Slashdot Mirror


Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal (arstechnica.com)

Cyrus Farivar, reporting for Ars Technica: As a new way to connect with his fans, Jack Johnson -- one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name -- has spent the last month soliciting social media passwords. Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn't go for the shorter and catchier #JackHack, we'll never know.) Then, Johnson posts under his fans' Twitter accounts, leaving a short personalized message, as them. While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s. "While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans' and the entertainer's conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.


  1. Nope. This involves active sharing and consent. by aristotle-dude · · Score: 5, Insightful

    There is no "hacking" involved.

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
    1. Re:Nope. This involves active sharing and consent. by Anonymous Coward · · Score: 2, Insightful

      Twitter did not consent.

      That's irrelevant. That only makes it against their TOS, giving them grounds to terminate the account/service.
      However, that doesn't make it any more illegal than me posting an email with my neighbor's credentials while fixing/testing his email software.

    2. Re:Nope. This involves active sharing and consent. by Opportunist · · Score: 5, Insightful

      But for once this insane law will hit "normal" people instead of just "computer geeks". And since people only start to think about insane laws when they have a "this could have been me!" experience, this might finally get something moving there.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Nope. This involves active sharing and consent. by vux984 · · Score: 5, Interesting

      You might even be considered an "unauthorized user" from twitter's perspective

      That is precisely what triggers the fraud and abuse act.

      but by giving you their password,
      the end-user has made you the de facto authorized user of that account.

      The end user is not authorized to do that, per the Terms of Service.

      Look, the point is that it is not an open and shut case. There is a valid legal argument, bolstered by recent court rulings, that the CFAA can be triggered in this way. The most recent court case was just such an example of an authorized user sharing their password with an ex-employee. Obviously that's not exactly the same thing.

      But it's close enough in a lot of ways; the twitter user, like the employee, doesn't really 'own the account'. It is assigned to them and they aren't allowed to share it. So if they do share it the person they share it with is NOT an authorized user, and that in theory triggers the CFAA.

      Yes, it's all kinds of stupid... but the CFAA is all kinds of stupid too.

    4. Re:Nope. This involves active sharing and consent. by FatdogHaiku · · Score: 2

      Twitter did not consent.

      Gmail did not consent (and I SURE didn't) when a lady accepted the fB offer to "Help her find her friends" by spamming everyone she had ever contacted using Gmail...
      BTW, what happens to those lists of contacts once fB has spammed them?
      I'll bet they are deleted right away to avoid any appearance of data collection on non-users! Oh, sorry, that cat has been out of the bag for so long I forgot about it...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    5. Re:Nope. This involves active sharing and consent. by fahrbot-bot · · Score: 2

      Here in the USA we have a major problem. WE allow the very uneducated to be the ruling class, this causes tons of laws that are absurd and applied badly.

      Worse than that, we actively vote them into office.

      --
      It must have been something you assimilated. . . .
    6. Re:Nope. This involves active sharing and consent. by vux984 · · Score: 2

      This is not stupid at all.

      Yes, yes it IS stupid.

      It mirrors the obvious principle that everyone here knows, which is that authorization to use a system does not necessarily confer authorization to authorize additional users.

      But does that principle automatically apply here? Does a normal person *consider* their Twitter account their own property or the property of Twitter? (Not the legalese... but in terms of how they think about and interact with it.)

      Moreover, it's a principle of our daily lives that's so obvious we don't even mention it. I let my neighbor Bob use my pool whenever he wants, but I would be shocked if Jill was using it and just said "Oh yeah, Bob said I could".

      Exactly right. It's clearly your property, and your delegate has clearly exceeded his authority according to all social conventions. That would be quite the faux pas, and you'd be rightfully upset.

      There is no reason that the principle of non-delegation (that is to say, without explicit authority granted to delegate) shouldn't apply to the virtual world just as much as it applies everywhere else.

      It doesn't automatically apply everywhere else. It applies when the property being delegated is recognized as belonging to someone else. It doesn't apply when the property being delegated is recognized as belonging to me. The legalese underneath the transaction may cement that status, but socially what matters is how we perceive the property.

      Bob's using YOUR pool. That is the social convention (and the legal reality) of the situation.

      If I give you a social media account password, am I giving you access to MY account? Or am I giving you access to a (for example) twitter account that twitter lets me use?

      Legally it's probably the latter, but that's not how ANYBODY thinks about it. They think of it as THEIR OWN twitter account.

      They'll say it's 'my account'; they'll complain 'my account was hacked'... everything surrounding it is framed in that sense of ownership.

      The same way they think about their TV service, their cellular phone service, their steam account... that the account "belongs" to them, and they don't give a 2nd thought to whether their friends or guests or babysitters or whatever can watch their TV, or borrow their phone to make a call, or play some video games on my account.

      Or even their bank account. People think of that as their property too. It gives them access to their money. It's not the bank's money!! It's mine. The password is also mine. I chose it, and the bank shouldn't even know what it is. etc etc.

      Yes legally, and when you get deep into it... the money is mine, but the servers are theirs. And the account is permission from them to use their servers using my chosen credential to access the money I entrusted them to hold for me... etc etc.

      But if it ever came down to it, and I wanted to give someone my bank account password for some reason, my only thought would be in terms of the risk that represents to the security of MY money. I wouldn't give a 2nd thought to whether or not I had the right to delegate access to the bank's servers.

      Likewise with twitter... my only consideration in giving out my password would be the risk it represented to my 'reputation', the potential for grief to me from what they might say with it... etc.

      The notion that I would be delegating access to twitter's server infrastructure in a way analogous to Bob letting Jill use your pool...? That would NOT be a consideration at all. No normal person thinks of their twitter account in that sense. (even if technically and legally that's what it is.)

  2. Why stop there? by freeze128 · · Score: 2

    Give Jack your credit card number and ATM PIN to get a customized message from your bank about how you don't have any money anymore.

    1. Re:Why stop there? by omnichad · · Score: 2

      And why was the password required anyway?

      It really wasn't, since they could have granted posting privileges via OAuth without giving away the password. Don't pop stars have marketing teams to help them with technical details of this sort of thing?

  3. Re:Clinton VP vetting was doing same by __aaclcg7560 · · Score: 3, Insightful

    Vice President of the United States isn't your garden variety job. If this was an ordinary job that demanded my social media passwords, I would say, "Oh, hell no!"

    On a related note, I'm still waiting for Donald Trump to release his tax returns.

  4. Re:Um, what? It isn't that scary of a law by 93+Escort+Wagon · · Score: 4, Insightful

    No, we're being trolled by a law school professor who's trying to get some media exposure - and she's being aided and abetted by some person trying to get paid at Ars Technica.

    --
    #DeleteChrome
  5. If you think Twitter is bad... by __aaclcg7560 · · Score: 2

    I've worked at many Fortune 500 companies in Silicon Valley. Each one has the same policy that users aren't supposed to share or write down their passwords. As an IT support technician, I had to prevent people from telling me their passwords. It never fails that I find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login. They always get mad at me when they have to change their password.

    1. Re:If you think Twitter is bad... by Frosty+Piss · · Score: 3, Insightful

      As an IT support technician, I had to prevent people from telling me their passwords. It never fails that I find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login

      So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?

      This is an honest question that should not be poo-pooed by the "leet IT Dudes" as the fallout of moron network users...

      --
      If you want news from today, you have to come back tomorrow.
  6. Dumb on two counts by wardrich86 · · Score: 2

    1. If he asks for your password, and you provide it... there's really no unlawful action there. He didn't force you to give it to him, and you had all the power and right in the world to not be an idiot and toss it out there. I wonder how long before somebody hacks Jack's email and scoops up all those yummy accounts.

    2. You fucking gave the guy your password. That's not hacking. He needs to change his hashtag to #PostedByJohnson or #ThisUserWasDumbEnoughToGiveMeTheirPassword

  7. Jack Johnson by doconnor · · Score: 2

    I don't know any of those Jack Johnsons. The only one I know is the Futurama Presidential candidate Jack Johnson who ran against his rival and clone, John Jackson.

  8. Re:Clinton VP vetting was doing same by PPH · · Score: 2

    Family members? I wonder how that would go over with adult children.

    "Son. I need to turn over your passwords in order to apply as Clinton's VP."

    "Fuck you, dad. By the way, I'm voting for Trump."

    --
    Have gnu, will travel.