Clarifying the Computer Fraud and Abuse Act

A federal court has ruled that violating a website’s terms of service is not “hacking” under the Computer Fraud and Abuse Act.

The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have terms of service prohibiting users from supplying fake information, and the researchers worried that their research could expose them to criminal liability under the CFAA, which makes it a crime to “access a computer without authorization or exceed authorized access.”

So in 2016 they sued the federal government, seeking a declaration that this part of the CFAA violated the First Amendment.

But rather than addressing that constitutional issue, Judge John Bates ruled on Friday that the plaintiffs’ proposed research wouldn’t violate the CFAA’s criminal provisions at all. Someone violates the CFAA when they bypass an access restriction like a password. But someone who logs into a website with a valid password doesn’t become a hacker simply by doing something prohibited by a website’s terms of service, the judge concluded.

“Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature,” Bates wrote.

Bates noted that website terms of service are often long, complex, and change frequently. While some websites require a user to read through the terms and explicitly agree to them, others merely include a link to the terms somewhere on the page. As a result, most users aren’t even aware of the contractual terms that supposedly govern the site. Under those circumstances, it’s not reasonable to make violation of such terms a criminal offense, Bates concluded.

This is not the first time a court has issued a ruling in this direction. It’s also not the only way the courts have interpreted the frustratingly vague Computer Fraud and Abuse Act.

EDITED TO ADD (4/13): The actual opinion.

Posted on March 31, 2020 at 7:51 AM | 10 Comments

Comments

La Abeja March 31, 2020 12:20 PM

A federal court has ruled that violating a website’s terms of service is not “hacking” under the Computer Fraud and Abuse Act.

Webmasters who impose such terms and conditions are generally responsible for enforcing them with the appropriate technical means — without gratuitous service of legal process — in order to prevent the alleged abuse from taking place in the first place, rather than suing for it after the fact in hopes of a profit as a “way of doing business” through the courthouse.

It is usually the owner of the website or business, not the visitors or customers, who should be concerned with accusations of fraud.

I do not wish to patronize any kind of “store” or “shop” that has me effectively blacklisted and accused of shoplifting before I ever set foot on their damned brick-and-mortar property.

I suspect that the flood of junk terms and conditions is coming from the Las Vegas / Santa Cruz / SCO tech Mafia. Such voluminous T&C are usually intended to enforce the vice of the porno industry in districts of legal prostitution, legal marijuana, etc., etc.

Children and mentally disabled people have to be allowed to use the internet without disclosing too much identifying information about themselves or getting themselves in trouble with the law.

Clive Robinson March 31, 2020 2:46 PM

@ Bruce, ALL,

It’s also not the only way the courts have interpreted the frustratingly vague Computer Fraud and Abuse Act.

I would say that the “frustratingly vague” act is written quite deliberately that way.

Thus those whose job it is to prosecute, have a much larger target area to score in.

There is no excuse for such legislation, if the law cannot be made specific thus fit for purpose[1] then it should not be made at all. Otherwise we end up with “You are guilty because I say you are” legislation, of which there is way too much in the US already (think the “lying to federal officers” catch-all the FBI so frequently tack on).

[1] One of the founding rules of legislation is that it should provide clear guidance to all. That is there should be no doubt when and when not you have transgressed or will transgress. To make a piece of legislation such that people have to go to court to get clarification really means that the law should be struck down, not in part but in whole, because it’s failed in its primary purpose.

La Abeja March 31, 2020 5:16 PM

One of the founding rules of legislation is that it should provide clear guidance to all. That is there should be no doubt when and when not you have transgressed or will transgress.

That is, or would have been, the 6th Amendment right of the accused “to a speedy and public trial, by an impartial jury of the state and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation …” There should have been no conviction in cases where an impartial jury would have had reasonable doubts.

To make a piece of legislation such that people have to go to court to get clarification really means that the law should be struck down, not in part but in whole, because it’s failed in its primary purpose.

They explicitly include a boilerplate “severability” clause in every piece of legislation they pass, to prevent the whole law from being struck down if portions of it happen to be ruled unconstitutional in certain specific cases by “errant” “lower” courts.

Another standard boilerplate clause is always included as well, to ensure that the operative clauses of the law are always enforced to the last jot and tittle, regardless of its stated purpose, inferred intent, or jurisdictional pursuance of the U.S. Constitution.

Any review of the pursuance of federal, state, and local legislation to the U.S. Constitution has heretofore been too little too late to prevent the gross and cumulative misconstruction and horrific abuse of power especially by state and local governments to systematically deny and disparage the Constitutional, civil, and human rights of the people, on an unprecedented global scale.

Dysnomia March 31, 2020 6:56 PM

I think it’s very scary that it requires a court ruling to say that, if you’re 45 years old and falsely claim on Facebook that you’re 39 because you want to seem younger, you can’t be charged with a felony for that.

In addition to how vague the statute is and how it makes every webmaster a legislature of one, it also makes felons of everybody. Everybody who uses the internet is guilty of violating some terms of service or another. When everybody’s guilty, the executive can selectively enforce the law and go after whoever they want.

This reminds me of the Lori Drew / Megan Meier case, where a woman made a fake Myspace account and cyberbullied a girl who ended up committing suicide, and the woman was charged under the CFAA on the grounds that creating that fake Myspace account made her a hacker.

La Abeja March 31, 2020 10:31 PM

@Dysnomia

if you’re 45 years old and falsely claim on Facebook that you’re 39 because you want to seem younger, you can’t be charged with a felony for that.

Felony or registered sex offender or something like that usually just means male.

hxxps://www.bop.gov/about/statistics/statistics_inmate_gender.jsp

Because if a lady is looking at guys’ mugshots on Facebook because she wants an older guy to date, but he’s too old, then of course she reserves the right to press charges — and of course Facebook, Twitter, Instagram are required to follow suit and ban the guy to hell pursuant to a Title IX // VAWA civil restraining order to protect her equal rights while the cops put him in prison with all the other bad guys, and make sure his gun rights are revoked for the rest of his life and he’s never allowed to have contact with kids.

So what kind of dumbass posts his own mugshot on the FBI’s most wanted pages or the Crimestoppers Amber Alert missing kids social network?

Or if a man is ≥18 and gets Facebooked into jail by a girl ≤17, how is city hall planning to protect the rest of the underage female population from him after he’s served his sentence and gets out of federal prison?

Better yet, just move on from Facebook to LinkedIn, polish your résumé and go to work. No shit. Go figure.

Curious April 1, 2020 6:18 AM

Hrm, I thought I had already posted here last night:

I wonder, are US “acts” typically just pieces of text strung together by various parties and interpreted “as is”, or is it common, or even possible, that such “acts” are subject to pre-existing studies, analysis, or other forms of elaboration and consideration as separate documents?

Now that I think about it, if an “act” is a bipartisan thing, then perhaps there is no analysis done on a text beforehand because the resulting text is by design maybe always meant to be a political document (as opposed to something academic and subject to review).

A dubious person April 1, 2020 11:57 PM

Bruce, why didn’t you link to the actual opinion? All by itself it’s far more informative (and MUCH better written) than the Ars article. (One link, from El Reg: hxxps://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2016cv1368-67)

The opinion notes that the federal circuits are split on their interpretations of the vague wording in the relevant CFAA sections. Unless I’m greatly mistaken, it doesn’t bind any of the dissenting circuits – I’m pretty sure only a Supreme Court opinion can do that – so it would only apply to this particular case (Sandvig v Barr). That makes it nothing like the magic bullet against criminal prosecution for violating bullshit T&Cs that it’s being presented as.

The opinion also contains what I feel are pretty sketchy analogies between information systems and real property, in addition to a naive focus on “a computer” rather than the kind of complex distributed systems, likely crossing many different domains, that underlie modern web services. So while I think the opinion seems a good thing overall I suspect it’s full of whopping great loopholes, all ripe for exploitation.

Globaltel April 2, 2020 11:53 PM

Thanks for the clarification regarding the violating a website’s terms of service is not “hacking” under the Computer Fraud and Abuse Act. I always thought that kind of case is under the computer fraud act. Thanks for sharing this helpful information.

A dubious person April 6, 2020 5:24 PM

@Mod: the preceding comment from “Globaltel” is spamvertising.

@All:

While browsing bleepingcomputer to research the “malware damages computers” link I noticed a headline stating that the US DOJ is now threatening criminal prosecution for Zoombombing. I thought that might relate to this subject, since some instances of Zoombombing will likely devolve to terms-of-service violations. I can’t confirm that they would attempt to use CFAA in such a situation; the press release published on the DOJ website (linked to from the bleepingcomputer article, I won’t include the link here) merely lists “computer intrusion” as one potential charge:

Charges may include – to name just a few – disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications. All of these charges are punishable by fines and imprisonment.

A dubious person April 30, 2020 5:44 PM

A Register item datelined April 20 [1] suggests that the US Supreme Court has granted cert to a request to resolve longstanding inconsistencies in how various concepts in CFAA have been interpreted by different federal districts.

So it looks like the federal court ruling noted originally by OGH is, as I suggested at the time, not so much a “clarification” as just one more statement of principle from one of many participants in an ongoing debate.

(I’ll also post this to the latest Squid so that nobody has to dig back through OGH’s archives to see it. Just wanted to have a copy here with the original article.)

I am quite curious as to how this will turn out. I don’t have confidence that I’ll agree with whatever decision they come up with, but having a uniform theory of prosecution would at least be a good start.

Apologies in advance for only having a slightly stale El Reg article on this; if I can find anything better (like a link to US court documents) I’ll add that.

  1. h t t p s://www.theregister.co.uk/2020/04/20/supreme_court_cfaa/
