Dear America, best not share that password with your pals. Lots of love, the US Supremes

A California bloke fighting a computer hacking conviction has lost his final appeal after the US Supreme Court declined to hear his case. The ramifications of this decision could affect everyone in America who has ever shared a password with their friends and family. We'll explain. In 2004, David Nosal was a high-level …

  1. Herby Silver badge

    What happens if...

    You guess the password and do it anyway?

    What is "authorized"? By whom?

    Inquiring minds need to know.

    Now if they will convict the ransomware people, that would be a start.

    1. Kernel

      Re: What happens if...

      It seems pretty simple to me.

      If you are authorized to access a given system the owner (or their authorized agent for such purposes) of it will have provided you with a userid and password of your own to facilitate that access, if they haven't, or won't, then guessing someone else's account details or persuading them to give them to you is the same as any other form of hacking in - it's illegal because you have not been granted authorized access and you quite rightly run the risk of being done for it. Where I work corporate policy is also very clear that you'll also be invited to seek exciting opportunities outside the company.

      Using a spouse's or friend's account details to access their computer should also be fairly straightforward - if they own the computer/system, have given you their account info and told you you can access the system using those details then they've authorized you to log in using those details - if they didn't want you to do that they should have created a separate account for you or told you you can't have access. If you then log in using their account without them authorizing you to do so, then once again you're on the dodgy side of the law (not to mention the relationship). I have a separate account on my wife's personal laptop and I also know her login and password - but I still check with her every time if I need to log in as her to look at a problem - just because I know more about computers than she does doesn't reduce her right to whatever level of privacy she desires.

      Even giving a family member the details to your bank cards is covered - the T&Cs for these (and any of the numerous company ID/access cards or tokens I've ever held) invariably make it clear that the card or token remains the property of the issuer - in other words, you as the user are not the owner and therefore do not have the authority to delegate use of that item.

      Simples, really.

      1. a_yank_lurker Silver badge

        Re: What happens if...

        The is the Nine Seniles do not grasp there is a difference between unauthorized access and data theft and sharing Netflix passwords or email passwords with friends and family. The shysters defined hacking as knowing the credentials without distinguishing between intent to harm or innocent convenience. Given there is a standing precedent, a shyster with a vendetta can charge someone with hacking for logging into a family member's email or Failbook account.

        Given that a couple of the Nine Seniles are doddering idiots and probably really borderline senile does not help either.

        1. Kernel

          Re: What happens if...

          "The is the Nine Seniles do not grasp there is a difference between unauthorized access and data theft and sharing Netflix passwords"

          Actually, in this specific case of sharing passwords to services with friends and family I would argue that the "Nine Seniles" have in fact got the correct grasp - when a service such as Netflix puts in its T&Cs that you are not allowed to share your access with other people they, as owners of the service, are being pretty specific about the fact that you don't have any right or authority to delegate your access to anyone else - anyone who then uses your access password or codes is very definitely illegally accessing the system. I suspect Netflix (and similar services) will have a very definite opinion on whether or not sharing passwords is akin to data theft.

          I haven't studied FB's T&Cs, but I wouldn't be surprised if they have a similar restriction, if nothing else to try and build their user numbers. As for a personal email account, well, people have ended up in the poo for just this before today - if the person whose account it is doesn't authorize you to access it then doing so is, at the very least, an indication that you're a bit of an arsehole and from there it's not too much further to being a stalker and/or divorced.

          I just don't see what's complicated about this - either you have been granted legitimate access by a person with the authority to do so, or you haven't - one is legal, the other isn't. If the person giving you the access information is not authorized to delegate their access, then potentially you're both in trouble.

          1. big_D Silver badge

            Re: What happens if...

            Exactly, Kernel.

            I think in this case the EFF are barking up the wrong tree.

            Just because something is convenient doesn't mean it can negate legal restrictions. Breaking the law is breaking the law.

            The only exception I would see is the bank account. In that case, both my wife and I have Power of Attorney for each other's bank accounts, for emergencies. That means that we can legally access the accounts, because it has been legally approved (this is German law).

            You can't do that with a Netflix account, for example. The Power of Attorney would only allow me to cancel the subscription or change the payment information, but not to use the account.

          2. Another User

            Re: What happens if...

            The issue is really different. Even the Netflix case is not correct. If you share your Netflix details with somebody else then you are in breach of terms and conditions of the contract. The person you gave access details never entered into a contract with Netflix. Netflix can try to remedy this situation when the login process requires to agree to the contract and its T&Cs.

            If you borrow a tablet from me and watch Netflix what then? You did not need to login to Netflix. Legal or illegal? Fine for an hour? Fine for a year? Still fine when you give me money for rent of the tablet?

            What with email which is configured too for several accounts? Are you now a hacker when you start the App?

            1. imanidiot Silver badge

              Re: What happens if...

              That Netflix example isn't hacking though is it? It's a breach of contract. Not punishable by time in jail but by cancellation of the account and any other punishment/compensation agreed upon in the contract.

              There is also a huge difference between sharing a Netflix account and pilfering the entire customer database from a company for your own commercial purposes. One is perhaps unethical, the other is a crime in its own right. Even if it's done by gaining the legitimate password through social engineering.

            2. rh587 Bronze badge

              Re: What happens if...

              "If you borrow a tablet from me and watch Netflix what then? You did not need to login to Netflix. Legal or illegal? Fine for an hour? Fine for a year? Still fine when you give me money for rent of the tablet?"

              I would suggest that is akin to borrowing a DVD - I can't use the tablet whilst you've borrowed it.

              That's very different to plugging my Netflix creds into your tablet or indeed your smart TV so that we can both use the account in the comfort of our separate homes.

              It's not a perfect analogy since I could be using my TV whilst you use my tablet, but the idea of sharing devices differs slightly in that it applies to a (presumably) finite number of devices, whereas raw credentials could (in principle) be used on an infinite number of devices (until Netflix blocks the account).

          3. Pollik

            Re: What happens if...

            "are being pretty specific about the fact that you don't have any right or authority to delegate your access to anyone else "

            What is the practical difference between letting someone use your password, on the one hand, and logging in and selecting a film and then letting someone else watch it?

            1. Ken Hagan Gold badge

              Re: What happens if...

              "What is the practical difference between letting someone use your password, on the one hand, and logging in and selecting a film and then letting someone else watch it?"

              To you, very little. To Netflix, there is an increased risk that the password will be re-used by the other person (perhaps without your knowledge) with the reduced chance of the other person actually buying their own sub. If they (Netflix) are grown up about this, they might consider letting a third party watch a free film is a form of advertising and so it is debatable whether they suffer any financial loss. They are much less likely to treat password-loan as a form of advertising.

          4. strum Silver badge

            Re: What happens if...

            >when a service such as Netflix puts in its T&Cs that you are not allowed to share your access with other people

            A lot of people here (along with the judges) are missing the point.

            T&Cs are terms of a civil contract.

            This judgment turns them into criminal code.

            If you can't see the difference, you're not looking hard enough.

          5. Mark Wallace

            Re: What happens if...

            So what we now have is a good way of getting out of paying babysitting fees -- just give the babysitter your Netflix password, and have her arrested before paying her.

            Simples.

        2. John Smith 19 Gold badge
          Unhappy

          "overzealous prosecutors"

          Is there any other kind in Trumpistan?

      2. Sirius Lee

        Re: What happens if...

        What planet do you live on? Some Utopian world where nothing goes wrong? Or maybe you are one of those people who thinks they do nothing wrong. Of course it's not that simple.

        Your son or daughter is away at university and loses their credit card on a Friday evening and needs to pay a bill on Saturday morning or be evicted. If you have kids you will realize that kids don't plan. So you have your credit card couriered to them and tell them the PIN so they can withdraw cash to pay the bill. By your reckoning this is obvious breach of rules is punishable.

        There are many, many scenarios when sharing details between close members is sometimes necessary.

        In the specific case documented in the article it is clearly a crime since the person was stealing intellectual property so it is bewildering why the person was not prosecuted for this crime. This case is no different to giving your front door key to a neighbor so they can feed your cat only to find they've cleared out your house. What's the crime here? Giving the key or clearing out the house. The answer is obvious.

        It's a sign of the times that the justice system cannot apply appropriate laws. In this case presumably because the prosecutors believed the possibility of a conviction for a computer crime is more likely than proving damages as a result of the theft of data.

        1. big_D Silver badge

          Re: What happens if...

          @Sirius Lee, like hell I would! I wouldn't send them the credit card, I'd get them to send me the account information for the landlord and I'd make a payment from my account. I'd also ask them, why they hadn't set up a standing order to pay the rent on time every month...

          1. Anonymous Coward

            Re: What happens if...

            My son can have all my bank account details, and he can use the money if he needs to. That's just how we roll in my family. To each his own.

            1. CrazyOldCatMan Silver badge

              Re: What happens if...

              "That's just how we roll in my family. To each his own."

              And if someone happens to obtain your details from him and cleans out your bank account, I suspect that your bank would be somewhat unsympathetic.

        2. Anonymous Coward

          Re: What happens if...

          "Giving the key or clearing out the house. The answer is obvious."

          Good luck getting your insurance to pay for the theft.

        3. FuzzyWuzzys Silver badge
          Facepalm

          Re: What happens if...

          "If you have kids you will realize that kids don't plan. So you have your credit card couriered to them and tell them the PIN so they can withdraw cash to pay the bill. By your reckoning this is obvious breach of rules is punishable."

          Jesus, you're a fecking eejit! So you want a new car, you see it on eBay, you make contact and agree to buy it from the seller. You then post the seller your card telling them to take the money off the card and post the card back when they're done?!

          Only one person can use your CC, that's you. Don't like it? Tough! The CC company owns the card, the account, it's a private company and you made an agreement with them, their rules.

        4. Aodhhan Bronze badge

          Re: What happens if...

          In your example, the child was given access to the card by the OWNER of the card.

          In this legal case, those who provided access to the defendant weren't authorized to do so. They WEREN'T the OWNERS of the data which was stolen.

          So in your example, it's like the child passed on the credit card number and PIN to a friend.

          Then this friend used the information to charge on the father's credit card. This friend wasn't given access by the OWNER, the friend was given access by the child who had access to the information.

          It isn't about passwords, it's about trespassing and having authorized access.

          From an information security perspective, this is an insider threat who is an accessory to data theft.

        5. Charles 9 Silver badge

          Re: What happens if...

          "Your son or daughter is away at university and loses their credit card on a Friday evening and needs to pay a bill on Saturday morning or be evicted."

          Whatever happened to Western Union, "The Fastest Way to Send Money"? Or its competitor MoneyGram? No need to divulge the credit card, they can get the money by Saturday morning to pay their bill.

      3. Anonymous Coward

        Re: What happens if...

        "Even giving a family member the details to your bank cards is covered - the T&Cs for these (and any of the numerous company ID/access cards or tokens I've ever held) invariably make it clear that the card or token remains the property of the issuer - in other words, you as the user are not the owner and therefore do not have the authority to delegate use of that item."

        How does this square with the possible existence of formal documents such as Power of Attorney which are drawn up for various purposes such that one person may act as an agent of another? Say, for example, in the case of acting on behalf of someone who is physically or mentally incapacitated either temporarily or longer term? This is fraud or hacking?

        1. CrazyOldCatMan Silver badge

          Re: What happens if...

          "How does this square with the possible existence of formal documents such as Power of Attorney"

          POA is, essentially, a legal way of saying that you wish the nominated person to be able to act as if they were you in certain legal situations. It's not fraud or hacking since, in the eyes of the law, you are them (in certain situations and for certain activities).

          I suspect that trying to use someone else's Netflix under POA would be a breach. Cancelling their Netflix however, would be legal since one of the abilities that POA gives you is to start or end contracts as if you were the other person.

          Another example - if the other person has a car granted under the Mobility scheme, you wouldn't be able to drive it, but you would be able to cancel the scheme because that falls under the remit of the powers of POA.

        2. Mike Richards Silver badge

          Re: What happens if...

          Under the UK's Computer Misuse Act it would come down to whether your access was authorised.

          If you had power of attorney for an incapacitated relative then you would be considered authorised to use that computer and no offence would be committed (at least of unauthorised access - if you then defrauded that person then you could still be done for fraud).

          If you accidentally woke up a computer to which you did not have authorisation, then no offence would have been committed since you had no intent.

          If the original case in the article had happened in the UK, it would seem to be a straightforward breach of Sections (1) and (2) of the Computer Misuse Act.

        3. Ken Hagan Gold badge

          Re: What happens if...

          "How does this square with the possible existence of formal documents such as Power of Attorney"

          It squares perfectly. If you have Power of Attorney then you would have the authority to act as that person and the T&Cs are overridden. However, the vast majority of cases where "my spouse and I know each other's bank passwords" are not PoA cases and so would be a breach of the bank's conditions.

          Look at it the other way. If you lend someone an object and a few weeks later you discover that it has been loaned on to others, are you miffed? You might be, even if the object is undamaged and back in your possession when you requested. There's a breach of trust and a level of risk that you didn't bargain for.

    2. MyffyW Silver badge

      Re: What happens if...

      Seems to me the individual has been sent down because of the intent not just the action. He intended to use data that wasn't his. Just about every employee induction programme I've gone through has been pretty clear I can't walk off with the company's data.

      1. Doctor Syntax Silver badge

        Re: What happens if...

        "Seems to me the individual has been sent down because of the intent not just the action."

        Just this. Intent can be an important factor in criminal cases.

    3. DontFeedTheTrolls
      Boffin

      Re: What happens if...

      You guess the password - that would be hacking.

      You've brute forced access, it just happens you've got lucky on the first attempt.

  2. JustWondering

    So ...

    What happened to the people that coughed up their passwords? Would this be any different than if they had put the info on a disc or printed it out?

    1. Charles 9 Silver badge

      Re: So ...

      It's simple. Was the person who "published" the info granted the authority by the site owners to share this information (yes or no)?

    2. big_D Silver badge

      Re: So ...

      In either case (handing over the password or copying the information in some form) would be at least a disciplinary offence, if not a sackable offence.

      If we are talking about websites with discrete user access, the company running the service would be within its rights to immediately disable / delete the account for misuse under its terms and conditions.

      You know, that long piece of text you had to read and agree to before signing up.

  3. Sven Coenye

    Why the upset?

    Nosal used other people's credentials to filch data and ended up in the clink.

    Would anyone be upset if he was jailed after he got them to cough up the keys to the building so he could walk off with the server? Would anyone even be surprised if those who gave him the keys ended up in adjacent cells?

    1. frank ly Silver badge

      Re: Why the upset?

      "The ramifications of this decision could affect everyone in America who has ever shared a password with their friends and family. We'll explain. ......"

      As was explained in the article, it seems that he was jailed for using a shared password to access a computer system, not for stealing data. Hence any husband and wife (or whatever) couple who shared a password to access Facebook (or whatever) could go to jail.

      1. Neil Barnes Silver badge

        Re: Why the upset?

        I'm not sure that's the right way round. He accessed a system to which he was unauthorised by using a password he shouldn't have had. As I read it he was jailed because of the access, not the method he used to get that access; his defence was that because the original user of the password had access then there was no issue with him using the password.

        Which is clearly a ludicrous argument; having the password does not imply that you are authorised to get access - a particular person is authorised and given the password to permit the access. Not the same thing at all.

      2. Lysenko

        Re: Why the upset?

        "As was explained in the article, it seems that he was jailed for using a shared password to access a computer system, not for stealing data."

        Unlikely. The Act in question does not criminalise unauthorised access per se except in the case of Government computers or others having specific national security implications. Otherwise the prosecution also needs to establish either:

        (s4) "knowingly and with intent to defraud..."

        (s5) "...as a result of such conduct, causes damage and loss."

        That's easy enough to do in this case but not in the case of simply accessing your wife's FB account, with her permission. Of course if you use that access to start trolling or scamming then that's a different matter.

        What is more interesting is the Netflix scenario. You are not a party to the Netflix T/C so you're not liable for any breaches in contract/civil law (that's your wife's problem), but you probably are guilty of crime. Personally I don't find this surprising. If my wife gives me the key to the office photocopier then that's an issue between her and her employer. However if I use that key to obtain photocopying services for myself then that's a matter for the police.

        1. big_D Silver badge

          Re: Why the upset?

          Netflix: that would come under theft or damages, probably.

          At the very least, Netflix would be within its rights to suspend / delete the account in question and possibly sue the user for breach of contract.

        2. rh587 Bronze badge

          Re: Why the upset?

          "You are not a party to the Netflix T/C so you're not liable for any breaches in contract/civil law (that's your wife's problem), but you probably are guilty of crime."

          In the UK, you wouldn't even need computer misuse/"hacking" laws.

          Fraud Act, Section 2 will do - Fraud by False Representation.

          You have obtained a service by masquerading as a customer using their credentials. You are not a customer, you have not paid for a service, you are not entitled to use that service. QED.

          I don't know about Netflix, but for Amazon there is Family Sharing, which allows you to share services such as Prime Video across a limited number of named users. There should be no need to ever share passwords. If Netflix has a similar system, then sharing passwords would indeed seem to be operating outside the system they have provided for family sharing, and would represent evidence of malfeasance (an intent to defraud) in and of itself.

    2. Psion1k

      Re: Why the upset?

      I think you missed the point. No-one is arguing that Nosal did the wrong thing. The argument is that the basis upon which the decision was made has potential well beyond its intended scope.

      To reiterate the article's example (I have no idea personally if the conditions are real, just using the example):

      - Netflix state in their EULA that only the account holder may possess the login credentials for their account, that they cannot be shared with anyone.

      - You as the Netflix customer then share your login credentials with your spouse, who uses them to watch a show, in violation of the EULA.

      Using the same argument basis that put Nosal behind bars, both you and your spouse have engaged in criminal activity:

      - You have directly violated the EULA by giving out your credentials.

      - Your spouse (more to the point), has accessed the service using a set of credentials that they have no right to.

      Using Nosal as a precedent, your spouse is now considered a hacker.

      The whole thing is that there is no limitation on the quoted precedent, and while it seems insane, we know lawyers don't always work with common-sense, they work with law and legal precedents, regardless of reality.

      1. Lysenko

        Re: Why the upset?

        You're mixing up contract and criminal law. An EULA is a contract; it can only apply to someone who intentionally agrees to be bound by it. That means that you could be sued for giving your spouse the password, but your spouse is in the clear (in that regard) because they never agreed to the Netflix EULA in the first place.

        Criminality only enters the equation if your spouse then steals goods or services from Netflix. This is an offence irrespective of how your spouse gained access to their network. Handing over your password for the purposes of facilitating a crime may well make you an accessory, but that isn't exactly a groundbreaking precedent. Pretty much any action intentionally taken with the foreknowledge that it will be used to facilitate crime is potentially illegal.

        "Sharing passwords" is a red herring. It is exactly the same as sharing any other keys, combinations, or access codes with someone who you know intends to use them to steal something from a third party.

      2. Tom 38 Silver badge

        Re: Why the upset?

        >Using the same argument basis that put Nosal behind bars, both you and your spouse have engaged in criminal activity:

        >- You have directly violated the EULA by giving out your credentials.

        >- Your spouse (more to the point), has accessed the service using a set of credentials that they have no right to.

        Fucking hell, where the fuck do you people learn about the law? Criminal acts are those which are contrary to laws. Some shite written in a EULA is not a law, so breaking the EULA is not a crime. The account holder does not access computer systems without authorisation, and so in no way can be described as engaging in criminal activity.

        Breaking an EULA cannot be a criminal act (unless the act is illegal in itself, eg Twitter probably disallow profane images of some kind; uploading those would be against the EULA, but would only be illegal if the images are illegal themselves eg CP)

  4. Tim Seventh
    Devil

    My Password is

    Password1

    Now I've just overloaded their courtroom space by +100,000%.

    1. Charles 9 Silver badge

      Re: My Password is

      Not necessarily. They could lump all the users of that password into one multi-defendant case. Unless each user then commits a serious crime with that access, the case can get settled in a general district court without need for a jury (depending on the jurisdiction, jury trials for criminal matters are only guaranteed for felonies).

  5. heyrick Silver badge

    Interesting opinion to have...

    ...in a country that routinely expects foreigners to cough up their passwords and such on entry.

    1. Anonymous Coward

      Re: Interesting opinion to have...

      Simple. (1) They're not citizens and (2) they're not officially in the country yet.

      1. Solarflare

        Re: Interesting opinion to have...

        (3) DO AS I SAY NOT AS I DO

      2. big_D Silver badge

        Re: Interesting opinion to have...

        @AC, it is irrelevant, under the terms and conditions, it is illegal to hand over the passwords. Therefore Customs would, theoretically, require a court order to force you to hand over the passwords.

        And if the person in question is coming from the EU, they would need the written permission of every identifiable person in that account, before they can hand over the information, otherwise the person would be liable to prosecution back in the EU.

        1. Lysenko

          Re: Interesting opinion to have...

          "under the terms and conditions, it is illegal to hand over the passwords."

          No it isn't. T/C are contracts and breach of contract isn't illegal. Also, as a general principle, any contract that contains illegal terms is liable to be voided entirely so you can't escape a charge of (for instance) harbouring a felon just because you signed a tenancy agreement with a confidentiality clause.

          "coming from the EU, they would need the written permission ... before they can hand over the information, otherwise ... liable to prosecution back in the EU."

          Possibly so, but also not relevant. Countries aren't obliged to take any account of other countries' laws unless they sign specific treaties (e.g. WTO) to that effect. Austrian law requiring removal of face veils directly contradicts Saudi law which demands them and a female Saudi national returning home after visiting Austria could theoretically be prosecuted for indecency, particularly if the incident occurred "air side" and therefore not technically within Austria. Caveat viator.

        2. Doctor Syntax Silver badge

          Re: Interesting opinion to have...

          "otherwise the person would be liable to prosecution back in the EU."

          Didn't you get the memo? US law overrules everyone else's.

      3. katrinab Silver badge

        Re: Interesting opinion to have...

        That's not the point.

        The Feds, who are US citizens, and are in the country, presumably log onto Facebook using these passwords.

        1. Charles 9 Silver badge

          Re: Interesting opinion to have...

          But acting in a law-enforcement capacity and conducting an investigation of a prospective alien who is not yet officially in the country (he can still be denied and held to be returned) and therefore is not necessarily protected by liberties accorded those "within" the country, unless you can cite case law otherwise. Legal investigations can trump contracts and even legal protections (like attorney-client or spousal privilege) under certain circumstances.

  6. Kevin Johnston

    Sadly, a decision which needs more clarity

    In common with many of the dear readers of this website I have worked at many a company where senior managers and the like have given their logins and passwords to their PA to enable them to handle all the stuff which is encrypted to save them the effort. Since each of those companies very clearly stated that such activity was forbidden and a disciplinary offence, I presume those managers/Execs in the US offices will now go to jail?

    This is why such decisions need to be carefully phrased (rather than the Facebook style examples) since these PAs could be accessing data which is regulated under various laws while using another person's identity.

    1. DavCrav Silver badge

      Re: Sadly, a decision which needs more clarity

      "In common with many of the dear readers of this website I have worked at many a company where senior managers and the like have given their logins and passwords to their PA to enable them to handle all the stuff which is encrypted to save them the effort. Since each of those companies very clearly stated that such activity was forbidden and a disciplinary offence, I presume those managers/Execs in the US offices will now go to jail?"

      No, the PAs would. Unauthorized access is illegal, not giving away your password.

      1. Doctor Syntax Silver badge

        Re: Sadly, a decision which needs more clarity

        "No, the PAs would."

        Only if the PA then uses the access to commit a criminal act. Corporate rules do not have the sanctions available under criminal law.

      2. katrinab Silver badge

        Re: Sadly, a decision which needs more clarity

        The PA would argue that it was authorised access because their manager gave them the password and instructed them to use it to carry out certain tasks for the company.

    2. Richard Jones 1

      Re: Sadly, a decision which needs more clarity

      In a work situation and on the other side of the pond the civil service had this one fairly buttoned down in the pre-computer age. A 'senior person' could under certain defined circumstances authorise another employee to act for them in various defined ways. They were after all also covered by a range of laws in addition to the internal rules of the organisation. So accessing a direct line superior's files in the course of preparing work for them was covered, taking the odd photographic copy for study 'at home', sharing with a friend, passing to anyone outside of the direct functional need was not. You would need to be pretty witless not to see that accessing information directly pursuant to the work was covered. However, accessing material with specific additional access restrictions would not be covered under such circumstances. For a long time similar rules applied in 'normal' businesses, I have been out of direct contacts for some while now, but doubt that much has changed in that regard.

      I suspect that the key specific is whether authorisation along with any required access code(s) was provided. In more modern times access codes can be granted to, e.g. PAs with specific personal restrictions, if needed, by the rules of the organisation. Pass the password is never a good game, though I have seen it played in some otherwise very formal hierarchical organisations where the most dangerous levels of password access were granted to the most senior 'name'. Since the 'name' had no knowledge of the system, junior staff used their name/password almost daily as part of the unwritten culture of the business.

      1. Doctor Syntax Silver badge

        Re: Sadly, a decision which needs more clarity

        "For a long time similar rules applied in 'normal' businesses,"

        The rules might well apply. The sanctions available to a 'normal' business would not include recourse to the Official Secrets Act unless the business were carrying out work for HMG in which case, depending on the work, the Act could apply.

    3. rh587 Bronze badge

      Re: Sadly, a decision which needs more clarity

      "In common with many of the dear readers of this website I have worked at many a company where senior managers and the like have given their logins and passwords to their PA to enable them to handle all the stuff which is encrypted to save them the effort. Since each of those companies very clearly stated that such activity was forbidden and a disciplinary offence, I presume those managers/Execs in the US offices will now go to jail?"

      No, because the PA is authorised. That's literally their job.

      Moreover, if that is the case then it's on IT to fix it.

      If a Director has to hand over their credentials for the PA to access necessary data, then the PA does not have appropriate rights on their account, which is a failing of the IT systems. If the PA is expected - as part of their normal, authorised duties - to manage correspondence, keep the diary/appointments book, etc, then this needs to extend into the digital realm as well as the dead-tree documents.

      Proper logging and telemetry then allows you to audit changes and messages sent by the Director, or the PA on the Director's behalf - something which is obviously impossible if they're sharing a single account.

      1. Kevin Johnston

        Re: Sadly, a decision which needs more clarity

        I think people are missing some of the details in my original post here...

        The manager may have given his permission to his PA but under the COMPANY regulations he had no authority to do that. A lot of the documents/emails the manager is sent will be private and encrypted and the sender is under the impression that only the manager is reading them.

        1. Doctor Syntax Silver badge

          Re: Sadly, a decision which needs more clarity

          "I think people are missing some of the details in my original post here."

          And you are missing the point: company rules provide for disciplinary action within the company with the ultimate sanction of a quick journey to the outside of the front door but no further.

        2. Ken Hagan Gold badge

          Re: Sadly, a decision which needs more clarity

          "The manager may have given his permission to his PA but under the COMPANY regulations he had no authority to do that."

          I got that part of the post *and* something else that you might not have considered: what if the credentials concerned are for external services? With just about every shopping website (including B2B ones) on the planet badgering us to "create an account so that we can spam you after you give us money", the boss's set of credentials almost certainly includes a few with third parties, not just The Company, so it is more than just an internal disciplinary matter.

    4. Doctor Syntax Silver badge

      Re: Sadly, a decision which needs more clarity

      "Since each of those companies very clearly stated that such activity was forbidden and a disciplinary offence, I presume those managers/Execs in the US offices will now go to jail?"

      It depends. Clearly they could be disciplined by the company but that isn't a criminal offence. If, however, the PA used the password to commit fraud then the PA could go to jail and possibly the manager as an accessory.

      There's a very simple difference here: company rules are not the subject of criminal law, fraud is.

  7. Solarflare

    For the few people who seem to be struggling with this one, consider the following scenario:

    Consider Bob works at an electrical retailer, he has worked there for quite a while and is trusted to have a key for the front and also the codes to disarm the alarm. His friend Mike used to work with Bob, but doesn't any more. Mike likes TVs and convinces Bob to lend him the key and tell him the disarm code, he then goes in and takes 5 expensive TVs. Is this stealing? Bob was freely given access by someone who was authorised. Answer: of course it is.

    Honestly the only thing I am confused about is why they didn't also go after the members of staff who shared their credentials with the guy - or does the article just not mention them?

    1. Anonymous Coward

      Intent.

      If they knew he was going to steal the data, then they are an accessory.

      If they thought it was just to help him do his job, it isn't a crime.

      They can still be fired though.

  8. TRT Silver badge

    My password is...

    kamikaze orange racist

    and I'm not telling ANYONE.

    1. James O'Shea Silver badge

      Re: My password is...

      Sigh.

      1 that’s a pass phrase, not a password

      2 The Donald isn’t a kamikaze. Kamikaze were members of the Imperial Japanese armed forces, who (were) volunteer(ed) to die for their country while taking as many of the enemy with them as possible. The Donald has not, and will not, volunteer for anything which might cause so much as a cracked fingernail. (Note that kamikaze-like behaviour is not unique to Japanese forces; look up the Medal of Honor citations for two of the five awarded to pilots in Operation Tidal Wave, or the Victoria Cross award to the captain of HMS Glowworm, for just a few examples). The Donald would NOT drive his ship into a bigger ship’s side. Nope, not going to happen.

      3 The Donald isn’t funny.

      1. Hollerithevo Silver badge

        Re: My password is...

        Mr O'Shea, thank you. Kamikazes were seen during and just after WWII as horrifying -- a sense of being brainwashed into self-destructive sacrifice. Given it was a group of people 'forced' into self-sacrifice by those not making a similar or shared sacrifice, it is not seen as admirable, but IMHO it is not unadmirable, in that it speaks of a sense of selfless duty and commitment to a cause.

        Those who have won the Medal of Honor or the Victoria Cross chose, in the moment, to act in a way that would logically result in self-sacrifice, and so are seen as totally admirable and courageous: they lay down their lives, or risked their lives, for their comrades, in service of their country. Whenever I feel low or gloomy about human beings, their craven stupidity, their truculence, their will to go to the lowest possible level, and all these are combined when I look at Donald Trump, I take myself off to read MoH or VC citations and remind myself of the best of the best.

        Or indeed any similar civilian award for bravery for the sake of others. They show us that we are capable of better.

    2. TRT Silver badge

      Re: My password is...

      @Mr O'Shea

      If you are unaware of the news story around this but still picked up that the "pass phrase" was concerning The Donald, then Eminem is bang on the nose.

      If you were aware of the news story around this, then thanks for the history lesson, but go tell it to Eminem, not me.

  9. EnviableOne Bronze badge

    The Crux of the matter

    Giving away your password is a civil matter

    Unauthorised access is a Criminal one

    I have no doubt the employees who shared their passwords were perfunctorily terminated with a nice long non-compete.

    Netflix is a similar case, you broke T&C by sharing.

    The person who uses your account (instead of paying Netflix for their own) is intentionally depriving Netflix of revenue and viewing licensed content without a licence, so is breaking the law.

    Effectively, by logging in as someone else you are committing fraud: you are representing yourself to be the person whose identity (login) you are using.

    Now the tricky bit comes if they charged the people whose passwords were used with extracting the data ....

    In that case it was their identity (account) that committed the act and their personal credentials, so it becomes difficult to prove it was not them...

  10. M7S

    What about those various employers that demand access to social media accounts

    of potential recruits during the application phase?

    I believe that they expect passwords to be handed over as well

    1. Anonymous Coward

      Re: What about those various employers that demand access to social media accounts

      Already covered in EU law. They can be told to f*** off.

    2. Ken Hagan Gold badge

      Re: What about those various employers that demand access to social media accounts

      It looks like this ruling allows prospective employees to tell would-be employers to eff off. Even better, anyone who goes along with the request is demonstrating that they can't be trusted, so they shouldn't get the job and any employer who *requires* candidates to give up their passwords is now encouraging candidates to breach their contracts with third parties and those third parties (or their lawyers) might well be interested to know that.

  11. JJKing Bronze badge

    Oh really.

    T/C are contracts and breach of contract isn't illegal.

    Oh great, I can stop paying my mortgage and it isn't illegal. Sweet! Of course I shall use you as my legal reference for this.

    1. Charles 9 Silver badge

      Re: Oh really.

      It isn't illegal in the criminal sense. You breach your mortgage contract, though (Breach of Contract, a civil matter), and the lender can then initiate legally-sanctioned procedures to redress this (foreclosure hearings). Since banks tend to have government backing, they can step in if necessary, but they usually don't have to do this apart from the civil courts. It's like with car payments. Miss too many and they can repossess your car: again, a civil rather than criminal matter.

    2. David Nash Silver badge

      Re: Oh really.

      "Oh great, I can stop paying my mortgage and it isn't illegal. Sweet! Of course I shall use you as my legal reference for this."

      It's a breach of contract. A contract is not the law. You won't get prosecuted for breaching a contract but you might get sued in a civil court.

    3. Lysenko

      Re: Oh really.

      "Oh great, I can stop paying my mortgage and it isn't illegal. Sweet! Of course I shall use you as my legal reference for this."

      Correct. You can stop paying your mortgage and you will not be prosecuted for that. You are only acting illegally after you are sued by the lender, the Courts give permission to repossess the property and you refuse to comply with that Court Order, thus placing yourself in Contempt of Court (which is illegal).

      For something to be illegal it has to be against the law, not just against the terms of a contract, agreement, promise or any other ad hoc arrangement. That would only apply to a mortgage non-payment scenario if it could be proven that you never had any honest intention of making the payments (i.e. Fraud).

    4. CrazyOldCatMan Silver badge

      Re: Oh really.

      "Oh great, I can stop paying my mortgage and it isn't illegal."

      Indeed it isn't. But it is breach of contract and, for that breach, the lender is entitled to enact the penalties encoded in the contract.

      To wit: repossessing your house and taking you to court in order to force you to pay the rest of your debt.

  12. Sven Coenye

    About that Netflix EULA

    It actually does not say you can't share the credentials. The closest it comes is saying use is limited to "members of your immediate household for whom you will be responsible hereunder and users of the Netflix ready device with which you are accessing the Netflix service and for whom you will be responsible hereunder".

    The only actual use restriction in the EULA is that you are prohibited from using your account when traveling.

    And a lot of us here are probably already in violation of the EULA whether or not we have a Netflix account: no one is allowed to have more than six installed copies of the client. Good luck with that :-/ Your account is hereby terminated as soon as you sign up ;-)

    1. Charles 9 Silver badge

      Re: About that Netflix EULA

      I believe for one of the clients to count as completely installed for the six it has to be registered to the account first. iTunes was the same way IIRC, thus they carry DE-registration procedures which allow you to move on to another client/device.

Biting the hand that feeds IT © 1998–2019