Today, a subcommittee of the Committee on the Judiciary heard some fascinating testimony about the Computer Fraud and Abuse Act (CFAA). (We know what that sounds like, but bear with us.)
The hearing, titled "Cyber Security: Protecting America's New Frontier," really focused on big cyber threats to the country's infrastructure, but another, juicier question came out of it: Under the Justice Department's preferred interpretation of a current law, lying on the Internet would amount to a crime.
Richard Downing, deputy chief of the Computer Crime and Intellectual Property Section at the Department of Justice, argued that in order to properly protect the country, the part of the CFAA that says a person must exceed their "authorized access" to break the law should include a violation of the terms of service.
Here's how Downing put it in his testimony:
"These are just a few cases, but this tool is used routinely. The plain meaning of the term 'exceeds authorized access,' as used in the CFAA, prohibits insiders from using their otherwise legitimate access to a computer system to engage in improper and often malicious activities. We believe that Congress intended to criminalize such conduct, and we believe that deterring it continues to be important. Because of this, we are highly concerned about the effects of restricting the definition of 'exceeds authorized access' in the CFAA to disallow prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider."
In English? When you sign up for a Web service, whether a dating site or just the ability to comment on NPR.org, you usually agree to lengthy terms of service that we bet most people don't even read. Under the interpretation the DOJ wants, breaking any of those terms would constitute a crime.
Orin Kerr, a professor of law at George Washington University, also testified at the hearing and put it more concretely:
"In the Justice Department's view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable. Routine computer use should not be a crime. Any cybersecurity legislation that this Congress passes should reject the extraordinarily broad interpretations endorsed by the United States Department of Justice."
CNET, which broke this story yesterday, reports that the CFAA "has been used by the Justice Department to prosecute a woman, Lori Drew, who used a fake MySpace account to verbally attack a 13-year-old girl who then committed suicide. Because MySpace's terms of service prohibit impersonation, Drew was convicted of violating the CFAA. Her conviction was later thrown out."
CNET also reports on opposition to the interpretation:
A letter (PDF) sent to the Senate in August by a left-right coalition including the ACLU, Americans for Tax Reform, the Electronic Frontier Foundation, and FreedomWorks warns of precisely that. "If a person assumes a fictitious identity at a party, there is no federal crime," the letter says. "Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. This is a gross misuse of the law."
Downing defended the government's position in his prepared statement. He said that while the government appreciates the concern that a wide interpretation of the law would allow prosecutions of "mere" violations of a website's terms of service, "we are concerned that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution."
Update at 3:39 p.m. ET. An Example:
Just as an example, here's a bit from Facebook's Terms of Service:
- You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
- You will not create more than one personal profile.
- If we disable your account, you will not create another one without our permission.