Bill Tweaked in Senate: Terms of Service No Longer Terms of Felony
Yesterday, the Senate Judiciary Committee adopted an important amendment designed to ensure that civil and criminal actions under the Computer Fraud and Abuse Act (CFAA) are focused on hackers and identity thieves rather than on people who merely violate website terms of service.
The Committee adopted the amendment at a mark up of Chairman Patrick Leahy’s Personal Data Privacy and Security Act of 2011, S. 1151, a bill that addresses both data breach notification and penalties for computer criminals. The Chairman (D-Vt.) himself introduced a number of amendments in a manager’s substitute for the original bill, but perhaps the most interesting amendment to the bill was introduced by ranking member Sen. Chuck Grassley (R-Iowa), along with Sens. Al Franken (D-Minn.) and Mike Lee (R-Utah). As amended, the bill would fix a large part of the overbreadth problem in the CFAA that CDT and other groups on the left and right have recently suggested that Congress address.
As CDT and others recently wrote in a letter to the Chairman and Ranking Member:
The CFAA imposes civil and criminal liability for accessing a protected computer “without” or “in excess of” authorization, but fails to define “authorization.” This makes the definition of the precise activities that are punishable unavoidably vague. As a result of this lack of clarity, several courts have used companies’ network terms of use, which lay out contractual constraints on users’ use of those networks, to also define what constitutes criminal behavior on those networks. The consequence is that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies.
In offering the amendment, Sen. Grassley noted that there was broad support across the political spectrum for addressing the issue, particularly as it related to prosecutions based on violations of online terms of service. Recent prosecutions by a couple of U.S. Attorneys’ Offices were of particular concern, he said. He also mentioned that his amendment addresses the major concern voiced by the Department of Justice (DOJ), which had argued that government needed the flexibility provided by the broader language to prosecute certain specialized categories of government employees who access sensitive information held in government databases and who may not be prosecutable under the other prongs of the statute. In order to ensure that such prosecutions are not inhibited, the new language permits contract-based “exceeds authorization” claims by governmental employers.
Sen. Franken, the amendment’s lead co-sponsor, noted that the revised bill would prevent everyday actions from being prosecuted as felonies. More specifically, he noted that the actions of a father logging onto his son’s Facebook account to check up on him, a 17-year old clicking through a screen requiring him to be 18 to shop for clothes at an online store, or an employee checking sports scores from his corporate desktop could be considered crimes under some interpretations of current law, and noted that the amendment was intended to prevent such prosecutions from occurring.
Several other senators, including Sen. Chris Coons (D-Del.) and Sen. Amy Klobuchar (D-Minn.) also spoke in favor of the amendment and indicated their intention to vote in favor, as did Chairman Leahy, who noted that his opposition to frivolous prosecutions spurred him to support the amendment. Sen. Sheldon Whitehouse (D-R.I.), the only member to speak against the Grassley/Franken/Lee language, stated that he, too, was concerned about contractual fine print creating criminal liability, but suggested that a better approach was to have DOJ author guidelines ruling out the use of the statute in such cases. However, Sen. Grassley noted that DOJ prosecutions had already been brought under the terms-of-service theory, and insisted upon a vote. Ultimately, the amendment was approved on a voice vote, with Sen. Whitehouse and one or two other Democratic senators signaling their opposition. The Committee is expected to consider other amendments and vote to report the bill next Thursday.
The Committee did not get to complete its work on the bill’s data breach provisions due to the lack of a quorum. CDT has been working with Sen. Leahy’s staff on those issues and expects the committee will take them up again when the mark up of the bill resumes.
