There’s also precedent that violating TOS alone is not a CFAA violation. So don’t panic yet.
This occurred after the company had expressly revoked Nosal’s own login credentials to prevent him from accessing the database.
I would say that’s kind of an important detail.
This wasn’t a service for which you could pay $10 to obtain a password. So this isn’t a case of some people who would otherwise be allowed access taking a shortcut. These people were decidedly and knowingly barred from using the service.
Requisite faulty real world analogy: if I give the dog walker a key, they are not free to share copies of that key with their friends and stop by to borrow some sugar.
I had hoped that this would not come from the EFF. The exact issue here is that there was explicitly revoked access, and the defendants chose to violate that. I’m not so sure that this would hold up for anyone attempting to use someone else’s password, but rather, it might hold up if anyone who was banned from a site deliberately and knowingly used someone else’s password to get on the site. Even that, though, I think is a stretch. I think this really only applies where access is restricted to explicitly authorized individuals (for example, employees), and access has been explicitly revoked. There’s too much at play here to claim the precedent set from this case to be “sharing passwords is illegal.”