trade secret theft.
As is often the case, a brief portion of the summary containing the opinion of a dissenting judge was rapidly seized on by outlets claiming that Netflix password sharing had now become a federal crime:
Dissenting, Judge Reinhardt wrote that this case is about password sharing, and that in his view, the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.
People who read down to page 23 of the opinion found that the concerns of criminalizing Netflix use were considered in issuing the opinion and found to be of minor import:
Our conclusion does nothing to expand the scope of violations under the CFAA beyond Brekka; nor does it rest on the grace of prosecutorial discretion. We are mindful of the examples noted in Nosal I — and reiterated by Nosal and various amici — that ill-defined terms may capture arguably innocuous conduct, such as password sharing among friends and family, inadvertently “mak[ing] criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” But the circumstance here — former employees whose computer access was categorically revoked and who surreptitiously accessed data owned by their former employer — bears little resemblance to asking a spouse to log in to an email account to print a boarding pass.
While at least one United States Court of Appeals Circuit Judge disagreed, the operative factor was that the case involved had nothing at all to do with streaming, Netflix, HBO Go, Facebook, or other services by which users commonly share passwords for myriad reasons. The specific issue was lack of authorization and deliberate intent to circumvent access revoked in an employer-employee capacity. Extrapolating that such a ruling might affect Netflix users wasn’t out of the bounds of possibility, but was unnecessarily alarmist given the scope of the ruling.
A Los Angeles Times article about the rumors noted that while one judge fretted over future criminalization of password sharing, popular streaming services openly acknowledged the practice and generally viewed it as harmless to their business models:
But to be clear, the dissenting judge was concerned about a speculative future situation. It’s not like some new law was passed that criminalized sharing your password, and no one has been indicted for watching “Mr. Robot” with their mom’s Hulu Plus login. One judge is just saying he’s concerned about setting an overly zealous precedent.
Besides, streaming sites know people share logins, and none of them appear to be cracking down on it. HBO Chairman and Chief Executive Richard Piepler said password sharing wasn’t encouraged but wasn’t a big enough problem to warrant the network’s attention. Netflix CEO Reed Hastings said people sharing an account hasn’t really been a problem for his company either. And according to court documents, the firm where Nosal worked had employees sign a confidentiality agreement stating they would not share login information with anyone else.
In response to our inquiry, a representative for Netflix told us that:
Overall, Netflix members can create up to five profiles on each account and the only limit is on how many devices that can be used to access Netflix at the same time, which is by plans. The $11.99 plan allows four devices to stream at the same time; the $9.99 plan allows two. As long as they aren’t selling them, members can use their passwords however they please.
It is not true that any new law was passed in July 2016 criminalizing Netflix password sharing. The ruling that sparked the rumors itself didn’t in any way make the practice a crime; a dissenting judge merely expressed concern that the decision (unrelated to streaming services) opened the door for precedent in password sharing regulation. However, Netflix has stated that the company views such sharing as a positive and a way to attract new customers.