Wednesday, November 6, 2013

Even Reprehensible Terms of Service Violations Do Not Yield CFAA Claim

Although the Computer Fraud and Abuse Act frequently has been described as extremely broad in reach, it's also important to recognize its limitations.

One of the most substantive, sweeping limitations involves potential violations of website "Terms of Use" or "Terms of Service." Largely as a result of the case law that has developed out of the Ninth Circuit Court of Appeals, courts have recognized that pursuing a CFAA claim (or prosecuting a CFAA crime) on the basis of TOS violations poses significant problems.

The CFAA, somewhat famously, prohibits access to a protected computer without authorization or (critically) in a manner that "exceeds authorized access." Shoehorning a TOS violation into the "exceeds authorized access" framework has caused a great deal of handwringing among academics, prosecutors, defense attorneys, and judges.

The most well-known case involved Lori Drew, the MySpace Mom who created a fake account to contact a 13-year-old girl with whom her daughter was friends. The girl later committed suicide after corresponding with a person she thought to be a 16-year-old boy, the identity Drew assumed online with the fake account. After the U.S. Attorney's Office prosecuted Drew under the CFAA for a TOS violation, the district court judge threw out the conviction and held that the CFAA - as applied in the case - was void for vagueness. (Professor Orin Kerr represented Drew in this case.)

A similar dust-up ensued in an Oregon middle school recently, when a number of students created fake Facebook and Twitter accounts under the name of their assistant principal, Adam Matot. The students would then invite children to be friends with "Matot", and upon receiving an acceptance of the invitation, they would send the children obsene material (including pornographic images).

Matot's grievance, however sympathetic, simply did not state a CFAA claim for many of the same reasons the government couldn't maintain a conviction against Drew. The TOS violation, under Ninth Circuit law (Matot filed suit in Oregon), was not enough to demonstrate that the children exceeded their authorized access to a computer, since that statutory term restricts only access to a protected computer - not the misuse of information contained within the protected computer.

It is important to remember what function website terms of service play in commerce. As Professor Kerr mentioned in testimony before the U.S. House of Representatives, "[c]ompanies write those [TOS] conditions broadly in part to avoid civil liability if a user of the computer engages in wrongdoing....Those terms are not designed to carry the weight of criminal liability."

The same analysis generally will apply to civil claims involving the CFAA. In a majority of federal jurisdictions, courts will look at whether an individual had permission to use a protected computer in the first place and will not focus on whether the individual's use of information was wrongful.

No comments:

Post a Comment