Don’t call it password sharing, because it’s not

Have you heard the latest? Sharing passwords is illegal. At least that’s what the headlines are telling us:

Password Sharing is a Federal Crime, Appeals Court Rules

US appeals court upholds conviction over shared password

Chap fails to quash ‘shared password’ ‘hacking’ conviction

Let’s see if we can’t dissect the story to find out what’s really going on.

A man named David Nosal left his job to start his own company. He had a ‘non-compete’ clause that stipulated that he couldn’t work for a competitor for one year – which is what his startup was going to be. During that year, he worked as a consultant for his old company. While working in that capacity, he was not given access to certain data systems; in other words, he was restricted from getting to the data in those systems.

So far, there doesn’t seem to be a problem.

Well, during his time working as a consultant for his old company, it seems that he actively recruited his coworkers to leave their employer and join him in his company. In addition, he was able to get several of these coworkers to give him their access credentials to the accounts to which he did not have access. He used those credentials to steal information from the company.

That’s the gist of it.

This isn’t a case of his buddies letting him log in for convenience (e.g. “I haven’t got my password, yet.”), but of accomplices knowingly giving him access to data that was safeguarded by passwords that they had been entrusted to protect. His partners in crime knowingly violated corporate policy that was in place to protect data. And then they left the company and signed up with Mr Nosal’s new company.

Does that sound like password sharing that you and your girlfriend / boyfriend / husband / wife / grandparent / child / brother / sister do on your email, Facebook or Netflix account?

Mr Nosal’s lawyers are making this out to be a case of password sharing, when it’s a pretty clear case of actual theft of privileged corporate data: it’s corporate espionage.

Why this is being made out to be a case of a big company coming down on password sharing by the little folk is beyond me.

One of the problems with security, in general, and, more specifically, passwords is that we’re loose with the terminology. By accepting that this case has anything to do with ‘sharing’ of passwords, we’re confusing the security discussion. Systematically stealing corporate data with the intent of misusing that data (against your former employer) is a far cry from sharing your Yahoo! password with a relative. (Note: Sticky Password does not advise sharing of passwords.)

Using Mr Nosal’s case to create new ‘anti-password sharing’ laws or as a precedent for broader enforcement of ‘violations’ of password sharing as it is commonly understood – as is suggested in the articles, above – would be to misunderstand his willful breaking of existing corporate data theft laws. By shaping the argument as simple password sharing, his attorneys are pushing for enhanced enforcement of harmless activities. His gain would be our loss.

The result of which can only be more security confusion and more bad passwords.