If you fail to comply with the fine print found within the Terms of Service of an online agreement, have you committed a crime? That is the troubling question raised by increasingly broad interpretations of the acts sufficient to trigger a criminal action (or civil claim) under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
In an interesting post entitled “Lie about your age … Steal a trade secret … It’s all criminal,” the Non-Compete Trade Secrets blog posits that failing to follow some of the broadly written and mundane Terms of Service provided by many websites could, in the wrong circumstances, be enough to justify an indictment by an overzealous prosecutor.  Orin Kerr, professor and author of the Volokh Conspiracy Blog, has also written about the potential for abuse in his blog and in a recent op-ed piece in the Wall Street Journal.  Their concerns arise from recent decisions expanding one of the critical prongs of the CFAA — whether a defendant “exceeded authorized access” of a protected computer.
The most noteworthy of these decisions is the Ninth Circuit’s recent holding in U.S. v. Nosal,  642 F.3d 781 (9th Cir. Apr. 28, 2011).  In that case, the Ninth Circuit held that the violation of a computer use policy that placed “clear and conspicuous restrictions on the employees’ access” to the employer’s computer system and the specific data at issue could be enough to qualify as conduct that exceeded authorized access. The Northern District of California has since applied Nosal’s reasoning to online agreements, at least in a civil dispute between commercial parties. In Facebook v. MaxBounty, Case No. CV-10-4712-JF (N.D. Cal, Sept. 14, 2011), that district court found that a violation of Facebook’s terms of use could qualify as access without authorization under the CFAA.
It’s not just lawyers musing about the implications of these decisions. Even the Wall Street Journal has chimed in, expressing concern that the proliferation of online agreements that many of us mindlessly click and accept could trigger a violation of the CFAA. For example, supplying the wrong age, height or weight in a profile for a dating website might qualify as a violation of the CFAA because you may have agreed not to provide inaccurate or misleading information to the website. And this does not even account for the fact that many of these online agreements reserve the right for the provider to change those Terms of Service without notice at their discretion.
Naturally, federal prosecutors dismiss such fears.  According to the WSJ, Richard W. Downing, deputy chief of the Computer Crime & Intellectual Property Section at the Justice Department’s Criminal Division recently testified that such fears were “unsubstantiated.” According to Downing, the Justice Department would not “expend its limited resources on trivial cases such as prosecuting people who lie about their age on an Internet dating site.” The problem, however, is that not that prosecutors will pursue everyone, but that they have the discretion to pursue anyone.
The tide may be turning. While Nosal was initially applauded by many in the trade secret community because it would bolster employers’ protections under the CFAA, libertarian groups such as the Electronic Frontier Foundation argued that Nosal could criminalize the very acts outlined above as violations of broadly written Terms of Service. Perhaps as a result of those arguments, the Ninth Circuit indicated on October 27, 2011 that it will rehear Nosal en banc and noted that in the meantime Nosal was not to be used as precedent in the meantime.
I have to agree with the commentators on this one.  Isn’t the correct question what did Congress intend to prohibit when it enacted the CFAA?  I have not burrowed into the legislative history, but is difficult to imagine that the CFAA was supposed to govern a consumer’s failure to follow the fine print in an online licensing or terms of use agreement.