July 21, 2010 | By Marcia Hofmann

Court: Violating Terms of Service Is Not a Crime, But Bypassing Technical Barriers Might Be

Good news: another federal judge has ruled that violating a website terms of service is not a crime. But there's bad news, too — the court also found that bypassing technical or code-based barriers intended to limit access to or uses of a website may violate California's computer crime law.

The decision comes in Facebook v. Power Ventures, a case in which Facebook is suing a company that offers a tool for users to access and aggregate their personal information across social networking sites. Because Facebook's terms of service don't allow users to access their information through "automated means," Facebook claimed that Power accesses its service "without permission" in violation of California Penal Code Section 502. Facebook has also argued that Power broke the law by evading Facebook's effort to block the Power browser’s IP address, which was meant to try to keep users from accessing their Facebook accounts though the Power website.

EFF filed an amicus brief in this case, urging the court to reject Facebook's computer crime claims. We argued that turning any violation of terms of use into a crime would give websites unfettered power to decide what conduct is criminal, leaving millions of Internet users vulnerable to prosecution for everyday activities.

The court agreed with our position, relying heavily on our brief. This part of the ruling is great.

Unfortunately, the court also said that Power might be liable if it changed its IP address so that its browser could continue to interoperate with the Facebook service. In other words, it may be a crime to circumvent technological barriers imposed by a website, even if those measures are taken only to enforce the terms of service through code. There's nothing inherently wrong or unlawful about avoiding IP address blocking, and there are valid reasons why someone might choose to do so, including to sidestep anticompetitive behavior by other Internet services. As long as an end user is authorized to access a computer and the way she chooses doesn't cause harm, she should be able to access the computer any way she likes without committing a crime.

Overall, yesterday's opinion is an important precedent that aligns with United States v. Drew, a decision last year finding that a woman did not violate the federal hacking law when she created a fake MySpace profile, as well as recent Ninth Circuit cases. We welcome the court's rejection of terms of service violations as triggers for criminal liability, but will continue to work to demonstrate to courts that not all technological measures are created equal. If the measure seeks to control access to or use of data, then evasion of it is almost certainly criminal. But if the restriction merely seeks to impose owner preferences or terms of service on otherwise authorized users, bypassing it should not be a crime.

As other courts look at this issue, we hope that they will agree that code-based restrictions require a very fact-specific inquiry, and will remain open to the possibility that bypassing such measures should not necessarily be criminal.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Mayweather or Pacquiao? Regardless of who wins, Internet intermediaries are the losers: https://eff.org/r.qbeb

May 1 @ 5:09pm

How private DNA data led Idaho cops on a wild goose chase and linked an innocent man to a 20-year-old murder case https://eff.org/r.3832

May 1 @ 3:08pm

We think that YouTube should celebrate its 10-year anniversary by fixing ContentID eff.org/r.lc85

May 1 @ 11:08am
JavaScript license information