Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal

Cyrus Farivar, reporting for Ars Technica: As a new way to connect with his fans, Jack Johnson -- one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name -- has spent the last month soliciting social media passwords. Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn't go for the shorter and catchier #JackHack, we'll never know.) Then, Johnson posts under his fans' Twitter accounts, leaving a short personalized message, as them. While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s. "While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans' and the entertainer's conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.

Nope. This involves active sharing and consent.

[aristotle-dude]

There is no "hacking" involved.

Re:Nope. This involves active sharing and consent.

[Opportunist]

But for once this insane law will hit "normal" people instead of just "computer geeks". And since people only start to think about insane laws when they have a "this could have been me!" experience, this might finally get something moving there.

Re:Nope. This involves active sharing and consent.

[vux984]

You might even be considered an "unauthorized user" from twitter's perspective

That is precisely what triggers the fraud and abuse act.

but by giving you their password,
the end-user has made you the defacto authorized user of that account.

The end user is not authorized to do that, per the Terms of Service.

Look, the point is that its is not an open and shut case. There is a valid legal argument, bolstered by recent court rulings that the CFAA can be triggered in this way. The most recent court cases was just such an example of an authorized user sharing their password with an ex-employee. Obviously that's not exactly the same thing.

But its close enough in a lot of ways, the twitter user, like the employee doesn't really 'own the account'. It is assigned to them and they aren't allowed to share it. So if they do share it the person they share it with is NOT an authorized user, and that in theory triggers the CFAA.

Yes, its all kinds of stupid... but the CFAA is all kinds of stupid too.

Re:Clinton VP vetting was doing same

[__aaclcg7560]

Vice President of the United States isn't your garden variety job. If this was an ordinary job that demanded my social media passwords, I would say, "Oh, hell no!"

On a related note, I'm still waiting for Donald Trump to release his tax returns.

Re:Um, what? It isn't that scary of a law

[93+Escort+Wagon]

No, we're being trolled by a law school professor who's trying to get some media exposure - and she's being aided and abetted by some person trying to get a paid at Ars Technica.

Re:If you think Twitter is bad...

[Frosty+Piss]

As an IT support technician, I had to prevent people from telling me their passwords. It never fails that find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login

So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?

This is an honest question that should not be poo-pooed by the "leet IT Dudes" as the fallout of moron netwrok users...