[Editors Note: This is one in a of series of blog posts from CDT on the Cybersecurity Act, S. 3414, a bill co-sponsored by Senators Lieberman and Collins that is slated to be considered on the Senate floor soon.]
Congress is about to decide whether it is a crime to violate terms of service governing your use of Gmail, Facebook, Hulu, or any other on-line service.
One of the amendments to the Cybersecurity Act that the Senate is likely to take up this week would substantially increase already severe penalties for violations of the Computer Fraud and Abuse Act (CFAA), an important law designed to prevent malicious computer activity, such as hacking. The amendment would eliminate provisions setting lower sentences for first time offenders, establish mandatory minimum sentences for many offenders, make computer crimes “racketeering” predicates, and subject homes to civil asset forfeiture for computer crimes committed inside. The problem is, there is widespread agreement that the statute is already overly broad, sweeping in common online conduct, and the Department of Justice has interpreted it in a way that turns many – maybe most – Internet users into potential criminals.
A fix has been proposed, but the Justice Department is opposing it. The DOJ wants all the enhanced penalties, without narrowing the scope of the bill to focus on true hacking.
The CFAA makes it a crime to use a computer “in excess” of “authorization.” This has been read to mean that it is illegal to use a computer in a manner that violates contractual agreements. People regularly use websites with broad and ambiguous “Terms of Service” prohibitions, and violations of terms of service are commonplace. For example, Gmail’s Terms of Service bar users younger than age 13, but there is little doubt that thousands of pre-teens lie about their age so they can use Gmail. Under the reading of the Justice Department, they are all criminals and should be subject to the law’s harsh penalties.
As another example, the 150 million users of Facebook in the U.S. agree to a Statement of Rights and Responsibilities that ban:
• Accessing someone else’s Facebook account, even with their permission
• Sharing your Facebook password, or letting anyone else access your account
• Posting any false personal information on Facebook
• Using Facebook “to do anything malicious”
• Using Facebook “to do anything misleading”
Any of these actions would constitute a computer use that is in excess of authorization. As such, in the view of the Department of Justice, each action is a candidate to prosecuted as a federal crime punishable by a fine, asset forfeiture, or prison time.
Fortunately, lawmakers are attempting correct this problem, and ensure that Americans cannot be charged with a felony for actions that merely violate a website’s Terms of Service. In September, the Senate Judiciary Committee adopted unanimously an amendment by Senators Grassley (R-IA), Franken (D-MN) and Lee (R-UT) to fix the statute so that most terms of service violations are not CFAA crimes. Organizations and individuals from across the philosophical spectrum endorsed their amendment.
The Grassley/Franken/Lee language has been incorporated into the larger CFAA amendment mentioned earlier, which Senator Patrick Leahy has proposed to the Cybersecurity Act, soon to be taken up by the Senate.
Weighing in on the issue are a group of individuals and organizations from across the philosophical spectrum; CDT is among that group. The group sent a letter today to Senate leadership highlighting the flaws noted earlier and asking that, should the Leahy CFAA come to a vote, that it include the Grassley/Franklin/Lee provisions, which they called “an important step forward for security and civil liberties.”
However, the Justice Department is trying to strip out the common-sense amendment of Senators Grassley, Franken and Lee. The CFAA is an important law, but Congress should make sure that it does not criminalize fibbing about your age on the Internet.