back to article Dear America, best not share that password with your pals. Lots of love, the US Supremes

A California bloke fighting a computer hacking conviction has lost his final appeal after the US Supreme Court declined to hear his case. The ramifications of this decision could affect everyone in America who has ever shared a password with their friends and family. We'll explain. In 2004, David Nosal was a high-level …

Silver badge

What happens if...

You guess the password and do it anyway?

What is "authorized"? By whom?

Inquiring minds need to know.

Now if they will convict the ransomware people, that would be a start.

14
9
Bronze badge

Re: What happens if...

It seems pretty simple to me.

If you are authorized to access a given system the owner (or their authorized agent for such purposes) of it will have provided you with a userid and password of your own to facilitate that access, if they haven't, or won't, then guessing someone else's account details or persuading them to give them to you is the same as any other form of hacking in - it's illegal because you have not been granted authorized access and you quite rightly run the risk of being done for it. Where I work corporate policy is also very clear that you'll also be invited to seek exciting opportunities outside the company.

Using a spouse's or friend's account details to access their computer should also be fairly straight forward - if they own the computer/system, have given you their account info and told you you can access the system using those details then they've authorized you to log in using those details - if they didn't want you to do that they should have created a separate account for you or told you you can't have access. If you then log in using their account without them authorizing you to do so, then once again you're on the dodgy side of the law (not to mention the relationship). I have a separate account on my wife's personal laptop and I also know her login and password - but I still check with her every time if I need to log in as her to look at a problem - just because I know more about computers than she does doesn't reduce her right to whatever level of privacy she desires.

Even giving a family member the details to your bank cards is covered - the T&Cs for these (and any of the numerous company ID/access cards or tokens I've ever held) invariably make it clear that the card or token remains the property of the issuer - in other words, you as the user are not the owner and therefor do not have the authority to delegate use of that item.

Simples, really.

51
2
Silver badge

Re: What happens if...

The is the Nine Seniles do not grasp there is a difference between unauthorized access and data theft and sharing Netflix passwords or email passwords with friends and family. The shysters defined hacking as knowing the credentials without distinguishing between intent to harm or innocent convenience. Given there is a standing precedent, a shyster with a vendetta can charge someone with hacking for logging into a family members email or Failbook account.

Given that a couple of the Nine Seniles are doddering idiots and probably really borderline senile does not help either.

3
40
Bronze badge

Re: What happens if...

"The is the Nine Seniles do not grasp there is a difference between unauthorized access and data theft and sharing Netflix passwords"

Actually, in this specific case of sharing passwords to services with friends and family I would argue that the "Nine Seniles" have in fact got the correct grasp - when a service such as Netflix puts in its T&Cs that you are not allowed to share your access with other people they, as owners of the service, are being pretty specific about the fact that you don't have any right or authority to delegate your access to anyone else - anyone who then uses your access password or codes is very definitely illegally accessing the system. I suspect Netflix (and similar services) will have a very definite opinion on whether or not sharing passwords is akin to data theft.

I haven't studied FB's T&Cs, but I wouldn't be surprised if they have a similar restriction, if nothing else to try and build their user numbers. As for a personal email account, well, people have ended up in the poo for just this before today - if the person who's account it is doesn't authorize you to access it then doing so is, at the very least, an indication that you're a bit of an arsehole and from there it's not too much further to being a stalker and/or divorced.

I just don't see what's complicated about this - either you have been granted legitimate access by a person with the authority to do so, or you haven't - one is legal, the other isn't. If the person giving you the access information is not authorized to delegate their access, then potentially you're both in trouble.

36
1
Silver badge

Re: What happens if...

Exactly, Kernel.

I think in this case the EFF are barking up the wrong tree.

Just because something is convenient doesn't mean it can negate legal restrictions. Breaking the law is breaking the law.

The only exception I would see is the bank account. In that case, both my wife and I have Power of Attorney for each other's bank accounts, for emergencies. That means that we can legally access the accounts, because it has been legally approved (this is German law).

You can't do that with a Netflix account, for example. The Power of Attorney would only allow me to cancel the subscription or change the payment information, but not to use the account.

15
1
Silver badge

Re: What happens if...

Seems to me the individual has been sent down because of the intent not just the action. He intended to use data that wasn't his. Just about every employee induction programme I've gone through has been pretty clear I can't walk off with the company's data.

20
0

Re: What happens if...

What planet do you live on? Some Utopian world where nothing goes wrong? Or maybe you are one of those people who thinks they do nothing wrong. Of course its not that simple.

Your son or daughter is away at university and loses their credit card on a Friday evening and needs to pay a bill on Saturday morning or be evicted. If you have kids you will realize that kids don't plan. So you have your credit card couriered to them and tell them the PIN so they can withdraw cash to pay the bill. By your reckoning this is obvious breach of rules is punishable.

There are many, many scenarios when sharing details between close members is sometimes necessary.

In the specific case documented in the article it is clearly a crime since the person was stealing intellectual property so it is bewildering why the person was not prosecuted for this crime. This case is no different to a giving your front door key to a neighbor so they can feed to your cat only to find they've cleared out your house. What's the crime here? Giving the key or clearing out the house. The answer is obvious.

It's a sign of the times that the justice system cannot apply appropriate laws. In this case presumably because the prosecutors believed the possibility of a conviction for a computer crime is more likely than proving damages as a result of the theft of data.

4
25
Silver badge

Re: What happens if...

@Sirius Lee, like hell I would! I wouldn't send them the credit card, I'd get them to send me the account information for the landlord and I'd make a payment from my account. I'd also ask them, why they hadn't set up a standing order to pay the rent on time every month...

30
0

Re: What happens if...

The issue is really different. Even the Netflix case is not correct. If you share your Netflix details with somebody else then you are in breach of terms and conditions of the contract. The person you gave access details never entered into a contract with Netflix. Netflix can try to remedy this situation when the login process requires to agree to the contract and its T&Cs.

If you borrow a tablet from me and watch Netflix what then? You did not need to login to Netflix. Legal or illegal? Fine for an hour? Fine for a year? Still fine when you give me money for rent of the tablet?

What with email which is configured too for several accounts? Are you now a hacker when you start the App?

7
2
Silver badge

Re: What happens if...

That Netflix example isn't hacking though is it? It's a breach of contract. Not punishable by time in jail but by cancellation of the account and any other punishment/compensation agreed upon in the contract.

There is also a huge difference between sharing a Netflix account and pilfering the entire customer database from a company for your own commercial purposes. One is perhaps unethical, the other is a crime in it's own right. Even if it's done by gaining the legitimate password through social engineering.

15
1
Silver badge

Re: What happens if...

If you borrow a tablet from me and watch Netflix what then? You did not need to login to Netflix. Legal or illegal? Fine for an hour? Fine for a year? Still fine when you give me money for rent of the tablet?

I would suggest that is akin to borrowing a DVD - I can't use the tablet whilst you've borrowed it.

That's very different to plugging my Netflix creds into your tablet or indeed your smart TV so that we can both use the account in the comfort of our separate homes.

It's not a perfect analogy since I could be using my TV whilst you use my tablet, but the idea of sharing devices differs slightly in that it applies to a (presumably) finite number of devices, whereas raw credentials could (in principle) be used on an infinite number of devices (until Netflix blocks the account).

5
0
Boffin

Re: What happens if...

You guess the password - that would be hacking.

You've brute forced access, it just happens you've got lucky on the first attempt.

7
0
Anonymous Coward

Re: What happens if...

"Even giving a family member the details to your bank cards is covered - the T&Cs for these (and any of the numerous company ID/access cards or tokens I've ever held) invariably make it clear that the card or token remains the property of the issuer - in other words, you as the user are not the owner and therefor do not have the authority to delegate use of that item."

How does this square with the possible existenc of formal documents such as Power of Attorney which are drawn up for various purposes such that one person may act as an agent of another? Say, for example, in the case of acting on behalf of someone who is physically or mentally incapacitated either temporarily or longer term? This is fraud or hacking?

3
1
Anonymous Coward

Re: What happens if...

My son can have all my bank account details, and he can use the money if he needs to. That's just how we roll in my family. To each his own.

1
1
Silver badge

Re: What happens if...

"Seems to me the individual has been sent down because of the intent not just the action."

Just this. Intent can be an important factor in criminal cases.

6
0
Silver badge

Re: What happens if...

"Giving the key or clearing out the house. The answer is obvious."

Good luck getting your insurance to pay for the theft.

1
0
Silver badge
Facepalm

Re: What happens if...

"If you have kids you will realize that kids don't plan. So you have your credit card couriered to them and tell them the PIN so they can withdraw cash to pay the bill. By your reckoning this is obvious breach of rules is punishable."

Jesus, you're a fecking eejit! So you want a new car, you see it on eBay, you make contact and agree to buy it from the seller. You then post the seller your card telling them to take the money off the card and post the card back when they're done?!

Only one person can use your CC, that's you. Don't like it? Tough! The CC company owns the card, the account, it's a private company and you made an agreement with them, their rules.

9
1
Gold badge
Unhappy

""overzealous prosecutors" "

Is there any other kind in Trumpistan?

5
1
Bronze badge

Re: What happens if...

In your example, the child was given access to the card by the OWNER of the card.

In this legal case, those who provided access to the defendant weren't authorized to do so. They WEREN'T the OWNERS of the data which was stolen.

So in your example, it's like the child passed on the credit card number and PIN to a friend.

Then this friend used the information to charge on the father's credit card. This friend wasn't given access by the OWNER, the friend was given access by the child who had access to the information.

It isn't about passwords, it's about trespassing and having authorized access.

From an information security perspective, this is an insider threat who is an accessory to data theft.

2
0
Silver badge

Re: What happens if...

How does this square with the possible existenc of formal documents such as Power of Attorney

POA is, essentially, a legal way of saying that you wish the nominated person to be able to act as if they were you in certain legal situations. It's not fraud or hacking since, in the eyes of the law, you are them (in certain situations and for certain activities).

I suspect that trying to use someone elses Netflix under POA would be a breach. Cancelling their netflix however, would be legal since one of the abilities that POA gives you is to start or end contracts as if you were the other person.

Another example - if the other person has a car granted under the Mobility scheme, you wouldn't be able to drive it, but you would be able to cancel the scheme because that falls under the remit of the powers of POA.

3
0
Silver badge

Re: What happens if...

That's just how we roll in my family. To each his own.

And if someone happens to obtain your details from him and cleans out your bank account, I suspect that your bank would be somewhat unsympathetic..

2
0
Silver badge

Re: What happens if...

Under the UK's Computer Misuse Act it would come down whether your access was authorised.

If you had power of attorney for an incapacitated relative then you would be considered authorised to use that computer and no offence would be committed (at least of unauthorised access - if you then defrauded that person then you could still be done for fraud).

If you accidentally woke up a computer to which you did not have authorisation, then no offence would have been committed since you had no intent.

If the original case in the article had happened in the UK, it would seem to be a straightforward breach of Sections (1) and (2) of the Computer Misuse Act.

1
0

Re: What happens if...

"are being pretty specific about the fact that you don't have any right or authority to delegate your access to anyone else "

What is the practical difference between letting someone use your password, on the one hand, and logging in and selecting a film and then letting someone else watch it?

1
1
Gold badge

Re: What happens if...

"How does this square with the possible existenc of formal documents such as Power of Attorney "

It squares perfectly. If you have Power of Attorney then you would have the authority to act as that person and the T&Cs are overridden. However, the vast majority of cases where "my spouse and I know each other's bank passwords" are not PoA cases and so would be a breach of the bank's conditions.

Look at it the other way. If you lend someone an object and a few weeks later you discover that it has been loaned on to others, are you miffed? You might be, even if the object is undamaged and back in your possession when you requested. There's a breach of trust and a level of risk that you didn't bargain for.

2
0
Gold badge

Re: What happens if...

"What is the practical difference between letting someone use your password, on the one hand, and logging in and selecting a film and then letting someone else watch it?"

To you, very little. To Netflix, there is an increased risk that the password will be re-used by the other person (perhaps without your knowledge) with the reduced chance of the other person actually buying their own sub. If they (Netflix) are grown up about this, they might consider letting a third party watch a free film is a form of advertising and so it is debatable whether they suffer any financial loss. They are much less likely to treat password-loan as a form of advertising.

1
0
Bronze badge

Re: What happens if...

>when a service such as Netflix puts in its T&Cs that you are not allowed to share your access with other people

A lot of people here (along with the judges) are missing the point.

T&Cs are terms of a civil contract.

This judgment turns them into criminal code.

If you can't see the difference, you're not looking hard enough.

4
1
Silver badge

Re: What happens if...

"Your son or daughter is away at university and loses their credit card on a Friday evening and needs to pay a bill on Saturday morning or be evicted."

Whatever happened to Western Union, "The Fastest Way to Send Money"? Or its competitor MoneyGram? No need to divulge the credit card, they can get the money by Saturday morning to pay their bill.

1
0

Re: What happens if...

So what we now have is a good way of getting out of paying babysitting fees -- just give the babysitter your netflix password, and have her arrested before paying her.

Simples.

0
0

So ...

What happened to the people that coughed up their passwords? Would this be any different than if they had put the info on a disc or printed it out?

7
0
Silver badge

Re: So ...

It's simple. Was the person who "published" the info granted the authority by the site owners to share this information (yes or no)?

6
0
Silver badge

Re: So ...

In either case (handing over the password or copying the information in some form) would be at least a disciplinary offence, if not a sackable offence.

If we are talking about websites with discrete user access, the company running the service would be within its rights to immediately disable / delete the account for misuse under its terms and conditions.

You know, that long piece of text you had to read and agree to before signing up.

6
0

Why the upset?

Nosal used other people's credentials to filch data and ended up in the clink.

Would anyone be upset if he was jailed after he got them to cough up the keys to the building so he could walk off with the server? Would anyone even be surprised if those who gave him the keys ended up in adjacent cells?

23
0
Silver badge

Re: Why the upset?

"The ramifications of this decision could affect everyone in America who has ever shared a password with their friends and family. We'll explain. ......"

As was explained in the article, it seems that he was jailed for using a shared password to access a computer system, not for stealing data. Hence any husband and wife (or whatever) couple who shared a password to access Facebook (or whatever) could go to jail.

1
12
Silver badge

Re: Why the upset?

I'm not sure that's the right way round. He accessed a system to which he was unauthorised by using a password he shouldn't have had. As I read it he was jailed because of the access, not the method he used to get that access; his defence was that because the original user of the password had access then there was no issue with him using the password.

Which is clearly a ludicrous argument; having the password does not imply that you are authorised to get access - a particular person is authorised and given the password to permit the access. Not the same thing at all.

15
0
Silver badge

Re: Why the upset?

As was explained in the article, it seems that he was jailed for using a shared password to access a computer system, not for stealing data.

Unlikely. The Act in question does not criminalise unauthorised access per se except in the case of Government computers or others having specific national security implications. Otherwise the prosecution also needs to establish either:

(s4) "knowingly and with intent to defraud..."

(s5) "...as a result of such conduct, causes damage and loss."

That's easy enough to do in this case but not in the case of simply accessing your wife's FB account, with her permission. Of course if you use that access to start trolling or scamming then that's a different matter.

What is more interesting is the Netflix scenario. You are not a party to the Netflix T/C so you're not liable for any breaches in contract/civil law (that's your wife's problem), but you probably are guilty of crime. Personally I don't find this surprising. If my wife gives me the key to the office photocopier then that's an issue between her and her employer. However if I use that key to obtain photocopying services for myself then that's a matter for the police.

9
0
Silver badge

Re: Why the upset?

Netflix: you that would come under theft or damages, probably.

At the very least, Netflix would be within its rights to suspend / delete the account in question and possibly sue the user for breach of contract.

2
0

Re: Why the upset?

I think you missed the point. No-one is arguing that Nosal did the wrong thing. The argument is that the basis upon which the decision was made has potential well beyond its intended scope.

To reiterate the article's example (I have no idea personally if the conditions are real, just using the example):

- Netflix state in their EULA that only the account holder may posses the login credentials for their account, that they cannot be shared with anyone.

- You as the Netflix customer then share your login credentials with your spouse, who uses them to watch a show, in violation of the EULA.

Using the same argument basis that put Nosal behind bars, both you and your spouse have engaged in criminal activity:

- You have directly violated the EULA by giving out your credentials.

- Your spouse (more to the point), has accessed the service using a set of credentials that they have no right to.

Using Nosal as a precedent, your spouse is now considered a hacker.

The whole thing is that there is no limitation on the quoted precedent, and while it seems insane, we know lawyers don't always work with common-sense, they work with law and legal precedents, regardless of reality.

2
1
Silver badge

Re: Why the upset?

You're mixing up contract and criminal law. An EULA is a contract; it can only apply to someone who intentionally agrees to be bound by it. That means that you could be sued for giving your spouse the password, but your spouse is in the clear (in that regard) because they never agreed to the Netflix EULA in the first place.

Criminality only enters the equation if your spouse then steals goods or services from Netflix. This is an offence irrespective of how your spouse gained access to their network. Handing over your password for the purposes of facilitating a crime may well make you an accessory, but that isn't exactly a groundbreaking precedent. Pretty much any action intentionally taken with the foreknowledge that it will be used to facilitate crime is potentially illegal.

"Sharing passwords" is a red herring. It is exactly the same as sharing any other keys, combinations, or access codes with someone who you know intends to use them to steal something from a third party.

9
0
Silver badge

Re: Why the upset?

You are not a party to the Netflix T/C so you're not liable for any breaches in contract/civil law (that's your wife's problem), but you probably are guilty of crime.

In the UK, you wouldn't even need computer misuse/"hacking" laws.

Fraud Act, Section 2 will do - Fraud by False Representation.

You have obtained a service by masquerading as a customer using their credentials. You are not a customer, you have not paid for a service, you are not entitled to use that service. QED.

I don't know about Netflix, but for Amazon there is Family Sharing, which allows you to share services such as Prime Video across a limited number of named users. There should be no need to ever share passwords. If Netflix has a similar system, then sharing passwords would indeed seem to be operating outside the system they have provided for family sharing, and would represent evidence of malfeasance (an intent to defraud) in and of itself.

5
0
Silver badge

Re: Why the upset?

Using the same argument basis that put Nosal behind bars, both you and your spouse have engaged in criminal activity:

- You have directly violated the EULA by giving out your credentials.

- Your spouse (more to the point), has accessed the service using a set of credentials that they have no right to.

Fucking hell, where the fuck do you people learn about the law? Criminal acts are those which are contrary to laws. Some shite written in a EULA is not a law, so breaking the EULA is not a crime. The account holder does not access computer systems without authorisation, and so in no way can be described as engaging in criminal activity.

Breaking an EULA cannot be a criminal act (unless the act is illegal in itself, eg Twitter probably disallow profane images of some kind; uploading those would be against the EULA, but would only be illegal if the images are illegal themselves eg CP)

3
0
Bronze badge
Devil

My Password is

Password1

Now I've just overloaded their courtroom space by +100,000%.

2
4
Silver badge

Re: My Password is

Not necessarily. They could lump all the users of that password into one multi-defendant case. Unless each user then commits a serious crime with that access, the case can get settled in a general district court without need for a jury (depending on the jurisdiction, jury trials for criminal matters are only guaranteed for felonies).

2
0
Silver badge

Interesting opinion to have...

...in a country that routinely expects foreigners to cough up their passwords and such on entry.

27
0
Anonymous Coward

Re: Interesting opinion to have...

Simple. (1) They're not citizens and (2) they're not officially in the country yet.

6
6

Re: Interesting opinion to have...

(3) DO AS I SAY NOT AS I DO

8
3
Silver badge

Re: Interesting opinion to have...

@AC, it is irrelevant, under the terms and conditions, it is illegal to hand over the passwords. Therefore Customs would, theoretically, require a court order to force you to hand over the passwords.

And if the person in question is coming from the EU, they would need the written permission of every identifiable person in that account, before they can hand over the information, otherwise the person would be liable to prosecution back in the EU.

6
0
Silver badge

Re: Interesting opinion to have...

under the terms and conditions, it is illegal to hand over the passwords.

No it isn't. T/C are contracts and breach of contract isn't illegal. Also, as a general principle, any contract that contains illegal terms is liable to be voided entirely so you can't escape a charge of (for instance) harbouring a felon just because you to signed a tenancy agreement with a confidentiality clause.

coming from the EU, they would need the written permission ... before they can hand over the information, otherwise ... liable to prosecution back in the EU.

Possibly so, but also not relevant. Countries aren't obliged to take any account of other countries laws unless they sign specific treaties (e.g. WTO) to that effect. Austrian law requiring removal of face veils directly contradicts Saudi law which demands them and a female Saudi national returning home after visiting Austria could theoretically be prosecuted for indecency, particularly if the incident occurred "air side" and therefore not technically within Austria. Caveat viator.

6
0
Silver badge

Re: Interesting opinion to have...

"otherwise the person would be liable to prosecution back in the EU."

Didn't you get the memo? US law overrules everyone else's

4
1
Silver badge

Re: Interesting opinion to have...

That's not the point.

The Feds, who are US citizens, and are in the country, presumably log onto Facebook using these passwords.

3
0
Silver badge

Re: Interesting opinion to have...

But acting in a law-enforcement capacity and conducting an investigation of a prospective alien who is not yet officially in the country (he can still be denied and held to be returned) and therefore is not necessarily protected by liberties accorded those "within" the country, unless you can cite case law otherwise. Legal investigations can trump contracts and even legal protections (like attorney-client or spousal privilege) under certain circumstances.

0
1

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017