Today, we save the Internet (again): fix the CFAA!

Read this if you want to stay out of jail.

When my friend Aaron Swartz committed suicide in January, he'd been the subject of a DoJ press-release stating that the Federal prosecutors who had indicted him were planning on imprisoning him for 25 years for violating the terms of service of a site that hosted academic journals. Aaron had downloaded millions of articles from that website, but that wasn't the problem. He was licensed to read all the articles they hosted. The problem was, the way he downloaded the articles violated the terms and conditions of the service. And bizarrely -- even though the website didn't want to press the matter -- the DoJ decided that this was an imprisonable felony, under the Computer Fraud and Abuse Act, which makes it a crime to "exceed your authorization" on any online service.

The DoJ reasoned that if the law said that doing anything "unauthorized" was a crime, and if the long, gnarly hairball of legalese that no one reads before clicking "I agree" set out what you were allowed to do, then violations of that "agreement" were a felony.

Aaron's death galvanized some Congresscritters to do something about this oversight. The ancient CFAA predated the widespread use of terms of service in everyday activities like hanging out with your friends, reading the newspaper, getting an education or signing up for a dating service. Congress did not intend to create a situation where companies that provided services could put any unreasonable condition they wanted into an "agreement" you might never see ("By using this website, you accept all terms and conditions") and then ask the DoJ to put people in prison for decades if they violated them.

The reform to CFAA was welcome and long overdue. But the DoJ has asked some members of the House Judiciary Committee to make it worse.

How to fix the worst law in technology

Tim Wu's New Yorker piece on Aaron Swartz and the Computer Fraud and Abuse Act explains how Obama could, with one speech, fix the worst problem with the worst law in technology. The CFAA makes it a felony to "exceed your authorization" on a computer system, and fed prosecutors have taken the view that this means that if you violate terms of service, you're a felon, and they can put you in jail. As Wu points out, Obama doesn't need Congress to pass a law to fix this, he could just tell the DoJ that they should stop doing this. There's plenty of precedent, and it would be excellent policy.

When judges or academics say that it is wrong to interpret a law in such a way that everyone is a felon, the Justice Department has usually replied by saying, roughly, that federal prosecutors don’t bother with minor cases—they only go after the really bad guys. That has always been a lame excuse—repulsive to anyone who takes seriously the idea of “a government of laws, not men.” After Aaron Swartz’s suicide, the era of trusting prosecutors with unlimited power in this area should officially be over...

There is a much more immediate and effective remedy: the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation. The Obama Administration’s policy will have no effect on civil litigation, so firms like Oracle will retain their civil remedies. President Obama’s DREAM Act enforcement policy, under which the Administration does not deport certain illegal immigrants despite Congress’s inability to make the act a law, should be the model. Where Congress is unlikely to solve a problem, the Administration should take care of business itself.

All the Administration needs to do is to rely on the ancient common-law principle called the “rule of lenity.” This states that ambiguous criminal laws should be construed in favor of a defendant. As the Supreme Court puts it, “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” So far, at least thirteen federal judges have rejected the Justice Department’s interpretation of the Computer Fraud and Abuse Act. If that’s not a sign that the law is unclear and should be interpreted with lenity, I don’t know what is.

Fixing the Worst Law in Technology

Zappos's crappy EULA found unenforceable, leaving Zappos without a legal leg to stand on

Of all the stupid clauses in the license "agreements" that the Internet crams down your throat, the cake-taker is "this agreement subject to change without notice." In other words, you're "agreeing" to anything and everything that the company dreams up, for the rest of time. This clause -- and its place in a "browsewrap agreement" that you supposedly agreed to just by visiting a website with "by visiting this website, you agree to our terms of service" on the bottom of it -- was found to be unenforceable by a federal judge in Nevada, who voided out the company's whole agreement on that basis, leaving the company vulnerable to lawsuits after a password leak affecting 24 million customers.

Eric Goldman's posted analysis:

Zappos can hardly be surprised by this adverse judicial ruling. We have known for years that browsewraps are unenforceable (see some of the cases discussed here) and judges clearly dislike unilateral amendment clauses (see, e.g., the uncited Ninth Circuit's Douglas ruling from 2007 and the cited 2009 ruling in the Blockbuster/Facebook Beacon case).

Still, the ruling leaves Zappos in a bad position. Its contract is legally irrelevant, meaning that all of the risk management provisions in its contract are ineffective--its disclaimer of warranties, its waiver of consequential damages, its reduced statute of limitations, its clause restricting class actions in arbitration...all of these are gone, leaving Zappos governed by the default legal rules, which aren't nearly as favorable to it. Losing its contract provisions meant Zappos is legally naked.

Avoiding this outcome is surprisingly easy. Use clickthrough agreements, not browsewraps, and remove any clauses that say you can unilaterally amend the contract.

That's pretty grim: you can load up nearly any BS you want in a EULA, and so long as you stick it in a clickthrough "agreement," it's binding. Good time to remind you all of my own email sig, the original "Reasonable Agreement":

READ CAREFULLY. By reading this email, you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer.

Feel free to use this in your own contexts, of course!

How Zappos' User Agreement Failed In Court and Left Zappos Legally Naked (Forbes Cross-Post)

Mandatory "agreement" for Playstation Network users waives your right to class actions over future hacks

The next time you log into your Sony Playstation Network account, the company is going to ask you to click through a EULA whereby you promise not to sue them in a class action if they get hacked again, even if they're negligent, and even if you get screwed over as a result. If you don't agree, no more PSN for you. (Thanks, @sickkid1972!)