This weekend, New York Times tech journalist Jenna Wortham made a confession that could be used to send her to prison for a year or more. What was the startling criminal admission? She uses someone else’s password to sign into the cable-subscriber-only HBO Go app to watch ‘Game of Thrones.’
[Some friends and I] all had the same plan: to watch the season premiere of “Game of Thrones.” But only one person in our group had a cable television subscription to HBO, where it is shown. The rest of us had a crafty workaround.
She says “crafty.” A federal prosecutor might substitute “illegal” there.
We were each going to use HBO Go, the network’s video Web site, to stream the show online — but not our own accounts. Our behavior — sharing password information to HBO Go, Netflix, Hulu and other streaming sites and services — appears increasingly prevalent among Web-savvy people who don’t own televisions or subscribe to cable.
While Wortham was aware that the companies she contacted for comment about this might not be happy about her accessing their services for free, she seems wholly unaware that the activity was potentially illegal. Just like the many BitTorrenters who have made Game of Thrones the most pirated show on the Internet, Wortham is getting her content in a way that could put her on the wrong side of the law.
After the New York Times got a flood of complaints about Wortham committing piracy by jumping over entertainment providers’ pay walls, New York Times public editor Margaret Sullivan addressed the issuein a column. Strangely Sullivan only addressed the ethics of password-sharing not the legality of the practice, concluding by saying that Wortham might write another column “exploring the ethical issues” and might now instead watch ‘Game of Thrones’ at a bar.
It was left then to Mike Masnick at TechDirt to point out that Wortham had admitted to violating federal laws, including the Computer Fraud and Abuse Act (or CFAA) which has been the target of heated debate given its use in the controversial prosecutions of AT&T iPad hacker Andrew “weev” Auernheimer and public document hacker Aaron Swartz. The CFAA makes it a crime “to obtain without authorization information from a protected computer.” It’s a misdemeanor with a maximum one-year prison sentence. What Wortham describesis unauthorized access, in that it violates the companies’ terms of service.
“[I]f someone is violating Netflix or HBO Go’s TOS to stream they are guilty of a misdemeanor CFAA right off the bat,” says Hanni Fakhoury of the EFF. And if the worth of the stolen information or damage caused in its procurement reaches $5,000 (that’s a lot of HBO episodes!), it could be a felony with multiple potential years of prison time.
HBO Go’s TOS are strict; they say you must be a “subscriber with an account in good standing with an authorized distributor of HBO” to use the app. Netflix is far more lenient in its TOS recognizing that a “household” will share an account. Though it doesn’t define what a “household” means, it does say in all caps that its users can watch Netflix on six different devices, and stream shows on up to two of those devices at the same time.
“It would also probably be a violation of 18 USC 1028, which generally criminalizes identity theft,” says Fakhoury, pointing to the part of the statute that prohibits providing identification to others “that will be used to commit, or to aid or abet, unlawful activity.”
Masnick writes that the problem with the CFAA is that it “criminalize[s] things that most people don’t really think are bad or illegal. That is, they often criminalize someone (or at least make them open to huge civil awards) for the types of things plenty of people do everyday without thinking twice about it.”
Wortham’s confession has led others to come clean, including our own Dave Thier who calls password-swapping “legalish, simple, and very difficult for companies to police.” Actually, it might be better to call it “illegalish” given that, unless the CFAA is reformed, TOS violations are criminal behavior. And it shouldn’t actually be that hard for companies to police; they’re just ignoring the issue for now.
Wortham talked to a representative at HBO who said the network doesn’t see password sharing as a “pervasive problem at this time.” Wortham speculates that part of the reason they’re not policing this is “because they can’t,” with the HBO rep telling her that they “have little ability to track and curtail their customers who are sharing account information.” That seems less believable to me than that Robb Stark is going to survive this season of Game of Thrones.
“It’s extremely unlikely that providers wouldn’t be able to ascertain how many unique browsers/users/ip addresses are logged in via the same user account,” says security researcher Ashkan Soltani. “It’s possible that some of these implementations are not monitoring for these types of events but technically, the ability to do this is afforded by even the most simple of authentication system designs. I think it’s just a factor of how much of a priority it is for a company.”
It sounds like HBO Go is not going after the non-subscribers who are finding their way to subscription content for now. (Not that that necessarily matters in the eyes of the law. Even when JSTOR dropped its case against Aaron Swartz for hacking into its system to download academic papers, federal prosecutors continued to pursue him.) But it’s worth noting that password sharing isn’t a legal grey area, or simply unethical. As the law stands now, the many, many people who are sharing passwords to get their dragon and swords fix are actually committing a misdemeanor — and potentially, with some creative accounting, a felony. That’s even crazier than the justice meted out to Ned Stark.