Last Friday’s news that Lori Drew (neighbor who posed on MySpace as potential teenage boyfriend) was being indicted under the Computer Fraud and Abuse Act represents yet another cyberlaw constitutional moment. Once again, we’re pressing laws intended to address X problem into service mending Y dispute. This time, however, the law is more sweeping than we might like to admit. In fact, courts have already read the CFAA to stretch awfully far – including to violations of agreements *not* found in the Terms of Service on a particular web site. The relevant question: Is this appropriate?
Background: As the news reports make clear, the CFAA was originally designed to address hacking of federal computers or financial industry systems. It was broadened in 1984 to add civil remedies (so anyone can use it, not just prosecutors), broadened again in 1996 to cover any protected computer (which essentially means any computer in interstate commerce – so any computer attached to the internet), and then broadened yet again in 2001 to include any computer outside the US that communicates with the US. So this is a statute that has migrated from protecting government computers to protecting all possible computers.
It’s a violation of the CFAA to (1) intentionally access a protected computer without authorization and (2) cause damage that adds up to at least $5,000. (Take a look at 18 U.S.C. Sec. 1030(a)(5)(A)(iii).) It’s very easy to come up with $5K in damages – you can use fees paid to consultants, or the cost of responding to the offense. Given the attention to the Myspace suicide, the company won’t have a problem showing damages. (I know this seems odd, but the damages don’t have to be directly related to fixing the actual break-in.)
What’s the break-in? The statute was written with classic hacking behavior in mind – guessing passwords, monkeying with files, etc. But here the “hack” is (apparently) to intentionally violate the Terms of Service posted by MySpace, which prohibit users from lying to MySpace or using their accounts to harrass other users. Here, the neighbor arguably breached these terms by saying she was a teenage boy and harrassing her teenage neighbor.
This may seem nuts to you. It does to many of us. A civil litigant can paint his/her opponent as a quasi-*criminal* by showing that he/she has violated some form contract on a site. Even odder things have happened under the CFAA.
For example, in EF Cultural Travel BV v. Explorica, Inc. (2001, 1st Circuit), an incumbent travel site upset that a former employee had scraped the site for pricing information sued under the CFAA, claiming that the former employee’s breach of a broad confidentiality agreement with the incumbent made his access to the site for scraping purposes an act that “exceeded authorized access.”
The argument in this case, as in lots of former-employee cases under the CFAA, is that employees “exceed authorization” to employer databases when they access them for purposes of serving new ventures. In Explorica, the argument seems to reach even further – that access to *public sites* with knowledge of how they work (in this case, where the pricing information is available) may amount to “unauthorized access.”
There’s an AOL Terms of Service case, AOL v. LCGM, Inc. (EDVA 1998), that says that use of an email address extractor program in AOL chat rooms violated the AOL terms and therefore was “unauthorized” under the CFAA.
What a litigation tool! The CFAA is extraordinarily powerful. You can bring a “theft of trade secrets case” under the CFAA without proving that you ever actually had a trade secret (which has to have value because it’s secret). Because everything is now stored on a computer, the CFAA gives a federal forum and a federal claim for an infinite array of disputes. It’s like a civil RICO for our era – expansive and powerful, and now quite popular.
Hard questions. The implications of the CFAA for the free flow of information across a globally-interconnected network are profound. Who gets to decide what “terms” are enforced by using the CFAA? Can a plaintiff just decide who gets to access “his” computer, and for what purposes? Is there any limitation to the coverage of the CFAA – some boundary of “reasonable expectations” of the site “owner”? Here, shouldn’t Myspace have anticipated that people would fudge in setting up their accounts?
Should the CFAA be used to shut down speech, as this indictment suggests?
Unless the CFAA is amended, it will continue to be used in this way. Its definitions are extraordinarily broad. Everything is a “protected computer,” losses of $5K are incredibly easy to prove, and it’s simple to slap up an anti-competitive, anti-speech set of online terms. We need some better legislative explanation of what “unauthorized access” or “exceeding authorization” mean.
This is a “bad facts” case – a suicide, a stunned populace, and a yearning for revenge are shaping interpretation of a broad federal statute. The problem is that some courts have already reached the conclusion that the CFAA can be used for almost any perceived online infraction.