Clarifying the Computer Fraud and Abuse Act
A federal court has ruled that violating a website’s terms of service is not “hacking” under the Computer Fraud and Abuse Act.
The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have terms of service prohibiting users from supplying fake information, and the researchers worried that their research could expose them to criminal liability under the CFAA, which makes it a crime to “access a computer without authorization or exceed authorized access.”
So in 2016 they sued the federal government, seeking a declaration that this part of the CFAA violated the First Amendment.
But rather than addressing that constitutional issue, Judge John Bates ruled on Friday that the plaintiffs’ proposed research wouldn’t violate the CFAA’s criminal provisions at all. Someone violates the CFAA when they bypass an access restriction like a password. But someone who logs into a website with a valid password doesn’t become a hacker simply by doing something prohibited by a website’s terms of service, the judge concluded.
“Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature,” Bates wrote.
Bates noted that website terms of service are often long, complex, and change frequently. While some websites require a user to read through the terms and explicitly agree to them, others merely include a link to the terms somewhere on the page. As a result, most users aren’t even aware of the contractual terms that supposedly govern the site. Under those circumstances, it’s not reasonable to make violation of such terms a criminal offense, Bates concluded.
This is not the first time a court has issued a ruling in this direction. It’s also not the only way the courts have interpreted the frustratingly vague Computer Fraud and Abuse Act.
EDITED TO ADD (4/13): The actual opinion.
La Abeja • March 31, 2020 12:20 PM
Webmasters who impose such terms and conditions are generally responsible for enforcing them with the appropriate technical means — without gratuitous service of legal process — in order to prevent the alleged abuse from taking place in the first place, rather than suing for it after the fact in hopes of a profit as a “way of doing business” through the courthouse.
It is usually the owner of the website or business, not the visitors or customers, who should be concerned with accusations of fraud.
I do not wish to patronize any kind of “store” or “shop” that has me effectively blacklisted and accused of shoplifting before I ever set foot on their damned brick-and-mortar property.
I suspect that the flood of junk terms and conditions is coming from the Las Vegas / Santa Cruz / SCO tech Mafia. Such voluminous T&C are usually intended to enforce the vice of the porno industry in districts of legal prostitution, legal marijuana, etc., etc.
Children and mentally disabled people have to be allowed to use the internet without disclosing too much identifying information about themselves or getting themselves in trouble with the law.