Blog

It's no secret that many subscribers of streaming video on demand and other forms of over-the-top content like to share passwords and accounts with their friends and family. This lets two people in different rooms - or even different states - enjoy the program of their choice at the same time. However, one recent court ruling has consumers afraid they won't be able to enjoy this perk much longer.

Sharing passwords now a crime?
Many news organizations reported on a July 5 ruling by the U.S. Ninth Circuit Court of Appeals. The decision essentially found that sharing passwords without authorization is a federal crime under the Computer Fraud and Abuse Act. This law, enacted in 1986, was designed to prevent hacking attempts by officially making unauthorized access to computers and networks a federal crime.

The July 5 case involved a former employee at Korn/Ferry International, an executive-search firm. The New York Daily News claimed that this ruling would put millions of subscribers under federal scrutiny and end with them facing heavy fines or jail time. The idea seems dystopian, but the CFAA is a vague piece of legislation that could theoretically be used for such a purpose.

"Clever prosecutors have used the CFAA to bring unusual cases against defendants."

Criticisms of the CFAA
Because of the way the CFAA was originally written, clever prosecutors have used it to bring unusual cases against defendants, Wired noted. One notable case occurred in 2008, when 49-year-old Lori Drew was charged for using a fake MySpace account to cyberbully a teenage girl who ultimately committed suicide. There were no laws against cyberbulling at the time, so federal prosecutors claimed Drew acquired unauthorized access to MySpace's computers to create the fake profile in violation of the social network's terms of service. As Wired mentioned, this interpretation of the law turned a simple breach of contract into a criminal matter.

There have been attempts to reform the CFAA in recent years. In 2013, internet activist and standards developer Aaron Swartz was charged with violating the CFAA for downloading MIT files. Anxiety over the case led Swartz to commit suicide, prompting two members of Congress to propose an amendment to the CFAA. They wanted a more succinct definition of unauthorized access and for the law to exclude breaches of user agreements and terms of service. As Forbes noted, the proposal - dubbed Aaron's Law - never gained support.

"This reform only captured the attention of a small group of people," Orin Kerr, a law professor at the George Washington University Law School, told Forbes. "It's not an issue that resonates with the public- at least yet."

Will the CFAA affect businesses on a subscription business model?
With such an intense history, it's no wonder why consumers are afraid of facing criminal charges under the CFAA for sharing their Netflix, Hulu, Spotify and other subscription passwords. This might cause the law to finally receive the public attention Kerr alluded to.

But are subscribers really under the threat of federal prosecution? To answer this question, one needs a comprehensive understanding of the recent case.

According to Fortune, defendant David Nosal left Korn/Ferry in 2004. He stayed as a contractor for a year after, during which time he plotted to create a rival firm. Nosal's computer access with Korn/Ferry was revoked, so he and several co-conspirators used the login credentials of Nosal's former assistant - who still worked with the company - to access the firm's candidate database.

"The concept of authorization highlights why Nosal's actions are different than friends sharing a Hulu password."

This aspect of the case is key to understanding the ruling and explaining to customers why they shouldn't worry. Nosal's access to the Korn/Ferry database was revoked, so he had no authorization to access the information no matter whose credentials he used. The concept of authorization is critical and highlights why Nosal's actions are different than a pair of friends sharing a Hulu password. Major SVOD providers encourage their customers to share credentials.

"We love people sharing Netflix," the company's CEO Reed Hastings said at the 2016 Consumer Electronic Show, according to CNet. "That's a positive thing, not a negative thing."

The CEO of HBO made a similar statement, TechCrunch reported. In fact, password sharing actually reduces churn while encouraging customer acquisition. Children who use their parents' SVOD accounts while living at home often purchase their own upon entering adulthood. Plus, many businesses view allowing their subscribers to share passwords as a consumer-friendly move. 

This is just the opinion of a few providers, however. Ultimately, it's up to individual businesses to decide whether sharing passwords violates their terms of service and subjects subscribers to federal prosecution. The potential is there, but companies on a subscription billing platform should keep in mind the fact that customers enjoy sharing passwords and that adding such a clause to their TOS could negatively impact their subscriber base.