When Sharing Passwords Becomes a Federal Crime
How a Ninth Circuit ruling turned routine password sharing into potential exposure under the Computer Fraud and Abuse Act.
Many people share passwords every day, whether it is to stream movies, check a joint bank account, or help a colleague finish a project. Yet under certain circumstances in the United States, password sharing can cross a line from harmless convenience into a violation of federal anti-hacking law. This shift is largely tied to how courts interpret the phrase “accessing a protected computer without authorization” in the Computer Fraud and Abuse Act (CFAA), and a key decision by the Ninth Circuit Court of Appeals has made that line both clearer in some ways and more worrying in others.
Understanding the Law Behind the Password
The central statute in this debate is the Computer Fraud and Abuse Act, codified at 18 U.S.C. § 1030. Originally enacted in 1986 to combat serious hacking involving government and financial systems, the CFAA now applies to almost any internet-connected device or service classified as a “protected computer.” Because nearly all modern servers and platforms fall within that category, its reach is extremely broad.
Among other things, the CFAA makes it a crime to:
- Intentionally access a computer without authorization or by exceeding authorized access, and thereby obtain information from any protected computer.
- Access a protected computer without authorization with intent to defraud, and by such conduct obtain anything of value.
Employment Benefits for Domestic Partners >
Two phrases drive most controversy:
- “Without authorization” – accessing when you have no valid permission at all.
- “Exceeds authorized access” – going beyond the scope of permission you do have.
Congress did not define these terms with precision in the statutory text, leaving courts to determine what counts as unauthorized access in practice. That judicial interpretation is where password sharing becomes legally risky.
The Nosal Case: A Turning Point on Authorization
The Ninth Circuit’s key decision on password sharing arose from a long-running prosecution of a former employee of an executive search firm, often referred to as the Nosal case. After leaving the company, the former employee allegedly persuaded current staff to use their still-valid login credentials to access the firm’s proprietary database, even though the firm had revoked his own access.
In the final appellate decision, the Ninth Circuit held that once an employer clearly revokes an individual’s access to its systems, that person acts “without authorization” under the CFAA if he later gains entry using someone else’s username and password. The court described the situation in straightforward terms: when authorization is affirmatively revoked, a user cannot “go through the back door” by borrowing another employee’s login to reach the same system.
This ruling affirmed criminal convictions under provisions of the CFAA that require proof of unauthorized access combined with intent to defraud and acquisition of information or value. Although the facts involved a business database, the reasoning raised an immediate question: Does this logic also apply to everyday password sharing for consumer services?
Why Everyday Users Started Worrying
Following the Nosal decision, several media outlets ran headlines implying that sharing a streaming password—such as a Netflix or HBO account—had suddenly become a federal crime. These stories seized on the idea that using a password issued to someone else could be viewed as accessing a protected computer “without authorization” when the platform’s terms of service bar credential sharing.
Legal analysis, however, has been more cautious. Scholars and practitioners have noted key differences between the conduct in Nosal and common personal password sharing:
- The Nosal case involved commercial misuse of a company’s proprietary database for competitive advantage.
- The defendants allegedly acted with intent to defraud and obtain valuable trade secrets, triggering specific CFAA provisions.
- The company had explicitly revoked the former employee’s permission to use its systems.
In contrast, typical personal password sharing for entertainment services usually does not involve fraud or competitive misuse, and providers often tolerate the practice in limited forms. According to detailed academic commentary on the Nosal ruling, the Ninth Circuit would likely treat casual streaming password sharing differently under the CFAA, although the law in this area remains unsettled because no comparable cases have yet reached the appellate courts.
How Courts Read “Without Authorization”
One central dispute is whose permission actually matters. Does authorization come only from the system owner (for example, a company or platform), or can a legitimate account holder grant someone else valid permission to use their credentials?
In Nosal, the Ninth Circuit’s majority approach gave significant weight to the owner’s revocation of access. Once the company withdrew the former employee’s rights, any access to its database by him—whether direct or through shared passwords—was considered unauthorized. Some judges and commentators worried that this reasoning risked criminalizing common scenarios in which password sharing occurs with user consent but contrary to a site’s policies.
However, a later Ninth Circuit case involving Facebook narrowed that concern somewhat. In a decision addressing a third-party service that accessed Facebook accounts using user-provided credentials, the court acknowledged that a legitimate user can authorize another person or entity to use their username and password, even if doing so violates a platform’s terms of service. In that situation, the service initially acted with user authorization, and Facebook’s computers were accessed lawfully until Facebook itself sent a clear notice revoking consent.
When Facebook later blocked access and sent a formal cease-and-desist, any continued login attempts became “without authorization” under the CFAA. This decision suggests two important principles:
- A legitimate user’s consent may create valid authorization for a third party, at least until the system owner explicitly revokes permission.
- Once the owner clearly withdraws consent, further access—whether by the user or their delegate—can be treated as unauthorized and potentially criminal.
Business Systems vs. Consumer Accounts: A Legal Comparison
| Context | Typical Purpose | Owner’s Role | CFAA Risk Level |
|---|---|---|---|
| Employer proprietary database (e.g., Nosal) | Access to trade secrets, client lists, or confidential business data. | Employer grants and revokes access; policies and revocation notices are usually explicit. | High – especially after access is revoked or when intent to defraud is present. |
| Social media accounts | Personal communication and social networking. | Platform sets terms of service; may tolerate limited password sharing but can block or revoke. | Moderate – risk increases if platform sends clear revocation notice and access continues. |
| Streaming services (e.g., Netflix) | Media consumption, often with multi-user plans. | Provider controls system and account-level rules; often allows household sharing. | Unclear – expert analysis suggests casual sharing is unlikely to be treated as criminal under current Ninth Circuit law. |
| Online banking or health records | Highly sensitive financial or medical data. | Institution strictly defines access; sharing credentials may violate contracts or regulations. | High – beyond CFAA, other civil and regulatory consequences are likely. |
Key Factors That Turn Password Use Into a Crime
Because the CFAA is both broad and heavily interpreted by courts, no single rule covers every situation. However, several factors strongly influence whether password sharing can expose someone to criminal liability:
- Clear revocation of access: If the system owner has expressly revoked your access—through termination, a written notice, or blocked credentials—and you regain entry by using another person’s password, courts are more likely to view that as “without authorization” under the CFAA.
- Intent to defraud or obtain value: Sections of the CFAA require proof that the defendant acted with intent to defraud and obtained something of value, such as proprietary data, trade secrets, or financial benefit. Casual use of a shared password to watch a movie typically does not involve this kind of fraudulent intent.
- Nature of the system accessed: Accessing a corporate database containing confidential business information raises different legal concerns than using a shared login for entertainment media. Courts are more likely to scrutinize commercial misuse or competitive exploitation.
- Owner’s response: Where platforms or employers explicitly notify users or third parties that continued access is forbidden—such as through a cease-and-desist letter or technical blocking—later attempts to log in carry greater risk.
- Policy vs. law: Violating a company’s internal policies or a website’s terms of service does not automatically equal a CFAA crime. Several courts have emphasized that mere breaches of contractual rules should not be transformed into federal hacking offenses.
Practical Implications for Employees and Businesses
For employers, the Nosal line of cases underscores the importance of managing access rights clearly and consistently. Once a company revokes an employee’s access to its systems, any attempt by that person to reconnect using someone else’s credentials may support both criminal allegations under the CFAA and civil claims under trade secret or contract law.
Companies can strengthen their position by:
- Providing written notice to departing employees that access has been revoked and that any further use of company systems is unauthorized.
- Enforcing strict rules against sharing corporate login credentials, supported by training and monitoring.
- Implementing technical controls to quickly disable accounts and log unusual login patterns that suggest indirect access.
Employees—particularly those leaving an organization—should understand that using a colleague’s password after termination is not merely a policy violation. In the Ninth Circuit, such behavior has already led to criminal convictions.
What This Means for Everyday Internet Users
For ordinary users, the legal risk profile is different but worth considering. Academic legal analysis suggests that the Ninth Circuit would likely treat typical subscription video-on-demand password sharing—such as allowing a family member to use your account—as outside the scope of criminal CFAA liability, at least under current case law. There are several practical reasons:
- Streaming providers often design their plans to accommodate multiple simultaneous users and household sharing.
- There is usually no intent to defraud the platform in the sense contemplated by the CFAA’s fraud provisions.
- No court has yet upheld a criminal CFAA conviction based solely on personal password sharing for consumer media services.
Nonetheless, users should be aware that:
- Service providers may still view extensive password sharing as a violation of contract and could respond by canceling accounts or limiting access.
- If a platform sends a clear notice that continued access is prohibited for a specific account or user, ignoring that notice while continuing to access could move closer to the kinds of behavior courts have found problematic under the CFAA.
- Sharing credentials to access systems containing financial, medical, or sensitive work-related information may create much higher legal and practical risk, irrespective of whether the CFAA applies.
Frequently Asked Questions
Does the Ninth Circuit decision mean all password sharing is illegal?
No. The decision focuses on situations where a system owner has revoked someone’s access and that person later returns using another user’s credentials, especially in a commercial or fraudulent context. It does not declare that all password sharing is automatically a crime.
Is it a federal crime to use my spouse’s streaming password?
Under current Ninth Circuit case law and expert legal commentary, casual streaming password sharing in a household is unlikely to be treated as a criminal CFAA violation, though it may violate the service’s terms in some cases. There is no reported appellate decision criminalizing that specific behavior.
What if I log in with a co-worker’s permission after I leave a job?
This scenario resembles the Nosal case. When your employer has terminated your access, using a co-worker’s credentials to reach the employer’s systems can be treated as accessing “without authorization” under the CFAA, even if the co-worker consented.
Can a legitimate user give me valid permission to use their account?
In some contexts, yes. A later Ninth Circuit decision involving Facebook recognized that a user can authorize a third party to access their account with their username and password. However, once the system owner explicitly revokes that access, continued use becomes unauthorized.
Are violations of terms of service the same as CFAA crimes?
No. Multiple courts, including the Ninth Circuit, have warned against treating every breach of a website’s rules or a company policy as a federal hacking offense. To trigger criminal CFAA liability, the conduct typically must involve unauthorized access combined with additional elements such as fraud or obtaining value.
How to Reduce Legal Risk While Using Shared Passwords
Individuals and organizations can take practical steps to avoid turning everyday digital habits into legal problems:
- Respect revocation notices: If a company or platform tells you that you no longer have permission to access a system, do not attempt to log in using anyone else’s credentials.
- Limit sharing to low-risk contexts: Restrict password sharing to services specifically designed for multi-user or household access, and avoid sharing credentials for systems that contain sensitive or proprietary information.
- Use built-in sharing features: Many platforms offer family accounts, team workspaces, or delegated access tools that allow sharing without credential reuse.
- Employers should clarify policies: Clear, well-communicated rules about login sharing and post-termination access reduce ambiguity and support both security and legal compliance.
References
- United States v. Nosal (Nosal II), No. 14-10037 — U.S. Court of Appeals for the Ninth Circuit. 2016-07-05. https://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14-10037.pdf
- Computer Fraud and Abuse Act Ruling: Did the Ninth Circuit Just Criminalize Password Sharing? — Seyfarth Shaw LLP (Trade Secrets Law Blog). 2016-07-11. https://www.tradesecretslaw.com/2016/07/articles/computer-fraud-and-abuse-act/computer-fraud-and-abuse-act-ruling-did-the-ninth-circuit-just-criminalize-password-sharing/
- Password Sharing Isn’t a Crime, EFF Tells Ninth Circuit — Electronic Frontier Foundation. 2016-04-15. https://www.eff.org/password-sharing-is-not-a-crime
- Is Using a Shared Netflix Password a Federal Crime? — NYU Journal of Intellectual Property & Entertainment Law. 2017-03-01. https://jipel.law.nyu.edu/is-using-a-shared-netflix-password-a-federal-crime/
- Latest On Password Sharing From The Ninth Circuit — Chase Law Group. 2017-05-01. https://chaselawmb.com/latest-on-password-sharing-from-the-ninth-circuit/
- Password Sharing Is Now a Crime — Schneier on Security. 2016-07-08. https://www.schneier.com/blog/archives/2016/07/password_sharin_1.html
Read full bio of Sneha Tete





