February 6, 2017 | By Aileen Nguyen

Violating Terms of Use Isn’t a Crime, EFF Tells Court—Again

Have you ever violated a website’s terms of use, such as by using something other than your real name on a website that requires one, or by sharing your account password with a family member when doing so is prohibited? Probably. Have you ever clicked “I agree” without actually reading the terms in full? Again, highly likely. Violating corporate terms of use agreements should not be a crime—not only because people rarely read these agreements, but because the bounds of criminal law should not be defined by the preferences of website operators. And criminalizing terms of use violations would turn millions of people—practically all Internet users—into criminals on the basis of innocuous conduct.

We’ve convinced the Ninth Circuit Court of Appeals that the federal Computer Fraud and Abuse Act (CFAA) shouldn’t be read to criminalize corporate computer use restrictions, such as terms of use agreements. But last year, a federal district court in Nevada found a defendant guilty under both the California and Nevada state computer crime statutes for nothing more than that—violating Oracle’s website’s terms of use.

The case, Oracle v. Rimini Street, is on appeal to the Ninth Circuit, and we just filed an amicus brief explaining to the court why an overbroad interpretation of the state computer crime statutes would have the exact same disastrous outcome as an overbroad interpretation of the CFAA. The Ninth Circuit should listen to its own reasoning and avoid an interpretation of these statutes that turns innocent Internet users into criminals.

The computer crime allegations in the case involve a provision in Oracle’s terms of use prohibiting the use of automated methods to download support materials from the company’s website. Rimini, which provides Oracle clients with third party enterprise software support, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts. It did not, however, rescind Rimini’s authorization to access the files outright. Rimini continued to use automated scripts, and Oracle sued. The jury found Rimini guilty under both the California and Nevada computer crime statues, and the judge upheld that verdict—concluding that, under both statutes, violating a website’s terms of service counts as using a computer without authorization or permission.

Rimini Street appealed, and as we told the Ninth Circuit in our brief, the district court’s reasoning turns millions of Internet users into criminals on the basis of innocuous and routine online conduct. What’s more, by making it completely unclear what conduct is criminal at any given time on any given website, the district court’s holding is in violation of the long-held Rule of Lenity—which requires that criminal statutes be interpreted to give clear notice of what conduct is criminal.

You might be thinking that no prosecutor would try to prosecute everyone who has ever provided false personal information on Facebook. But a prosecutor could—under either law. This opens the possibility of arbitrary or discriminatory enforcement. For instance, assume you accidentally cut off your local district attorney in the turn lane. If terms of service violations were criminal, that prosecutor could turn around and go after you for listing an incorrect birth year on your Facebook profile. Avoiding this very situation is one of the reasons our Constitution requires our laws to be clear.

We hope the Ninth Circuit recognizes the dangers of the district court’s interpretation and reverses the ruling.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

This Wed 2/22 join EFF's @sheeyahshee at @PrototypePrime outside Atlanta to discuss surveillance and resistance https://www.eff.org/event/eff...

Feb 21 @ 6:19am

In Xilinx ruling, Federal Circuit suggests trolls still able to drag you to their distant lairs. https://www.eff.org/deeplinks...

Feb 17 @ 3:14pm

A ruling in Microsoft's fight against gag orders covering government requests for user data https://www.eff.org/deeplinks...

Feb 17 @ 2:14pm
JavaScript license information