In the modern world passwords are ubiquitous. By the time we’ve finished our morning coffee we’ve likely used a password to check our email, access our computer, and even open the door to the office. In some contexts we understand (even if we don’t give it much thought), that the password doesn’t “belong” to us: the security code to the building where you work is a prime example. But in other settings a sense of personal ownership pervades. After all, we choose our own passwords for our email and social media accounts. The content of those accounts and even our choice of the password itself is often quite personal. Unfortunately, there is no clear-cut answer to the broad question of who “owns” a password. When personal and business contexts collide, however, one should keep these guidelines in mind:
The entity that owns the software likely owns the passwords protecting the software.
The case law in Oregon is sparse, but suggests that the owner of the system or software also owns the password that gives access to that system or software. Unauthorized use (for example, an employee’s withholding of the password) is analogous to theft from the owner. In State v. Schwartz a former employee of Intel was found guilty of theft when he copied access passwords which allowed access to the company’s computers. The court held that the term “property” as used in the theft statute, includes “anything of value,” and that the passwords had value. In concluding that theft had occurred, the question of whether that “property” belonged to Intel was never put at issue. Although these were passwords used to access individual computers they were Intel property and, one assumes, were not owned by the individuals to whom the passwords were assigned.
The software licensing agreement or an employee handbook can provide guidance to the ownership interest.
When a software program allows the user to choose their own password, the user may be under the mistaken assumption that they “own” the password they chose. Of course, just because I choose my Netflix password does not mean that I have an unbounded ownership interest in it: for instance, I am not under the impression that I can sell my password, and thus my Netflix access. Similarly, an employee handbook can make clear that the use of company computers necessarily involves a company interest. Understanding that a personal password on a company computer does not come with increased privacy rights can provide protection to the employer against potential litigation. This point was made in Thygeson v. US Bancorp, where the handbook warned that personal use of the computer was prohibited and monitored, and the employee therefore did not have a reasonable expectation of privacy. Of course, this doesn’t mean there can’t be overreaching. Oregon, like many other states has adopted legislation denying employers the right to even ask for an employee’s personal social media password.
The law of password ownership is still in its developing stages. As our reliance on technology and use of social media in the workplace continue to increase, password ownership is more likely to be at issue. At present, Oregon case law has been developing more through the criminal context (identity theft or unlawful searches) than on the intellectual property front. But while the contours of password ownership remain undefined, considerations of the underlying software ownership and restrictions in the licensing agreement may be the best guides.