Netflix: Is Password-Sharing a Crime? – Source: securityboulevard.com

Source: securityboulevard.com – Author: Mark Rasch

On May 25, 2023, streaming content provider Netflix began enforcing its policy prohibiting the sharing of Netflix accounts even among family members who are not members of the same “household”—meaning living together in the same house. It was always Netflix’s policy to prohibit such account and password sharing—it’s just that Netflix finally began enforcing the policy and requiring each separate account holder to have (and pay for) their own account.

One question raised by the newly enforced policy is whether the sharing of passwords that permit account access to goods or services in violation of the terms of the website that provides those goods and services constitutes a “trespass” in violation of federal criminal law. While the Supreme Court, in the Van Buren case in 2021, addressed the question of whether a person with authorized access to a database exceeds an authorization to access the computer containing the database when they use that authorized access to do something with the data that violates the terms and conditions of the database owner, the issue of password sharing is somewhat more complicated.

Obviously, password sharing can (and does) deprive Netflix of a stream of revenue. Netflix is entitled to create a “one account, one login” or “one account, one household” policy as part of its revenue model and to enforce it. Sharing passwords and accounts can constitute “theft of services” or a breach of contract. If I sign up for cable TV, I can’t connect a box to my neighbor and “share” my cable, but I can invite them over to my house to watch the Orioles (or Nats) game. Sharing cable or satellite is a crime. So, my giving my account login information to a third party could constitute theft, fraud, theft of services, etc. This is particularly a problem when a contract provides “per seat” access to some service. Say you create a brilliant database of threats, vulnerabilities, etc., and sell a single-seat license to access the database to a user at Company X, which has 20,000 employees. The contract says “no account sharing,” and the user shares the password (and account) with all 20,000 employees who use it. Not only is that a breach of contract, but it’s also a potential fraud on the part of the person who shared and the person who used the account.

But is it a “trespass?” The answer is complicated.

Trespass and the CFAA

The Computer Fraud and Abuse Act, 18 USC 1030, makes it a crime to intentionally “access a computer without authorization” or to intentionally “exceed authorization to access” a computer and to “obtain information.” The statute was patterned after the common law of trespass, which made it a crime to enter or remain unlawfully on premises and which required some kind of affirmative (or lack of negative) permission. Because there are no natural boundaries in cyberspace, rules had to be developed over what it means to “access” a computer and how we determine if the “access” is “authorized.”

Here’s an example (and all analogies are imperfect and silly when applied to cyberspace, so bear that in mind). It’s three in the morning, and a shadowy figure lurks in an office building. When approached by the security guard, the person indicates that they don’t work there but that an employee who does work there gave them a key to the office and told them they could come in and do whatever they want. Is the interloper “trespassing?” Are they “intentionally” trespassing? Would it matter if the company had a policy that employees are not permitted to allow third parties into the office after hours? Would it matter if the interloper did not know of this policy? Would it matter what the interloper was doing in the office?

A user ID and password for an account (like a Netflix account) could be treated like a non-assignable, revocable license. If I bought a ticket to a movie at a movie theater, went to the movies and, for some reason, the ticket was not ripped by the ticket taker (yes, very 1980s here, but bear with me), I could not legally hand the ticket to my buddy to watch the movie for free. Indeed, we both might be guilty of theft of services, and my buddy might be guilty of trespass, right? I mean, a person who enters a movie theater that requires a license (a valid ticket) without such a valid ticket is a trespasser, right?

According to Netflix’s most recent SEC filing, about 100 million users share their passwords outside the “household.” Kids go to college and want to continue to watch their shows. Parents may occasionally want to watch a single show or episode without a full (and expensive) subscription.

It is possible that the Department of Justice could not only treat each password-sharing event as a federal computer crime felony but could treat each login using the shared password as a separate “unauthorized access” to Netflix’s computers in order to “obtain information” (the show) on that computer. In doing so, DOJ could ask the following questions:

1. Did the person with the shared password “access” (that is, “use the resources of”) Netflix computers? Probably yes.

2. Did Netflix “authorize” this access? No. In fact, the access was in violation of Netflix’s express policy.

3. Did the person who accessed the Netflix account do so “intentionally?” Probably yes.

4. Did the person “obtain information” as a result of the access? Sure—they got to either stream a show or, at a minimum, see what shows are streaming. In any case, they obtained information.

So, does that mean that we have 100 million felons committing more than a billion felonies a year? Maybe. Maybe not.

Physical and Logical Barriers to Access

Figuring out what is and is not “authorized” on a computer system is not an easy undertaking. For example, if a URL gives access to a file (e.g., https://www.filestructure.com/files/jones/jonesfile.txt), clicking on the link might take you to the text file called “jonesfile.” However, truncating the URL to files/jones might take you to other publicly accessible files within the “jones” subdirectory, and truncating it further to the “files” directory might take you to all files. Without a physical barrier to seeing the file, are you “authorized” to see it? Is the mere ability the same as authorization?

It’s easy to say, “Well, whatever you can ‘see’ without ‘hacking’ you are authorized to see,” but that puts the cart before the horse. You are guilty of “hacking” when you exploit something to allow you to see something that is not otherwise available to the public. Does it matter how sophisticated the hack is?

If someone shares their password with you, do you have to inquire as to the extent of their authorization to do so? Do you have to inquire as to their motives and intent? What if they shared their password accidentally or inadvertently? Or what if they inadvertently forgot to create a password?

Certainly, the Justice Department and state law enforcement agencies (under state law) could push to prosecute the Netflix thieves for “hacking” Netflix by sharing passwords. They might even win these cases and, in the course of doing so, make bad precedent and bad law. And bad optics and bad politics. But if they did so, you can bet it would make for an awesome Netflix streaming series.

Original Post URL: https://securityboulevard.com/2023/06/netflix-is-password-sharing-a-crime/

Category & Tags: Application Security,Cyberlaw,Cybersecurity,Data Security,Featured,Governance, Risk & Compliance,News,Popular Post,Security Awareness,Security Boulevard (Original),Spotlight,apps,netflix,password sharing,passwords
