If you’re online a lot in Texas, you may soon need the advice and services of a Dallas criminal defense attorney, because a recent court ruling by the U.S. Court of Appeals for the Ninth Circuit just made sharing your Netflix password – and lying about your age on Facebook – potentially criminal acts. In July 2016, a three-judge panel determined that David Nosal had used computer passwords “without authorization” and upheld his 2013 federal conviction on a six-count indictment for violations of the Computer Fraud and Abuse Act of 1986 (CFAA).

Precisely what were the judges deciding in United States v. David Nosal, and does the ruling really prevent you from sharing your Netflix password with others? In 2004, David Nosal resigned from Korn Ferry, an executive search and recruiting company based in Los Angeles. Nosal agreed not to compete with the company for one year. Soon after resigning, however, Nosal persuaded three Korn Ferry employees to help him launch a new executive search and recruiting business. Before resigning from Korn Ferry, the three downloaded “highly confidential and proprietary” information from the company’s computers – for their own use.

In 2008, the federal government indicted Nosal and the three employees for twenty violations of the Computer Fraud and Abuse Act of 1986. Federal prosecutors charged that the four had no authorization to download data “knowingly and with intent to defraud” from Korn Ferry’s computers. Nosal’s attorneys insisted the CFAA was designed to target hackers and “does not cover employees who misappropriate information or who violate contractual confidentiality agreements.” Nosal’s lawyers pointed out that as Korn Ferry employees, Nosal’s associates did not “act without authorization.”


The Computer Fraud and Abuse Act is both a criminal law and a civil law that creates a private right of civil action. It allows individuals and companies to sue for damages caused by violations. The CFAA makes liable anyone who “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value.”

The U.S. District Court for the Northern District of California agreed with Nosal and dropped the counts based on the CFAA from the indictment. Prosecutors appealed this move, arguing that Nosal and his accomplices indeed acted without authorization because Korn Ferry’s computer policy restricts the “use and disclosure of all information, except for legitimate Korn Ferry business.”

When the Ninth Circuit Court heard the appeal in 2011 and rendered their decision in 2012, the judges ruled that an employee “exceeds authorized access” under the CFAA when an employee violates an employer’s written access policies and restrictions. Since Korn Ferry had computer use restrictions in place which the defendants violated, the Ninth Circuit Court overturned the District Court’s ruling and ordered the District Court to reinstate the five counts based on the CFAA.


Nosal’s attorneys argued that Ninth Circuit Court would turn millions of us into criminals because almost everyone occasionally uses their computer at work to check their personal email, a sports score, or a news or weather story. These small and harmless acts are in fact technical violations of most employers’ computer policies. Some legal observers voiced similar concerns, fearing the prospect of federal prosecutions for actions like lying about your age on Facebook – a violation of Facebook’s terms of service.

The court’s response is that such small and harmless acts lack any “intent to defraud” and are not “furthering fraud by obtaining something of value” as required for prosecution under the CFAA. However, other parts of the Computer Fraud and Abuse Act of 1986 do not include such requirements, so the current ruling may in fact still allow for the prosecution of harmless behaviors that had previously been considered out of the range of the CFAA.

After the U.S. District Court for the Northern District of California tried the case again in 2013, Nosal was convicted on six charges. He appealed his conviction to the Ninth Circuit Court, and in July 2016, a three-judge panel affirmed the conviction by a 2-to-1 vote and found that Nosal had acted “without authorization.” In this second decision, the Ninth Circuit Court “rejected the defendant’s contentions regarding jury instructions and sufficiency of the evidence in connection with the CFAA counts, as well as his sufficiency-of-the-evidence, instructional, and evidentiary challenges….”


So, does David Nosal’s conviction make it illegal to share your Netflix password? Probably not, although the courts haven’t directly ruled on the question. Yes, “Terms of Service” violations and password sharing could potentially be seen as violations of the Computer Fraud and Abuse Act of 1986. However, Judge Stephen Reinhardt of the Ninth Circuit, the dissenting judge on the three-judge panel that affirmed Nosal’s conviction, wrote in his dissenting opinion, “In my view, the Computer Fraud and Abuse Act (“CFAA”) does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”

“This case is about password sharing. People frequently share their passwords, notwithstanding the fact that websites and employers have policies prohibiting it,” Judge Reinhardt added. But Judge Reinhardt is not the only person who thinks that sharing your Netflix password should not result in a criminal prosecution. Early in 2016, Netflix CEO Reed Hastings even encouraged password sharing and called it a “positive” thing.

In a world where plenty of murderers, terrorists, drug lords, and other violent criminals still terrorize the innocent, it’s hard to imagine that a United States Attorney would prosecute anyone for sharing a Netflix password or lying about his or her age on Facebook. Yet stranger things have happened. Some internet crime defendants have been wrongly accused, or they simply made a mistake, went to the wrong site, or downloaded the wrong item.

In fact, virtually anyone could be prosecuted because almost everyone has made a mistake online at some point – or has used an employer’s computer to check personal email. While you probably won’t be prosecuted for sharing your Netflix password, you’re going to need the counsel of an experienced Dallas criminal defense attorney if you are charged with any computer-related crime in the Dallas-Fort Worth area.