I don't think this necessarily sets a bad precedent on its own, and I think it would take a lot of work to expand it into the consumer world from the corporate issue directly faced in the trial. The judge may not know the criteria of how deep this goes, but using a physical analogy actually helps in this case, I think:
A worker gave a key to an ex-employee to the company's front door and the company keeps the file cabinets unlocked (or uses the same key). That worker did not have consent from her employers to give that key to a non-current employee. That employee especially did not have consent to give access to the file cabinets to the ex-employee.
From a physical analogy perspective, I think it's a lot harder to shift the precedent to something like Netflix: Someone sharing a Netflix password is roughly like lending your apartment key to a friend or relative with consent that they might stop over and watch TV sometimes (in exchange for maybe watering the flowers or taking out the trash or whatever). In this analogy Netflix is essentially your landlord and pays the building's cable utility bill. It's possible your landlord might object to your friends stopping by and watching your TV, but that's generally considered an overbearing landlord and people will move to a kinder building to avoid that sort of micro-management.
In real terms, you see Netflix (and HBO GO and Hulu and everybody) cracking down on and setting explicit maximums on number of connected devices or number of simultaneous streams rather than "number of password holders to an account", because A) that's technically easier, and B) it's a lot less overbearing and "big brother landlord".
*in the Ninth Circuit, so: Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, Washington, Guam, and the Northern Mariana Islands. So if you're not in those areas, don't panic so much yet.
This is a blatant misreading of the ruling in this case; the actual explicitly stated rationale for finding that the use of the system was without authorization is not password sharing, it is affirmative revocation of authorization by the system owner. Password sharing was the mechanism by which access was achieved after the revocation, but it is not that mechanism, but the revocation, that was key to the ruling. [0]
Incidentally, the schneier.com post has basically no original content, its just excerpting from one highly-editorialized report of the ruling [1] and then excerpting from the EFF response to the ruling (which also flat-out ignores the explicitly-stated basis for the ruling) [2].
[0] http://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14... -- "once authorization to access
a computer has been affirmatively revoked, the user cannot
sidestep the statute by going through the back door and
accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and
the back door." (pp. 4-5)
3 comments
[ 6.1 ms ] story [ 18.9 ms ] threadA worker gave a key to an ex-employee to the company's front door and the company keeps the file cabinets unlocked (or uses the same key). That worker did not have consent from her employers to give that key to a non-current employee. That employee especially did not have consent to give access to the file cabinets to the ex-employee.
From a physical analogy perspective, I think it's a lot harder to shift the precedent to something like Netflix: Someone sharing a Netflix password is roughly like lending your apartment key to a friend or relative with consent that they might stop over and watch TV sometimes (in exchange for maybe watering the flowers or taking out the trash or whatever). In this analogy Netflix is essentially your landlord and pays the building's cable utility bill. It's possible your landlord might object to your friends stopping by and watching your TV, but that's generally considered an overbearing landlord and people will move to a kinder building to avoid that sort of micro-management.
In real terms, you see Netflix (and HBO GO and Hulu and everybody) cracking down on and setting explicit maximums on number of connected devices or number of simultaneous streams rather than "number of password holders to an account", because A) that's technically easier, and B) it's a lot less overbearing and "big brother landlord".
*in the Ninth Circuit, so: Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, Washington, Guam, and the Northern Mariana Islands. So if you're not in those areas, don't panic so much yet.
This is a blatant misreading of the ruling in this case; the actual explicitly stated rationale for finding that the use of the system was without authorization is not password sharing, it is affirmative revocation of authorization by the system owner. Password sharing was the mechanism by which access was achieved after the revocation, but it is not that mechanism, but the revocation, that was key to the ruling. [0]
Incidentally, the schneier.com post has basically no original content, its just excerpting from one highly-editorialized report of the ruling [1] and then excerpting from the EFF response to the ruling (which also flat-out ignores the explicitly-stated basis for the ruling) [2].
[0] http://cdn.ca9.uscourts.gov/datastore/opinions/2016/07/05/14... -- "once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. Unequivocal revocation of computer access closes both the front door and the back door." (pp. 4-5)
[1] https://motherboard.vice.com/read/password-sharing-is-a-fede...
[2] https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses...