CFAA: The gun at a knife fight?

The Computer Fraud & Abuse Act, 18 U.S.C. § 1030, (CFAA) presents a number of interesting issues both for criminal law and the future of internet regulation. The law was passed in 1986 and was designed primarily to criminalize certain unauthorized computer access such as hacking government computers, hacking financial institutions, and using computers to commit interstate crimes. Questions exist as to whether the CFAA adequately addressed these issues. One of the main criticisms of the CFAA is that it was written by legislators with a “simplistic” understanding of computers, and from an examination of U.S. v. Drew, 259 F.R.D. 449, C.D. Cal., 2009, that criticism may have valid roots.

Drew involves a tragic fact pattern. The victim was a 13-year-old girl who committed suicide in response to MySpace communications exchanges. The defendant, the mother of a classmate of the victim, created a MySpace profile for a fictitious person: a 16-year-old boy named Josh Evans. The defendant and others used this fictitious profile to flirt with the victim, then eventually to tell her that “the world would be a better place without her in it.” On the same day that this last message was sent, the victim killed herself, and upon learning of her suicide, the defendant deleted the fictitious profile and told another minor who knew about the exchanges to “keep her mouth shut.” Notably, the defendant’s actions violated a number of provisions in the MySpace terms of service (MSTOS), including knowingly posting false information, posting a picture of a person without his consent, and various provisions involving privacy and harassment. Further, it should be noted that although both the victim and defendant at all times resided and acted only in the state of Missouri, MySpace’s servers were located in California, so any messages between the victim and defendant necessarily crossed state lines before reaching the intended recipient. Although at trial the jury was deadlocked on some issues, and found the defendant not guilty of others, the defendant was found guilty of the misdemeanor of “accessing a computer involved in interstate or foreign communication without authorization or in excess of authorization to obtain information in violation of Title 18, United States Code, Section 1030(a)(2)(C) and (c)(2)(A).”

The overarching issue presented in this case was whether and, if so, under what conditions violations of a website’s ToS will constitute a crime under the CFAA. The misdemeanor of which Drew was convicted at trial involves three elements, which can be summarized as follows: 1) intentionally accessing a computer in a manner that is unauthorized or exceeds the authorization granted, 2) involving an interstate or foreign communication, and 3) resulting in the defendant obtaining information from a computer used in interstate or foreign commerce.

The court notes that because the Internet is treated like a telephone network in the eyes of the law, the second and third elements of the crime are per se met any time a person uses a computer to make contact with the Internet and reads any information on the website. This raised a red flag for me. I understand that the idea of interstate commerce has taken many definitions over time, and has waxed and waned in response to various breakthroughs in technology and resulting changes in public opinion. But should two people communicating with one another in the same state really be treated as engaging in interstate commerce simply because their means of communication is the Internet? I understand the devotion to precedent and stare decisis, but this feels like an antiquated approach to what is becoming (if it hasn’t already become) the most popular means of communication on the planet. How far does this go? If I communicate with my roommate via a local area network because I don’t feel like yelling across the house, does that constitute interstate commerce merely because it uses the same technology as the internet?

Regardless of the answers to these questions, the law is relatively settled on this issue at least for the time being, and consequently, most discussion in the opinion is devoted to the first element. In particular, the definitions of the terms “access” and “unauthorized” are of critical importance, and are inconveniently not defined in the CFAA. There are two prevailing definitions of access: the broad definition, referring to “any interaction between two computers,” and the narrow one, meaning “conduct by which one is in a position to obtain privileges or information not available to the general public.” The court notes that although the narrow definition is probably more useful and better reflects the congressional intent of the Act, no courts have followed it. Again, I feel the broad definition belies the nature of the technology because two computers can (and indeed very often do) interact without information flowing both ways. Certainly, in the case of a one-way message, nobody would seriously argue that the sending party had any “access” to the receiving party’s information, but yet, the prevailing definition of “access” in this respect leads to the opposite conclusion.

With respect to the concept of “without authorization,” the court acknowledges that many decisions employ inconsistent approaches in defining and applying the term, but most are accomplished through analogy based on the particular facts of each case. Some opinions have relied on agency or trespass principles, while others resort to a contract analysis. The court hesitates to adopt any of these as the preferred approach, but notes in discussion of the contract analysis that it is unlikely that Congress, in passing the CFAA, intended to criminalize the breach of state law contracts. Despite this, most courts which have considered the issue have held that conscious violations of a website’s ToS will render the access unauthorized or in excess of the granted authorization. This court, following precedent, held that a conscious violation of the MSTOS can potentially constitute unauthorized access, based on the prevailing definitions of these terms.

But thankfully, the analysis does not end there. The court next addresses whether this application of the CFAA violates the void-for-vagueness doctrine. The doctrine “has two prongs: 1) a definitional/notice sufficiency requirement and, more importantly, 2) a guideline setting element to govern law enforcement.” In an extended analysis of these prongs, the court determines that this particular application of criminal enforcement violates the void-for-vagueness doctrine. The first prong is not met because 1) the statute fails to provide sufficient notice to users that it could be a crime to violate a website’s ToS, 2) the MSTOS does not make clear whether any and all violations constitute unauthorized access or if only some of them do, 3) the effect of this application is to let website operators define criminal conduct and change it without notice, and 4) it results in conflicts in applying contract law. Personally, I felt the third reason was the most persuasive (not to mention frightening), but the court spent little time discussing it.

The second prong also fails because it would result in too much discretion in the hands of law enforcement, and would “convert a multitude of otherwise innocent Internet users into misdemeanant criminals.” Because the 2nd and 3rd elements of the crime are automatically met upon using a computer to view the internet, the only element in question is again the first. The lack of clear guidelines and objective criteria in the CFAA is fatal to the constitutionality of allowing a conscious violation of a website’s ToS, without more, to constitute a crime. The court notes that if this argument were valid, it would add criminal color to many innocuous internet uses, particularly on free websites like MySpace. As a result, the defendant’s motion to dismiss was granted.

In sum, I thought the court did a good job of wading through the legislative and decisional quagmire that interpreting this statute must have been. The inconsistencies among jurisdictions in applying the CFAA and various term definitions to virtual crime issues are alarming and leave internet users justifiably unsure about what is allowed and what is not.

I agree with the criticism that many of the current laws addressing virtual crime issues, including the CFAA, appear to have been drafted by people with an inadequate understanding of the technology and the consequences of such laws. The result is that, like launching a nuclear missile at a jaywalker, the scope covers far more than it needs to and represents a fundamental misunderstanding of the underlying problem. From Ted Stevens’s infamous “series of tubes” speech to the wildly overbroad interpretation of the CFAA advocated by the government in Drew, it appears clear that the next generation of legislators, lawyers, and judges faces an uphill battle in attempting to align laws governing virtual crimes with those of the traditional criminal system. The court even notes at the outset in Drew that there isn’t even a consensus among jurisdictions on whether to capitalize the word “Internet” or if “website” should be one word or two. Should we really expect thorough and knowledgeable answers to tougher questions like whether two people communicating with one another in the same state via the internet should really be treated as engaging in interstate commerce? Should we have a system where website operators can effectively shape criminal law based on their own Terms of Service? How can we balance the competing interests in controlling one’s own website and the interest of the public in reasonable use of the Internet?

I look forward to the evolution of these issues over time, especially once people experienced in modern technology obtain a more meaningful role in shaping its application to the law.


~ by nickufl on September 13, 2010.

16 Responses to “CFAA: The gun at a knife fight?”

  1. I agree with you that the most persuasive reason for failing the first prong was the third: allowing websites to create their own criminal law. That is quite the scary thought. However, I do think TOS violations would be criminalized very often. Only the cases with the worst facts (like this one) would invite criminal prosecution. This case is the very reason people say bad facts make bad law. It’s so compelling to find a way to prosecute Nancy Drew. That being said, I completely agree the prosecutors were overreaching here.

    It will be interesting to see how judges interpret laws relating to the internet. A lot of judges are not nearly as internet savvy and some downright dislike computers and the internet. How will those attitudes affect the shape of laws such as the one involved here?

    The Drew case is a very interesting one and I was glad to see that the court came out the way it did. Slippery slope arguments often get used when there is no other argument, but here, it appears the precedent established by a decision the other way would have been dangerous.

    • Lori Drew*

      But Nancy Drew made me laugh. Why would anyone want to prosecute that teenage detective?

      • Tampering with crime scenes, trespassing, stalking, etc. the list goes on. Don’t be fooled by that pretty smile and youthful exuberance….Nancy Drew has ulterior motives.

  2. Response to: The misdemeanor of which Drew was convicted at trial involves three elements, which can be summarized as follows: 1) intentionally accessing a computer in a manner that is unauthorized or exceeds the authorization granted, 2) involving an interstate or foreign communication, and 3) resulting in the defendant obtaining information from a computer used in interstate or foreign commerce.
    This is something I have gleaned over in other classes as well and it is troubling to think that simple use of the internet means 2 of the 3 elements of a crime are met. By using the internet, the prosecutor’s job is as simple as finding a witness to say the D had no authorization to do x, y, or z.
    I think the Commerce Clause got taken a little too far here. It seems that the Court took the lazy way out by saying “yeah we don’t really want to get into the details of packets of information so we are just going to say that all use of the internet crosses state lines because there is a pretty good chance that it actually did.” What if we applied that logic to other areas of law? Especially in the Age of the Internet, the Court should articulate a standard that requires something more than mere use of the internet; perhaps a requirement that the use of the internet play a substantial role in the alleged crime. This standard probably doesn’t narrow the scope that much either, but it’s better than the current standard.
    On that note, the broad definition of “access” seems to have opened up a can of worms. It makes sense logically if the government wants to get at crimes that involve use of the internet but do not involve non-public information. However, I think they should have erred on the side of narrow construction for the sake of preventing virtually everything from being a crime that otherwise meets prong 1.
    In any event, one of the articles we read talks about the defense attorney slamming on the prosecutors for pursuing such a novel theory. I think they had to in order to have any hopes of prompting legislation that would proscribe cyber bullying. Whether such laws resulted is beyond the scope of my knowledge, but logically it seems like they had no other choice. If we never fought uphill battles, we probably wouldn’t have the United States (wow, what a leap!).

    Good job analyzing this, Nick.

  3. So if I sell a book to my next door neighbor on Craigslist, is that interstate commerce?

  4. I think the biggest stretch there is labeling that use as “unauthorized access.” The statute, as you say, is very clearly aimed at a person who breaches restrictions and gains access to a system despite those access restrictions. Drew didn’t do that because MySpace doesn’t have those types of access restrictions, merely Terms of Use that apply to its users, who for all intents and purposes, can be anyone. I see Drew’s access as that which MySpace might aim to eliminate or later restrict but not “unauthorized access” under the statute. MySpace offered Drew “access” and sought merely to control her conduct through the ToS. This sounds like semantics to me making the argument, but what more can you do with an outdated, poorly-drafted statute?
    Congress might also be running into a constitutional issue through the government’s proposed interpretation of the statute by effectively giving away the power to criminalize conduct to private parties through contract.

  5. I think the two topics that stood out to me the most were the regulation of internet activities intended to act solely within one state being regulated as interstate activities, and your fear of giving website companies the ability to regulate what is and isn’t criminal conduct.

    First, it seems, on its face, to be very simple that the internet is not only interstate but worldwide. It is after all called the worldwide web. However, there is something that doesn’t seem right about wholly intrastate intended activities being regulated by the federal government. I think though that the court was correct in its ruling because MySpace is nationwide and the court has the power to regulate wholly intrastate activities when they threaten interstate commerce.

    Second, I believe your fear of website companies having too much power to regulate criminal conduct is a very valid one. I think the scariest part is most people have no idea what the TOS says. I know ignorance is no excuse for the law but there’s no real way to know what it includes or what it means. In regards to most criminal laws, citizens grow up learning over time what is right and what is wrong to do in society. However, it seems that a recurring theme in our readings is that people don’t necessarily treat the internet and its platforms as extensions of society. The dragon sword example and Drew show people that acted outside of their normal behavior to act in a way that is really unknown to be illegal, and in both cases found to be not illegal.

    The question then becomes how do you regulate behavior on the internet so that people understand when their behavior is illegal? The easiest solution would be to regulate all internet behavior the same as we would regular behavior. However, that prevents many role-playing games such as WoW from existing. In WoW, it sounds like you can fight then take your opponent’s equipment when you win. In real life that is called Robbery. Clearly, we wouldn’t want to create laws that effectively eliminate the platforms they try to control. In the end, it appears the best solution is for the website or role-playing community to try to regulate itself with a terms of service agreement. I think the best way would be to supplement the TOS with a short tutorial that walks new users through what the TOS agreement says instead of just a long contract form when you first sign up.

  6. I agree with the point regarding internet communication and interstate commerce. It seems counter-intuitive to treat internet communication in the same manner as a telephone line when the functions of the two technologies can be very different. This seems to be an example where technology novices have “created” the law and lumped the two technologies in a single category simply because an Ethernet cord may look very similar to a telephone cord. However, even as a technology novice myself, I realize there is a difference between communicating with someone by phone who is across the country versus communicating by internet with someone who lives directly downstairs from me. It doesn’t seem logical to just draw an arbitrary line in the sand and categorize internet communication of any kind as interstate commerce as it defeats the purpose of categorizing crimes that have taken place across state borders and those that have taken place in a single state. Looking at the Drew case, I felt that much of the case was an attempt to point a finger of blame after a horrendous tragedy, however, no criminal laws were broken and the Drew case raises the question of whether new “crimes” should be created to keep up with technology.

    • I agree here. If I call my parents, who have an Illinois number, but who live in Florida, am I crossing state lines in any significant way? The same logic seems to apply here in my opinion.

  7. I find two points interesting here:
    1. The idea that websites can control criminal standards through their terms of access is a very complex one indeed. You could argue that state contract law allows this sort of control for property owners in the real world (irl) – you can negotiate the terms by which an individual has access to your land, business, or home. Anyone who violates those terms becomes a trespasser and is thereby subject to state criminal sanctions. If imposing a criminal sanction on those who would violate terms of access irl is acceptable, why not move the standard onto the net – is it really such an expansion of state discretion?

    2. The idea that the commerce clause applies to all things internet (that’s right, not Internet) reminds me of the particular difficulty of sorting out jurisdiction with regard to online actions. In Bochan v. LaFontaine (a case I read for Cyberlaw) defendants were subject to the jurisdiction of Virginia solely on the basis that they used AOL to connect to the internet and AOL’s servers were located in Virginia. While it could be argued that the defendants had sufficient contacts with Virginia by using AOL’s servers, I think this is a far stretch for a court to make in order to claim jurisdiction. Similarly, I think that applying the commerce clause to transactions that occur in state because they happened on the internet is a stretch of Congress’ commerce power.

    But is there a better solution? Should Congress be the one to regulate the internet – or should some actions be left to the states? I think there’s a balance that can be struck, and that the CDAA is not necessarily a good fit for solving the unique issues presented by crimes on the internet.

  8. I agree and am concerned with the fact that the second and third elements of the crime are met simply by using a computer to make contact with the Internet and reading any information on the website. I may be misunderstanding the stated purpose of the Computer Fraud & Abuse Act, however it seems as though the law was passed in order to deter or prevent individuals from obtaining certain “private” information that could be used by those without authorized access to “harm” others. That being said, the crime Drew was charged with doesn’t even focus on the information she obtained. Simply checking off that third element based on the broad definitions that have been used in the past is very likely to cause problems. Online communication has become one of the primary forms of communication in today’s society, and there needs to be change in the interpretation of laws or definitions in order to properly and fairly regulate its use. Holly stated it well in discussing the need for a standard, “perhaps a requirement that the use of the internet play a substantial role in the alleged crime.” The information obtained from the unauthorized access should play a substantial role in the alleged crime. Especially when many people do not read the ToS, or read them but do not understand what they are agreeing to, and may unintentionally do something that can constitute a crime.

  9. When I read that Drew was found guilty of three counts of gaining unauthorized access to MySpace, my first thoughts were that this case was turning breach of contract into criminal trespass. Signing an online TOS is equivalent to signing a contract, and the only remedies available should be specific performance (not applicable here) or monetary damages. While this may seem heartless when dealing with a girl who commits suicide, it’s scary to set the precedent that TOS are anything more than a contract, since people violate them every day.

    If this is treated as criminal trespass, and not breach of contract, new issues come up. Criminal trespass requires someone to “knowingly” enter and remain unlawfully on a premises. Arguing that MySpace is the premises, Drew would have to have read and understood the TOS in order to be guilty of criminal trespass. Until sites find a way to ensure users actually read the TOS, people don’t know what they’ve agreed to, and don’t know when they’ve exceeded their access. If the legislature wants to be able to prosecute for anything beyond breach of contract, they need to write new law, not try to deal within the CFAA.

  10. I have so many issues with this case.

    First: users who access the internet cannot reasonably foresee being dragged to court in another state outside their domicile to face criminal charges. They have not purposely availed themselves to the forum state by entering a URL into their computers and should not be forced to face a foreign court’s processes. Most people who access the internet do not consider that each website they access could potentially result in their acknowledging jurisdiction in that server’s state. This basically creates the result that if a person so much as agrees to create a profile on a website, they have acquiesced to jurisdiction- which would defeat the guidelines set forth by the courts of this country to define jurisdiction in the first place.

    Second, the MySpace TOS apply to any person 13 or over in order to access MySpace. To criminalize the violation of the TOS would create a new class of criminal where even minor children who are not normally permitted to enter into contracts could potentially have to face criminal charges for innocently, absentmindedly, or purposely refusing to place their real personal information on a website accessible to millions of people. Where does it say on a Website’s TOS that failure to follow these benign rules could result in federal criminal charges?

    Third, it is absurd to assume that a person who wants to keep their real identity private to protect their privacy on a social networking site would be subject to criminal charges. Sure, what Lori Drew did was reprehensible, but what about a writer who chooses to use a pseudonym when writing a blog? A minor who wants to keep herself safe and doesn’t put her real information on her profile? A professional who doesn’t want her employers accessing her profile so she changes her name?

    Fourth, it would be against public policy to permit a website’s operators to define what is considered criminal behavior. The lack of consistency and the trivialization of criminal charges that would ensue from such a policy would create a floodgate to our court systems, who would be forced to deal with website operators trying to enforce the law, users trying to avoid prosecution, and a general inconsistency that would result from having so many different, subjective, persons determining the criminal law.

    Fifth, the “unauthorized access” definition is lacking in a multitude of ways. If Lori Drew was granted access to the MySpace account by MySpace itself and she never committed any clandestine acts (i.e. hacking) to obtain access to their servers without their consent, it can hardly be said that she had unauthorized access. That is the equivalent of saying that a person who tweaks their resume to get a job is a trespasser in the building where he is employed. That MySpace did not complete their due diligence in verifying her information hardly qualifies as an unauthorized intrusion on her part.

    Moreover, I agree that it is absolutely frightening that the elements required to “prove” the violations are 1) intentionally accessing a computer in a manner that is unauthorized or exceeds the authorization granted, 2) involving an interstate or foreign communication, and 3) resulting in the defendant obtaining information from a computer used in interstate or foreign commerce. These requirements basically remove the need for evidentiary support in a criminal proceeding. “Innocent until proven guilty beyond reasonable doubt” becomes “innocent until you make a mistake on your membership application and anyone notices.”

    Lastly, I find it absolutely ludicrous that our government had an easier time extending this outdated, overbroad statute to Lori Drew than extending the existing bullying, harassment, and stalking statutes in the books. How is it that this law was more applicable?

  11. This analysis was basically dead-on my reaction to our assigned readings. One thing that really stood out to me was the interstate commerce issue. Personally, I would say I probably use the Internet as my primary form of communication and to think that me Skyping with my mom in Tampa or IMing Holly, who is sitting across the table in class (not in THIS class, of course), constitutes interstate commerce just because we happen to be using the Internet as our chosen form of communication seems absurd. In the Drew case, it is completely understandable to me why the prosecution would raise this issue. In my opinion, Lori Drew got far less than she deserved. But, simply put, it was hard to find a law Lori Drew was technically breaking.
    Another issue that stood out to me (and apparently a lot of my classmates), was the power given to the websites to decide for themselves what constitutes criminal behavior. I couldn’t even begin to count the amount of times I clicked the “agree” button on a Terms of Service contract without reading it. And most likely, I have violated some portion of those ToS on more than one occasion. Obviously the facts of the Drew case are incomparable to my minor ToS violations, but the recurring issue that the courts seemed to be faced with in regards to virtual crime is where to draw the line? Where do they draw the line with regards to prosecuting for ToS violations? Where do they draw the line between interstate and intrastate commerce? These are questions for the courts but I think that maybe in such a rapidly expanding world like the internet, the laws that govern it need to be equally as dynamic.

  12. It would seem that federal legislators have taken the simple design of the Internet as carte blanche to make all laws affecting the usage of the Internet Federal. Additionally, as Laura observed, civil procedure cases have shown time and again that either through accidental or intentional misunderstanding courts will extend jurisdiction to parties in Internet-related litigation for some of the most cursory reasons.

    These ongoing issues, as problematic as they are, pale in comparison to the criminalization of what is essentially a breach of a private agreement. To assert that the law will automatically back a website owner and his/her terms of service with the force of the CFAA betrays the misunderstanding that legislators bring to “Internet law.” It’s frustrating at best and damaging to the future of the Internet at worst.
