Understanding the Computer Fraud and Abuse Act: can you go to jail for violating a clickthrough agreement?

The Computer Fraud and Abuse Act (CFAA) is a creaking, 1986-vintage US anti-hacking law. It makes it a felony to "exceed authorized access" on a computer you don't own, and some federal prosecutors (including Carmen Ortiz, who prosecuted Aaron Swartz) claim that this means that any time you violate the terms of service on website, that you commit a felony and can be imprisoned.

The Electronic Frontier Foundation has published detailed, user-friendly documentation for the CFAA, including the relevant case-law. It's a must-read for anyone who cares about justice in the 21st century. We click through dozens of impossible terms-of-service every day, and if violating them is a felony, we'll all vulnerable to threats of a long sentence.

The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is an amendment made in 1986 to the Counterfeit Access Device and Abuse Act that was passed in 1984 and essentially states that, whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication shall be punished under the Act. In 1996 the CFAA was, again, broadened by an amendment that replaced the term “federal interest computer” with the term “protected computer.”18 U.S.C. § 1030. While the CFAA is primarily a criminal law intended to reduce the instances of malicious interferences with computer systems and to address federal computer offenses, an amendment in 1994 allows civil actions to brought under the statute, as well.

Computer Fraud and Abuse Act (CFAA) (Thanks, Julian!)

13

  1. “some federal prosecutors (including Carmen Ortiz, who prosecuted Aaron Swartz) claim that this means that any time you violate the terms of service on website, that you commit a felony”

    Do you have a citation showing Ortiz claims this?

    1. From the EFF CFAA info page (the clickable link above:
       “The Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, is an amendment made in 1986 to the Counterfeit Access Device and Abuse Act that was passed in 1984 and essentially states that, whoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication shall be punished under the Act.” [ emphasis mine]

      Given that the terms of service define what access is authorized, whatever other reason(s) did Ortiz charge Swartz, if not for violating the terms of service?

      1. You can read the indictment yourself to see the other reasons.

        Orin Kerr has also written recently on this topic: http://www.volokh.com/2013/02/18/no-aaron-swartz-was-not-charged-with-violating-jstors-terms-of-service/

  2. “Show me the man and I’ll find you the crime.”  Beria

    This is not an oversight or a mistake…it’s quite intentional. It makes sure the govt can find a “legitimate” crime to charge ANYONE with if they need to ruin them.

  3. “if the President does it, it is not a crime.” 
                           — Richard Nixon

  4. Retroactive policing… welcome to the digital age, where everyone is a criminal, waiting to be charged for crimes they didn’t know they were committing.  The data is being collected and stored, you’re already guilty.

  5. Here’s your problem (from the EFF link)

    Congress did not define the phrase ‘without authorization,’ perhaps assuming that the words speak for themselves.

    When Congress does not define the “crime”, leaving it up to bureaucrats and prosecutors, abuse is guaranteed.

    Failure for the criminal act to be explicitly defined in the legislation should be automatic grounds for acquittal or ideally non-prosecution.

    I would certainly acquit if on the jury for any undefined crime.

  6. So in effect they’ll be able to criminalize just about every net user that has joined a forum, or any other type of site that has a TOS to join? I mean everyone crosses a line somewhere eventually and runs afoul of a mod, or a censor, or a TOS term eventually, even if it was by accident. Isn’t that the purpose though? They criminalize everyone so that they can justify exceptional measures and take control of everything and place gatekeepers in place that we all have to buy into, to have net access.

  7. Here is a case where FBI agents clearly “exceeded authorization” of a protected system (their government-issued BlackBerry devices) and were sanctioned for it.  But they were not indicted under CFAA or branded felons.  They only lost one or two week’s pay.

    FBI battling ‘rash of sexting’ among its employees.

    “When you are given an FBI BlackBerry, it’s for official use. It’s not to text the woman in another office who you found attractive or to send a picture of yourself in a state of undress. That is not why we provide you an FBI BlackBerry.” ~FBI Assistant Director Candice Will

Comments are closed.