Slashdot Mirror

← Back to Stories (view on slashdot.org)

Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal (arstechnica.com)

Posted by msmash on from the topsy-turvy-world dept.

Cyrus Farivar, reporting for Ars Technica: As a new way to connect with his fans, Jack Johnson -- one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name -- has spent the last month soliciting social media passwords. Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn't go for the shorter and catchier #JackHack, we'll never know.) Then, Johnson posts under his fans' Twitter accounts, leaving a short personalized message, as them. While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s. "While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans' and the entertainer's conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.

1 of 116 comments (clear)

  1. Re:Nope. This involves active sharing and consent. by vux984 · · Score: 5, Interesting

    You might even be considered an "unauthorized user" from twitter's perspective

    That is precisely what triggers the fraud and abuse act.

    but by giving you their password,
    the end-user has made you the defacto authorized user of that account.

    The end user is not authorized to do that, per the Terms of Service.

    Look, the point is that its is not an open and shut case. There is a valid legal argument, bolstered by recent court rulings that the CFAA can be triggered in this way. The most recent court cases was just such an example of an authorized user sharing their password with an ex-employee. Obviously that's not exactly the same thing.

    But its close enough in a lot of ways, the twitter user, like the employee doesn't really 'own the account'. It is assigned to them and they aren't allowed to share it. So if they do share it the person they share it with is NOT an authorized user, and that in theory triggers the CFAA.

    Yes, its all kinds of stupid... but the CFAA is all kinds of stupid too.