The US 9th Circuit Court ruled that using someone else's password with their permission but without the permission of the site owner is a federal crime. from Jeffrey Walton on 2016-07-15 (public-webappsec@w3.org from July 2016)

From: Jeffrey Walton <noloader@gmail.com>
Date: Fri, 15 Jul 2016 13:40:11 -0400
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAH8yC8=H9pNVO4W-zck06F-Q3hZcm9fD3+O5AtzT0gLZrinR7w@mail.gmail.com>

This showed up in Schneier's newsletter at
https://www.schneier.com/crypto-gram/archives/2016/0715.html:

    In a truly terrible ruling, the US 9th Circuit Court ruled that using
    someone else's password with their permission but without the
    permission of the site owner is a federal crime. This means that
    if you give someone else your Netflix password without Netflix's
    permission, you're a criminal.

There seems to be an intersection with the Web Security model, where
interception is a valid use case. It appears the box performing the
interception cannot proxy the request without the origin's permission.
Otherwise, it seems to be resue of the user's password without
permission or consent.

I'm guessing it will apply to other sensitive information, too.

Jeff

Received on Friday, 15 July 2016 17:40:40 UTC