Monday, July 11, 2016

Is sharing your password a federal crime?

Is sharing your password a federal crime?  It turns out the answer is probably yes, at least for the moment.  The ninth circuit court of appeals says sharing your passwords is a violation of the CFAA.  Currently Netflix, HBO, and others aren't lining up to identify users who are sharing passwords.  But should you be concerned?

We all have something to hide
It's no secret that law enforcement often uses anything they can to hold a suspect in custody or get probable cause for a search warrant when they are trying to develop evidence in a larger case.

If you think "that's okay, I'm a good person, I have nothing to hide" think again.  Moxie Marlinspike wrote an outstanding blog post dispelling this myth some time ago.  If you haven't read it, do so now, then come back and finish this post. No, really - it's that important.  Bottom line, most of us are breaking one obscure law or another practically every day - often without having any idea we are breaking the law - we all have something to hide...

Law enforcement targeting
Suppose for a moment that you - through no fault of your own - become a suspect in a murder investigation.  The police get a warrant for your phone, but there's no direct evidence there.  The police need warrants for other computers and digital devices (yes, I know it's a stretch that they'd have a warrant for the phone and not the rest of your devices).  But suppose for a moment that you are using a shared password for Netflix viewing.  They determine this and use this leverage under the CFAA to get warrants for many more digital devices.

Alternatively, suppose law enforcement is trying to coerce a witness to testify against a criminal (I mean encourage, I'm sure law enforcement never coerces a reluctant witness).  They determine a reluctant witness's family member is using a shared account for Netflix.  Law enforcement leverages this knowledge.  "We can forget about CFAA charges if you make it easier on everyone and testify."  There's even a possibility that law enforcement is able to query HBO Go and/or Netflix to find suspicious account usage and find a suspect family member from there. A long shot? Sure. Unthinkable? Not at all.

Employee misconduct investigations
Misconduct investigations happen all the time at larger enterprises and most DFIR professionals will be involved in one sooner or later.  Your employer has it out for someone - often for good reason - and is ready to fire them.  But to prevent a wrongful termination suit, they're looking for more evidence of wrongdoing.  Sometimes that manifests itself when you find they've been watching Netflix on their work machine.  With a good acceptable use policy (AUP), this is a slam dunk for employee misconduct.

But picture this: you're doing an employee misconduct investigation and discover that your employee is logging into Netflix on their work machines using someone else's account.  What sort of leverage does this create for the employer?  Well, when you can threaten to report someone for a federal crime if they try to fight a termination, that's a great position to be in.  But it's not just someone you can report - technically it's two someones - the employee using someone else's account and the person who shared the password in the first place.

It may sound like a mean thing to do to a suspect, but at Rendition Infosec we put our clients' best interests first - so I'll definitely be putting more emphasis on evidence of password sharing in my future investigations.  It's also probable that this ruling could be applied retroactively - meaning that if you are working a case today, you could use this to discover shared account usage from a year ago and still at least threaten that this is in scope.  At the end of the day, the employee is likely to roll over and accept their walking papers rather than risk federal charges - even if they don't think they did anything wrong.

The CFAA is an extremely disturbing piece of legislation.  This particular application of CFAA charges is a disturbing evolution to say the least.  The worst part is that those who with low incomes (i.e. those least able to afford online subscription services) are the most likely to share account passwords.  Those who know me know that I'm no SJW, but from where I sit this application of the CFAA is just wrong.  It's time for some legislative overhaul since the courts clearly can't apply common sense to this extremely poorly written law.


  1. For those highly interested in knowing more. Ref. U.S. v Nosal on the 9th's interpretation on "intent to defraud" and also "abuse of a system."

  2. For those highly interested in knowing more. Ref. U.S. v Nosal on the 9th's interpretation on "intent to defraud" and also "abuse of a system."


Note: Only a member of this blog may post a comment.