Wednesday, 16 November 2011

DOJ Says Lying on the Internet Is a Federal Crime

Written by 

The U.S. Department of Justice (DOJ) is backing a controversial component of an existing computer fraud law that makes it a crime to use a fake name on Facebook or embellish your weight on an online dating profile such as eHarmony. The Computer Fraud and Abuse Act (CFAA), a 25-year-old law that mainly addresses hacking, password trafficking, and computer viruses, should enforce criminal penalties for users who violate websites’ terms of service agreements, alleges the Justice Department.

In a hearing before the House Judiciary Committee’s subcommittee on crime, terrorism and homeland security, federal officials deliberated over cyber threats to the country’s infrastructure and a perplexing interpretation of the law that makes lying on the Internet a crime. During the hearing, titled "Cyber Security: Protecting America’s New Frontier," the DOJ’s deputy computer crime chief Richard Downing addressed Congress, asserting that the CFAA law must allow "prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provide[r]."

"Businesses should have confidence that they can allow customers to access certain information on the business's servers, such as information about their own orders and customer information, but that customers who intentionally exceed those limitations and obtain access to the business's proprietary information and the information of other customers can be prosecuted," said Downing’s prepared remarks.

This interpretation of the law was applied by the DOJ in 2008 to prosecute Lori Drew, a woman who created a fake MySpace account and cyber attacked a 13-year-old girl who then committed suicide. The department contended that MySpace’s terms of service restricts users from creating fraudulent profiles, so Drew was convicted of violating the CFAA (although her conviction was dismissed in 2009). "It basically leaves it up to a website owner to determine what is a crime," U.S. District Judge George Wu indicated in his 2009 verdict, which acquitted Drew of the charges. "And therefore it criminalizes what would be a breach of contract."

The DOJ justified the move by enforcing a dubious section of the CFAA that was supposedly never intended to be used in that manner, which is a general-purpose prohibition on any computer-related action that "exceeds authorized access" — meaning, a website’s terms of service determines what is "authorized" or not. This is how Downing put it in his testimony:

These are just a few cases, but this tool is used routinely. The plain meaning of the term 'exceeds authorized access,' as used in the CFAA, prohibits insiders from using their otherwise legitimate access to a computer system to engage in improper and often malicious activities. We believe that Congress intended to criminalize such conduct, and we believe that deterring it continues to be important. Because of this, we are highly concerned about the effects of restricting the definition of 'exceeds authorized access' in the CFAA to disallow prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider.

Advertisement

In an August letter to the Senate, the ACLU, FreedomWorks, the Electronic Frontier Foundation, and Americans for Tax reform, warned that this convoluted interpretation of the law could make ignoring such "terms" a felony. "If a person assumes a fictitious identity at a party, there is no federal crime," the letter read. "Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. This is a gross misuse of the law." Orin Kerr, a former DOJ computer crime prosecutor and now law professor at George Washington University, says the government’s contentions are anemic, as he told CNET prior to the hearing:

The Justice Department claims to have an interest in enforcing Terms of Use and computer use policies under the CFAA, but its examples mostly consist of cases in which the conduct described has already been criminalized by statutes other than the CFAA. Further, my proposed statutory fix… would preserve the government's ability to prosecute the remaining cases DOJ mentions while not raising the civil liberties problems of the current statute.

In combating the statute, Kerr is requesting that Congress follow the Senate Judiciary Committee’s lead, which recently approved an amendment to a pending bill that would narrow the "exceeding authorized access" interpretation of the CFAA. The amendment says the law would "not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized." Downing and the DOJ requested that the House not approve the amendment.

However, beyond the devious doings of Facebook users and online dating prowlers are countless other terms of service stipulations that are littered throughout the World Wide Web. For instance, many Internet media outlets disclose various restrictions for users posting comments under articles, blogs, and forums. But how many people read the terms of service under the comments section of a website? What happens if a website’s terms of service contains a clause that prohibits users from posting opposing viewpoints? According to the DOJ, such actions are subject to prosecution.

"Terms of Use can be arbitrary and even nonsensical," said Kerr, relaying the above note. "Anyone can set up a website and announce whatever Terms of Use they like. Perhaps the Terms of Use will declare that only registered Democrats can visit the website; or only people who have been to Alaska; or only people named "Frank." Under the Justice Department’s interpretation of the statute, all of these Terms of Use can be criminally enforced… I do not see any serious argument why such conduct should be criminal."

Lying on the Internet may be immoral, but should it really be criminalized by law? Moreover, is this the same DOJ headed by Attorney General Eric Holder who's admitted lying about the "Fast and Furious" gunrunning scandal?

Indeed, the Big Brother police state, which continues to assail Americans’ civil liberties, strikes yet again.