Pop star tells fans to send their Twitter passwords, but it might be illegal

As a new way to connect with his fans, Jack Johnson—one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name—has spent the last month soliciting social media passwords.

Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn’t go for the shorter and catchier #JackHack, we’ll never know.) Then, Johnson posts under his fans’ Twitter accounts, leaving a short personalized message, as them.

Here's one example:

. @JackJ today hacking @niallsstitches Twitter #HackedByJohnson pic.twitter.com/X5b64S1C4Y

— Jack and Jack (@jacksmeup) July 12, 2016

While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s.

"While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans’ and the entertainer’s conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.

Recent years have seen a number of high-profile CFAA criminal prosecutions, including Matthew Keys, Chelsea Manning, and the late Aaron Swartz. An effort to reform that law has languished in Congress. (Keys is likely to report for a two-year prison sentence next month after he was convicted of criminal charges under the CFAA of having handed over a password that resulted in a defacement of a Los Angeles Times article for 40 minutes.)

In a recent profile, The New York Times described Johnson’s efforts as a "minor act of youthful rebellion. The whole encounter delivers a heady mix of intimacy and transgression—the closest digital simulation yet to a teenage crush." For now, Johnson's activities have prompted no reports of misuse.

Regardless of the legalities, Matwyshyn added that this is simply not a very smart practice.

"From a security standpoint, the promotion’s structure needlessly exposes both fans and the entertainer to risk," she e-mailed. "Encouraging fans to engage in bad password practices and to expose themselves to increased risk of identity theft is not looking out for fans’ best interests. Password hoarding also places a bullseye on the entertainer as an attractive target for malicious attackers, further potentially placing fans at risk."

By making it known that his account is a repository of teenagers' Twitter passwords, Johnson has made his own account a target. For what it’s worth, Johnson’s attorney, Eric Galen, told Mic that his client deletes the passwords the same day they are sent and that he uses 2-factor authentication on his own account. There is no way to independently verify this.

Galen did not immediately respond to Ars’ request for comment.

Twitter users who hand over their passwords are breaking Twitter’s Terms of Service. But there’s no evidence that the company has punished Johnson for enticing his fans to send him passwords or his fans for sending them, even privately. Twitter spokesman Nu Wexler did not respond to Ars’ inquiries as to whether anyone had been disciplined as a result of the #HackedByJohnson campaign.

"Irrespective of ultimate liability, this probably opens the door to complaints and headaches for @JackJ," Paul Ohm, a law professor at Georgetown University, told Ars.

"What happens when a fan who has sent him a password has his or her account hijacked? Will he/she blame @JackJ? Finally, I’m annoyed as a parent about this. It’s hard enough to teach kids how to navigate online security and safety without celebrities inviting bad practices."

For his part, Jay Leiderman, one of the attorneys for Matthew Keys, quipped to Ars: "if you give us your password, [fellow attorney Tor Ekeland] and I will tweet unicorns and rainbows from your Twitter account."