Rebooting Computer Crime Law Part 1: No Prison Time For Violating Terms of Service
In the wake of social justice activist Aaron Swartz's tragic death, Internet users around the country are taking a hard look at the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. As we've noted, the CFAA has lots of problems. In this three-part series, we'll explain these problems in detail and why they need to be fixed. For more details about our proposal for CFAA reform, see part 2 and part 3.
Here is the CFAA's greatest flaw: the law makes it illegal to access a computer without authorization or in a way that exceeds authorization, but doesn't clearly explain what that means. This murkiness gives the government tons of leeway to be creative in bringing charges.
For example, overzealous prosecutors have gone so far as to argue that the CFAA criminalizes violations of private agreements like an employer's computer use policy or a web site's terms of service. Thankfully, some federal courts have recognized the absurdity of this argument, but Congress needs to fix the law to make it crystal clear. Vague laws are dangerous precisely because they give prosecutors and courts too much discretion to arbitrarily penalize normal, everyday behavior.
So, under the government's theory, what innocuous activities could the CFAA criminalize? Here are a few things that could violate the CFAA under the government's misguided interpretation of the law:
- Lying about your age on Facebook. Facebook's Rights and Responsibilities make users promise not to "provide any false personal information on Facebook." So don't even think about RSVPing to an event you can't attend, or posting a misleading status update, or telling people you're married when you're not. These are all activities that could violate Facebook's terms, and have you facing a years-long prosecution if the government decides to make an example of you.
- Saying you're "tall, dark and handsome" on Craigslist when you're actually short and homely. Under Craigslist's Terms of Service, a user can't post "false or fraudulent content" on the site. And that's not all. Flagging something multiple times or encouraging others to flag content is also a violation of terms—not exactly the sort of dangerous activity the CFAA was meant to criminalize.
- Buying a lotto ticket with Square. Square's Wallet User Agreement bans tons of different types of transactions, from making purchases "in connection with" membership clubs, identity theft protection services, lotto tickets or "occult materials." Does that mean you can't use Square to buy copies of the Twilight books? Only Square and federal prosecutors could tell you for sure.
- Posting impolite comments on the New York Times' Web Site. The New York Times has an almost Victorian Terms of Service (1/24/13), which admonishes users to "be courteous" and "use respectful language" and "debate, but don't attack." So before you engage in a late night impassioned discussion in a comment thread on an article, check to make sure your language doesn't edge into "impolite" and land you in the Big House.
- Using Hootsuite to update your Google Plus page. The social media management tool Hootsuite lets users manage their Twitter and Facebook accounts, and it has been happily promoting its new Google Plus integration. But be wary: Google's Terms of Service warn that you mustn't "misuse our Services" and specifically cautions that users should not "try to access them using a method other than the interface and the instructions that we provide." Since Google doesn't provide Hootsuite, using the Hootsuite dashboard to update your Google Plus account could be cause for criminal liability.
- Sending a sexy message on eHarmony. eHarmony may be about finding love, but don't even think about sending a sexually suggestive missive to someone through the service. eHarmony's Terms of Service ban individuals from using the service to send messages that are "sexually oriented." The terms also ban users from submitting content that is "off-topic" or "meaningless." So, stay focused but not too sexy in your eHarmony communications or your search for love might attract the attention of a government prosecutor.
Internet users shouldn't live in fear that they could face criminal liability for mere terms of service violations—especially given that website terms are often vague, lopsided and subject to change without notice. Security testing, code building, and free speech—even if unabashedly impolite—are fundamental parts of the Internet's character. Supporting these types of innovation helps keep the Internet dynamic and interactive. Regardless of whether you think that people ought to send sexy messages on eHarmony or post impolite comments on NYTimes.com, one thing is certain: violating a private agreement or duty should not carry the grim shadow of criminal liability. No one should face criminal charges, go to jail, or face fines as a result of a contractual violation like using a pseudonym on Facebook.
Representative Zoe Lofgren (D-CA) has started the conversation and advocacy groups like Demand Progress have joined us in working to fix the vague, dangerous and overly punitive sections of CFAA that were misused to persecute Aaron Swartz. Please join EFF in calling on Congress to fix the glaring problems with CFAA by sending an email to Congress now.