This post was also written by Chris Cwalina.

The theft of services has always been illegal in Tennessee. However, consumers in Tennessee, like those across the country, routinely share their passwords to online subscription-based services like Netflix, Rhapsody, Pandora, and Hulu. The Tennessee General Assembly has addressed this issue by amending the State’s theft-of-services statute. The newly revised statute makes it a criminal act to help anyone obtain a service to which he or she is not entitled, including “entertainment subscription service[s]”. The revision has been signed by the Governor and is immediately effective. See a copy of the enacted law (attached) as well as legislative commentary.

While the measure was widely reported as making it illegal to share passwords to online services, in fact the word “password” is not used in the revision. Tennessee’s measure is neutral as to the technology used. Whether access to the online entertainment service is based on passwords or tokens or biometric data, now or in the future, paying customers cannot legally share their path to access with non-subscriber friends and family.

The Tennessee measure addresses only the tip of the iceberg when it comes to password sharing (hereafter, a term meant to include all sharing of methods of access online). A person stealing Netflix Instant access is no different from a cable thief, or a thief of physical goods. That much should be uncontroversial. The real, unanswered question is to what extent customers should be allowed to share passwords with third parties for purposes, not of theft, but of agency. More and more, consumers are entrusting third parties with the account numbers and passwords issued to them by their banks, credit card companies, retirement plans, and other holders of consumer accounts and lines of credit. This password-sharing may be for purposes of storing all passwords in one central location (like LastPass), or for purposes of having an agent retrieve financial information from multiple accounts to compile one snapshot for the consumer (like Mint.com or CashEdge), or even to have an agent arrange for automated bill payment. Consumers provide their account passwords to these third parties, who generally have not been vetted or approved by the companies issuing the password and holding the consumer account. The Tennessee statute does not address this circumstance. The next part of our Problems with Passwords series will deal with the privacy and competitive intelligence risks posed by the widespread (and growing) consumer practice of password sharing with third parties for purposes of agency.