Understanding the Computer Fraud and Abuse Act: can you go to jail for violating a clickthrough agreement?

The Computer Fraud and Abuse Act (CFAA) is a creaking, 1986-vintage US anti-hacking law. It makes it a felony to "exceed authorized access" on a computer you don't own, and some federal prosecutors (including Carmen Ortiz, who prosecuted Aaron Swartz) claim that this means that any time you violate the terms of service on website, that you commit a felony and can be imprisoned.

The Electronic Frontier Foundation has published detailed, user-friendly documentation for the CFAA, including the relevant case-law. It's a must-read for anyone who cares about justice in the 21st century. We click through dozens of impossible terms-of-service every day, and if violating them is a felony, we'll all vulnerable to threats of a long sentence.

The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is an amendment made in 1986 to the Counterfeit Access Device and Abuse Act that was passed in 1984 and essentially states that, whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication shall be punished under the Act. In 1996 the CFAA was, again, broadened by an amendment that replaced the term “federal interest computer” with the term “protected computer.”18 U.S.C. § 1030. While the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and to address federal computer offenses, an amendment in 1994 allows civil actions to brought under the statute, as well.

Computer Fraud and Abuse Act (CFAA) (Thanks, Julian!)

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: aaronsw • eff • happy mutants • law • security • usausausa

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

hartboy

“some federal prosecutors (including Carmen Ortiz, who prosecuted Aaron Swartz) claim that this means that any time you violate the terms of service on website, that you commit a felony”

Do you have a citation showing Ortiz claims this?
- Paul Renault
  
  From the EFF CFAA info page (the clickable link above:
  ”The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is an amendment made in 1986 to the Counterfeit Access Device and Abuse Act that was passed in 1984 and essentially states that, whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication shall be punished under the Act.” [ emphasis mine]
  
  Given that the terms of service define what access is authorized, whatever other reason(s) did Ortiz charge Swartz, if not for violating the terms of service?
  - hartboy
    
    You can read the indictment yourself to see the other reasons.
    
    Orin Kerr has also written recently on this topic: http://www.volokh.com/2013/02/18/no-aaron-swartz-was-not-charged-with-violating-jstors-terms-of-service/
http://twitter.com/digitalArtform Joseph Francis

So you can commit a felony by exceeding authorized access to your own computer.

Awesome.

By the way – you are not authorized to click this link
Ipo

I always cross my fingers when I click “I agree”, so it doesn’t count.
jansob1

“Show me the man and I’ll find you the crime.” Beria

This is not an oversight or a mistake…it’s quite intentional. It makes sure the govt can find a “legitimate” crime to charge ANYONE with if they need to ruin them.
That_Anonymous_Coward

But when the government does it, its no big deal.
Heevee Lister

“if the President does it, it is not a crime.”
— Richard Nixon
sirgoofs

Retroactive policing… welcome to the digital age, where everyone is a criminal, waiting to be charged for crimes they didn’t know they were committing. The data is being collected and stored, you’re already guilty.
class_enemy

Here’s your problem (from the EFF link)

Congress did not define the phrase ‘without authorization,’ perhaps assuming that the words speak for themselves.

When Congress does not define the “crime”, leaving it up to bureaucrats and prosecutors, abuse is guaranteed.

Failure for the criminal act to be explicitly defined in the legislation should be automatic grounds for acquittal or ideally non-prosecution.

I would certainly acquit if on the jury for any undefined crime.
- sirgoofs
  
  But how much would it cost the accused to defend themselves?
CygnusXII

So in effect they’ll be able to criminalize just about every net user that has joined a forum, or any other type of site that has a TOS to join? I mean everyone crosses a line somewhere eventually and runs afoul of a mod, or a censor, or a TOS term eventually, even if it was by accident. Isn’t that the purpose though? They criminalize everyone so that they can justify exceptional measures and take control of everything and place gatekeepers in place that we all have to buy into, to have net access.
http://www.facebook.com/bkort Barry Kort

Here is a case where FBI agents clearly “exceeded authorization” of a protected system (their government-issued BlackBerry devices) and were sanctioned for it. But they were not indicted under CFAA or branded felons. They only lost one or two week’s pay.

“FBI battling ‘rash of sexting’ among its employees.”

“When you are given an FBI BlackBerry, it’s for official use. It’s not to text the woman in another office who you found attractive or to send a picture of yourself in a state of undress. That is not why we provide you an FBI BlackBerry.” ~FBI Assistant Director Candice Will