Slashdot Mirror

← Back to Stories (view on slashdot.org)

Appeals Court To Test How the Law Looks at Shared Accounts and Unauthorized Access (washingtonpost.com)

Posted by Soulskill on from the too-complicated-for-legislators dept.

schwit1 writes: On Monday, the Ninth Circuit will hear arguments in United States v. Nosal on an interesting legal question: If a person shares access to a computer account with somebody else, under what circumstances can the second person engage in unauthorized access under the Computer Fraud and Abuse Act? The case centers around the difference between having access to something and having permission to use it. In other words, if you give somebody a desktop password to your computer so they can watch Netflix, but they take advantage of that to read your email, how does the law look at it? What happens if they come back later and log in again without your explicit permission, but only watch Netflix? What happens if you give them your Netflix password to watch while at your house, but they go home and use it to watch Netflix at their house? Eugene Volokh has a forthcoming paper articulating the legal interpretations of computer trespass. It's a tricky set of rules, and one another court has already misapplied.

37 comments

  1. I would compare it to a house by ArmoredDragon · · Score: 3, Interesting

    If you let somebody in (say a babysitter to watch your kids) that doesn't give them permission to peruse through a diary hidden in a drawer in a night stand.

    1. Re:I would compare it to a house by Anonymous Coward · · Score: 0

      But, what is stopping them.
      You may have not given them permission, but you also didn't lock your diary up so they can't.

      Is wasn't like they broken and started to read your diary, or broke the lock on the diary.

    2. Re:I would compare it to a house by Anonymous Coward · · Score: 0

      ...and since *everything* digital is compared to physical equivalents in court systems, this works 100% of the time!

      This doesn't work because the patent and legal system went nuts and left logic at home when they started dealing with digital items. So while logic is on your side, this would totally screw up the whole fragile system they've been paid to set up.

    3. Re:I would compare it to a house by Anonymous Coward · · Score: 0

      It really depends on what you are protecting and how important it is to you, if it's that important don't grant physical access to a relative stranger.

    4. Re:I would compare it to a house by tlhIngan · · Score: 1

      If you let somebody in (say a babysitter to watch your kids) that doesn't give them permission to peruse through a diary hidden in a drawer in a night stand.

      Besides that, I would also liken it to expected permission.

      The owner of the PC may give them access to the computer to view Netflix. That implies a single instance access to the computer to do one thing - view Netflix. It doesn't give permission to view the guy's email or other things, or even if he logs out permission to log in again.

      This permission can be extended implicitly - e.g., the person comes over regularly and the owner regularly gives them permission to log in and view Netflix. Still no permission to view email, though. But in this case, the person can reasonably assume that since he's been given permission to use Netflix while he's over, he can continue to do so.

      If an email alert pops up, he's allowed to read the alert, but not to dig deeper - while he didn't get permission to view the alert, he really couldn't NOT read it since it popped up on the screen while he was watching Netflix. However, reading just the preview alert doesn't give permission to read the rest of it, as he only had permission to use Netflix.

      I mean, just because you got the credentials, they were provided to you in trust to do one specific thing. Just because you can, doesn't mean you should.

    5. Re:I would compare it to a house by DRJlaw · · Score: 1

      If you let somebody in (say a babysitter to watch your kids) that doesn't give them permission to peruse through a diary hidden in a drawer in a night stand.

      If the babysitter peruses through a diary hidden in a drawer in a night stand, it's not a Federal felony. That in and of itself makes it a bad comparison. In some of these examples, you've authorized the babysitter to open a drawer, but not that drawer right next to it. Up to five years, federal prison, with no such thing as parole.

      So while you would, I would not.

    6. Re:I would compare it to a house by Tyrannosaur · · Score: 1

      It really depends on what you are protecting and how important it is to you, if it's that important don't grant physical access to a relative stranger.

      Yes, as a prevention to be a victim, I won't be STUPID, but even if I am stupid this doesn't give them the right to do whatever they want.

    7. Re:I would compare it to a house by Anonymous Coward · · Score: 0

      This is more a case of societal etiquette than actual rule or law, though.

      I mean, hell, look at friends who piss around with each other and go through their things to embarrass them.
      "Yeah, where's your sex hole at ya mad perv. "
      "Where's that inflatable Miku you've been hiding?"
      etc.

      Hell, it has even happened on TV shows.
      Come Dine With Me, cooking show in UK.
      Random strangers cook for each other at their homes. Guests regularly go around each others houses and look through things. Yes, that is drawers.
      There has even been people putting on each others clothes in some instances.

      Funny house party hijinks or poor social etiquette?
      It is a very blurry line indeed.

    8. Re:I would compare it to a house by Anonymous Coward · · Score: 0

      Although, in all fairness, the babysitter would not be charged with breaking and entering nor trespassing? So what is the analogy in the digital world?

    9. Re:I would compare it to a house by Ol+Olsoc · · Score: 4, Insightful
      If only someone owuld think of putting a sort of limited access to a computer. You know, like something where they could log in, but not access your email?

      They could call it a "Guest Account". Yeah, someone should invent that.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. That 5th Netflix friend, man by Impy+the+Impiuos+Imp · · Score: 1

    Basically is it a DMCA violation AKA anti-hacking law crime, to use a password you legitimately know to use the computer system for things you weren't supposed to.

    This really stretches it too far if you ask me as there are other remedies before applying a hacking law. But they went too far long ago by allowing companies to use DMCA to hide copies of copyrighted things you bought from your own sight, like firmware. "Your car's computer can read your copy you own, but you can't."

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:That 5th Netflix friend, man by Anonymous Coward · · Score: 0

      I don't think you know what DMCA means.

      The article is not about DMCA but Computer Fraud and Abuse Act.

      BUT, regarding the example given, Apple already does that with iTunes and the it's music files (if they are encrypted, you can only move them to the "authorized" devices, not to all devices).

  3. Re:sharing is for cows by Anonymous Coward · · Score: 0

    LOL what did /. do to piss off the cow guy? I see him in every thread.

  4. Sharing Netflix password by whoever57 · · Score: 1

    In limited circumstances, I think that sharing a Netflix password is clearly OK. I base that statement on the fact that Netflix has a concept of users different users within one account.

    The question is perhaps: what does "limited" mean in this context? Family member who lives with me? Family member who lives elsewhere? Friend?

    --
    The real "Libtards" are the Libertarians!
    1. Re:Sharing Netflix password by Anonymous Coward · · Score: 0

      "The member who created the Netflix account and whose Payment Method is charged is referred to here as the Account Owner. The Account Owner has access and control over the Netflix account. The Account Owner's control is exercised through use of the Account Owner's password and therefore to maintain exclusive control, the Account Owner should not reveal the password to anyone."

    2. Re:Sharing Netflix password by Anonymous Coward · · Score: 0

      EULA:
      Permitted Use/Restrictions
      2.1 Grant of Limited License. Netflix grants you (which, for purposes of this License Agreement, shall include members of your immediate household for whom you will be responsible hereunder and users of the Netflix ready device with which you are accessing the Netflix service and for whom you will be responsible hereunder) a non-exclusive, limited, personal and nontransferable license, subject to and conditioned on your compliance with the restrictions set forth in this License Agreement, to install and use the Software, in object code form only, provided to you by or on behalf of Netflix in connection with your use of the Netflix service.
      2.2 The license grant above includes the right to use documentation accompanying the Software for the sole purpose of using the Netflix service and the right to make one (1) backup copy of the Software, provided that (i) the Software is installed on only the number of Netflix ready devices authorized by Netflix (which number shall be six (6) Netflix ready devices unless otherwise agreed or modified in writing by Netflix); (ii) the Software may NOT be modified; (iii) all copyright notices are maintained on the Software; and (iv) you agree to be bound by all the terms of this License Agreement.

    3. Re:Sharing Netflix password by AF_Cheddar_Head · · Score: 1

      "Should" implies a suggestion, "May not or will not" implies a directive. Lawyers drafted this if they meant a prohibition they would have used the later terms.

      You can legally have four users on a Netflix account, how are these users supposed to access the account in your absence without the password?

    4. Re: Sharing Netflix password by Anonymous Coward · · Score: 0

      Type it in the app for them and tick the remember me box?
      There now they have access that you granted even when you leave and have no idea what the password is.

    5. Re: Sharing Netflix password by mjm1231 · · Score: 1

      That ties it to the device. Not the person. I am the Account Owner on a Netflix account. I watch on at least 3 different devices. The three people I share it with watch it on more than one device as well.

      --
      Ideology: A tool used primarily to avoid the bother of thinking.
    6. Re: Sharing Netflix password by Aristos+Mazer · · Score: 1

      Just because you think you should be able to do that under the EULA does not mean you can do that under the EULA. One clause gives permission to three other people to use the account -- but only if you can fulfill the other clauses. Just because there's no technological way to do that doesn't mean you get to break the EULA, legally speaking.

    7. Re: Sharing Netflix password by mjm1231 · · Score: 1

      If there is something in the EULA that prevents me from using the service on multiple devices, then I reject the EULA and they can keep the service. It's barely worth what I pay for it in the first place.

      --
      Ideology: A tool used primarily to avoid the bother of thinking.
  5. what about new email pop ups? by Joe_Dragon · · Score: 2

    what about new email pop ups? that you can read at least some info from?

    Open wifi where you can see, shared files/folders, shared printers, etc.

    Files on the desktops

    Have permission to use the printer and see other documents on it / next to it.

    post it nodes with info on them on the display / desk

    Wait by now you are looking at 20 to life need I go on?

    1. Re:what about new email pop ups? by ArmoredDragon · · Score: 1

      There's quite a difference between plain site and digging. That concept is actually pretty well established in case law as well.

    2. Re:what about new email pop ups? by Anonymous Coward · · Score: 0

      Plain site? What does that mean?

    3. Re:what about new email pop ups? by Anonymous Coward · · Score: 0

      I think he mean "plane sight" -- that is, can the drone peeking in your window see it or not.

    4. Re:what about new email pop ups? by ArmoredDragon · · Score: 1

      It means that sometimes swype inputs the wrong word and I didn't properly proofread.

    5. Re:what about new email pop ups? by HornWumpus · · Score: 1

      Default Apache home page. Duh.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    6. Re:what about new email pop ups? by Kjella · · Score: 1

      Why would you need to make new law here? Obviously if you let a babysitter in, they can see things in plain sight. If they're looking for a glass and you got illegal stuff hidden in your kitchen cabinet, too bad. It's only if they go snooping in places that they clearly have no business snooping in it might be an issue. Same applies for your computer, clearly some things are just there. Some you might run into. And other things you don't find unless you go snooping.

      --
      Live today, because you never know what tomorrow brings
  6. a password is like a key by Anonymous Coward · · Score: 0

    If you lend it out to someone, you ask it back.
    With a password you cannot do that, so you change it

    If the password gets abused while lend out, laws similar as for the keys should apply.

    Other than that, just don't be stupid with your passwords.

    1. Re:a password is like a key by Aristos+Mazer · · Score: 1

      When I read your first sentence (slashdot collapsed section only presented that one line) I thought you were going to suggest bludgeoning them until the amnesia makes them forget the password... other stuff, too, but the password is the legally important bit.

  7. Simple: Owner Negligence by Anonymous Coward · · Score: 0

    The case shouldn't even go to court. Modern OS's have guest accounts for a reason, and everyone knows you don't handout your password.

  8. Re: sharing is for cows by Anonymous Coward · · Score: 0

    He's just pissed that he can't be a cow. MOOOOOO!

  9. Pay The Consequences by Anonymous Coward · · Score: 0

    Share the password, and thereby grant access. You've given permission and lost control at the same time.

    Change the password and don't share it. Problem solved.

    1. Re:Pay The Consequences by Aristos+Mazer · · Score: 1

      Problem may be solved, but the legal question remains: did the person who abused your password do something illegal? If I leave my house unlocked, someone who comes in and steals stuff is still guilty of a crime. If I share my password, they *can* use my stuff, but there's still a legal bar that says they *should not*, and if they do, there may be criminal charges. This case is critical for determining what happens in various fraud and phishing scams. That's why in needs to go to court.

  10. keys and locks by Solandri · · Score: 1

    Summary focused on legal ramifications for individuals on their personal computers. But this is actually a bigger issue for corporate use of cloud services. What if your company has an official Twitter feed or Facebook wall which needs to be updated by multiple people? Right now, the only way you can do that is to share the single password with all those people. Now what if one of those people gets fired and you're a little slow to change the password? People criticized Sony for making themselves easy to hack by keeping their passwords in a plain text file, but that's inevitably what happens when you need to share an account among multiple employees and the service providing the account only allows a single login. First the password gets posted on the refrigerator door. But one day an unauthorized employee uses it, and someone gets the "clever" idea of putting it in a text file on the file server in a directory where only the people who are authorized to use that account and password have read access. Right where hackers can get it.

    You can't create a guest account because those services don't yet support that. What needs to happen is for these services to either allow logins with multiple revocable keys/passwords; or allow multiple sub-accounts under a master account, with the sub-accounts able to post as if they were the master account. The same concept applies for collaborative virtual spaces.

    If every online service allowed this, then the issue in TFA becomes easy. If Netflix allows up to 4 family members to share the account, then each of those family members should have a separate login and password, with one being a master account which has the power to revoke login permissions for the sub-accounts. If you want to let a new "family member" temporarily use the account, you simply give them a sub-account. And when you no longer wish them to have access, you simply revoke the permissions of the sub-account. (And as you point out, for your home PC, you can simply log them into the guest account.)

    1. Re:keys and locks by Ol+Olsoc · · Score: 1

      But this is actually a bigger issue for corporate use of cloud services. What if your company has an official Twitter feed or Facebook wall which needs to be updated by multiple people?

      You lost me at Twitter and Facebook.

      Those two "services" are right up there with web advertising.

      I don't give a damn, and I have no sympathy for anything that goes wrong with that bit of douchbaggery.

      I mean, whatever could go wrong with multiple employees having the same password? If a business is so damn stupid as to do that, they don't have much to bitch about when the inevitable happens.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.