Appeals Court: Violating ToS Shouldn’t Make You a Criminal
This week, the U.S. Ninth Circuit Court of Appeals ruled that it is not a federal crime to violate an employer’s computer use policy or a website’s terms of service. The opinion offers a clear expression and confirmation of our serious policy concerns regarding the Computer Fraud and Abuse Act (CFAA).
The CFAA is, as originally conceived, an important piece of federal cybersecurity policy. A broad interpretation of the statute, however – which some courts have endorsed – allows private parties to wield the authority of criminal law through their computer usage policies, thereby criminalizing commonplace Internet behaviors. As Congress considers cybersecurity proposals that amend the CFAA, we urge clarification of the CFAA’s scope to reflect the Ninth Circuit’s important opinion.
To recap: the CFAA is a federal law that imposes civil and criminal liability for an array of hacking offenses. The trouble with the law is that it’s vague and has been stretched by recent court decisions. At the crux of each CFAA violation is the act of obtaining “access” to a computer without (or in excess of) “authorization.” For example, one prong of the CFAA makes it illegal to “intentionally access a computer without authorization or exceed authorized access, and thereby obtain information.”
This prohibition clearly applies to a hacker breaking into a computer or database. But what about a person who has every right to access a computer or database, but then proceeds to use it in a way that violates a use policy, like an employer’s policy on employee computer use or a commercial website’s Terms of Service? Does the violation of the policy make the person’s access “in excess of authorization” – and therefore a violation of the CFAA?
Some courts, agreeing with the Justice Department, have held that it does. But as the Ninth Circuit explained this week, the consequences of that interpretation are dramatic and dangerous. The Ninth Circuit’s Judge Kozinsky explained that this interpretation transforms the CFAA from a hacking statute into a “sweeping Internet-policing mandate” for prosecutors.
When you surf the Internet, your access to the websites (and thus the computers delivering them) are governed by a series of private agreements, like terms of service. These are agreements of the sort that, as Judge Kozinsky said, “most people are only dimly aware of and virtually no one reads or understands.” For example, Google forbids minors from using its services; the dating website eHarmony prohibits users from supplying false or misleading information; and Facebook prohibits users from allowing other users to access their account.
Should a violation of these terms of service be considered federal crimes? Of course not. Judge Kozinsky explained it this way: “Under the government’s proposed interpretation of the CFAA … describing yourself [on a dating website] as ‘tall, dark and handsome’ when you are actually short and homely, will earn you a handsome orange jumpsuit.”
Accordingly, the Court adopted a narrow, sensible interpretation of the CFAA, holding that the “exceeds authorized access” language is limited to violations of restrictions on access to information, not to its use. This means that while hacking into a computer or database one shouldn’t have access to is a criminal offense, merely using a computer or service in an “unauthorized” way isn’t (as long as you haven’t hacked past a technological barrier).
It’s important to note that there are many other federal crimes to cover the theft and misuse of information—we don’t need the CFAA for these.
The dissent argued that the majority reasoned too broadly, writing “[t]his case has nothing to do with playing sodoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values.” Even if this is so, the dissent doesn’t dispute there are many problems with the CFAA. And it is emphatically the job of Congress to deal with them.