How sharing a Netflix password could land you on a federal terrorism watchlist

If there is one single significant indication that our computer crimes laws are in serious need of reform, it's this: Sharing a Netflix password could land you on a federal terrorism watchlist.

It may sound absurd, but it's true, according to a guidebook leaked by former NSA contractor Edward Snowden and published last year by the news website The Intercept.

The guidebook is a set of instructions given to various federal government agencies throughout the United States about the criteria used to determine whether a person is included on a handful of anti-terrorism watchlists. 

Those lists include the infamous "Do Not Fly" list that the TSA uses to screen passengers before they are allowed to board airplanes in the United States. They also include lists that federal law enforcement agents use to conduct surreptitious surveillance on individuals considered to pose a threat to homeland security.

Three pages of the document, which you can access here, detail what the federal government considers to be a terrorism-related activity. Such activity includes destruction of aircraft, use of chemical weapons against a civilian population and assassination attempts against the president.

It also includes "damaging a protected computer used in interstate or foreign commerce" as defined by the Computer Fraud and Abuse Act, the federal anti-hacking statute that criminalizes, among other things, accessing a website or a web service without the permission of the website or service operator and the sharing of usernames and passwords.

In fact, the guidebook specifically points to government code 18 USC 1030(a)(5)(A), which criminalizes "transmitting of a program, information, code or command" and therefore accessing or damaging a "protected computer."

To the average person, it might sound silly that sharing a Netflix password or using someone else's HBO Go login would be consider "transmission of a code" as defined by federal law.

But that's exactly what prosecutors argued in USA v. Keys, the criminal case that recently ended with a three-count felony conviction. In that case, prosecutors alleged that using a username and a password to log on to a website was "transmission of code," and therefore a violation of the Computer Fraud and Abuse Act.

That's a problem, because using someone else's username and password to watch Netflix or HBO is something that has become relatively common among Internet users. And while most users would admit that sharing a Netflix or HBO password is probably something they shouldn't be doing, they might also be surprised to learn that it's a crime the government considers to be so serious, it could land them on a terrorism watchlist.

Worst, the guidelines say that the placement of a name on the terrorism watchlist is not just limited to the person believed to have committed the offense, but their associates as well. Translation: Sharing a Netflix password could have a dramatic effect on a person's friends, their family, their boss and their co-workers — anyone the government wishes to target — simply because a person violated an antiquated and draconian computer crimes law.

The entire process of placing a name on the terrorism watchlist is shrouded in secrecy, making it virtually impossible to know how often the government creates terrorists out of people who share Netflix or HBO credentials. 

But the mere fact that the government has that ability is startling — and indicative of just how broken federal computer crimes laws have become.

To make matters worse, the Obama administration is proposing toughening the CFAA to make even more routine offenses punishable by years in prison. It could even criminalize research that security experts and journalists alike depend on to keep the public informed and safe.

One such provision would make it an immediate felony to share a Netflix password — an offense that not only lands a person on a terrorism watchlist, but could also land them behind bars for years. Another provision would criminalize the downloading and dissemination of material posted online by hackers, meaning journalists who access the data as part of their research into a story on security breaches could also be labeled a terrorist and imprisoned.

There is some hope though: Recently, President Obama acknowledged that the criminal justice system is in serious need of reform, that taxpayers are spending an absurd amount of money on prosecutions that yield severe punishments for low-level, non-violent offenders. President Obama has focused mainly on reforming the justice system with respect to drug offenses, and that's a nobel start. 

But President Obama should also reconsider his administration's stance with regard to computer-related offenses. Computer hacking laws are necessary to protect the public from bad actors — nobody wants their credit card information stolen or their phone turned into a paperweight — but the current anti-hacking statute is too broad and goes too far in criminalizing what everyday netizens have come to know as routine online behavior like the sharing of user credentials to streaming video services.

President Obama needs to re-consider his proposals with respect to how everyday Americans use the Internet, and bring the federal anti-hacking statute in line with such behavior. And the federal government should reform their terrorism criteria so that it is limited only to the most-egregious threats and offenses committed against the United States.

Nobody should be labeled a terrorist simply for watching Netflix.

---

Matthew Keys is the managing editor for a digital news startup and a freelance reporter covering media and the intersection of technology and policy. For his federal criminal case, USA v. Keys, he is represented by attorneys Tor Ekeland, Jay Leiderman and Mark Jaffe. His conviction is pending appeal to the Ninth Circuit Court of Appeals, where a ruling on the case could help narrow the application of the Computer Fraud and Abuse Act. His legal team is fundraising for the appellate effort here.