A new federal appeals court ruling serves as a reminder that the Computer Fraud and Abuse Act (CFAA) is utterly awful and needs to be reformed, and that you have probably violated it at some point.
The ruling revolves around a case where a former employee of a firm continued to access the firm's client database as he planned to launch a competitor. The man was charged with conspiracy, theft of trade secrets, and violations of the CFAA, and was eventually convicted.
One of the violations included sharing his password with others so they could access this database, so media coverage of the court's decision has suggested that it is "now" a federal crime to share passwords to things like your Netflix account (see this Fortune headline as an example).
While this media attention is welcome, it's worth pointing out that this is absolutely not a new thing: under the wording of the CFAA it has always been the case, which is why it's such a terrible law. The CFAA criminalizes any "unauthorized access" to a computer system or database to commit any sort of fraud. So, for example, letting somebody access your Netflix account or Steam account—or any sort of online service that charges access for movies, games, music, et cetera—in order to watch or play for free could be a violation of the law. That's a type of fraud.
This same sort of interpretation of the law was used to convict Matthew Keys for handing over the password to a person in Anonymous, allowing the second person to access and change the headline of a story at the Los Angeles Times. Keys was punished in part for facilitating this "unauthorized access." That this anti-hacking law has been pressed into service in situations where no "hacking" actually took place is not a new thing.
One judge, Stephen Reinhardt, objected to applying the CFAA to situations where passwords have been shared. He noted that the ruling "loses sight of the anti-hacking purpose of the CFAA, and despite our warning, threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens." (Read the ruling here)
The ability to interpret the prohibitions of the law extremely broadly has prompted the American Civil Liberties Union (ACLU) to file suit to block part of the law. They argue that the law's bans on unauthorized access or violating a site's terms of agreement make it a felony for researchers and journalists to investigate whether sites engage in discrimination in their use of consumer-driven algorithms by pretending to be somebody that they're not for auditing purposes. Read more about their suit here.