Are Facebook's terms of service the law of the land?
Connecting state and local government leaders
At the heart of the debate over the Computer Fraud and Abuse Act's "authorized access" provisions is the question of who gets to write federal law: Congress or corporations.
A head of the Justice Department’s computer crime section recently told a House panel that the department needs the authority to prosecute people who violate a website’s terms-of-service agreements.
The department has no intention of abusing that power, said Richard Downing, deputy chief of the Computer Crime and Intellectual Property Section of Justice's Criminal Division. “The DOJ is in no way interested in bringing action against people who may have lied about their age or anything of that sort” when signing up on Facebook.
But, under the department’s interpretation of the Computer Fraud and Abuse Act, the crime of “exceeding authorized access” to a protected computer includes violating those terms of agreement that you have to click to accept any time you use a Web-based service. Downing said the department uses this to prosecute insiders who steal sensitive information and warned the House Judiciary Committee's Crime, Terrorism, and National Security Subcommittee against narrowing the definition to exclude terms-of-service agreements.
Related story:
Senators: Don't make a federal case out of all cyber crimes
Downing no doubt is sincere when he says the feds are not out to get serial offenders who habitually click “agree” without reading the fine print they are agreeing to. But at the heart of the debate over authorized access is the question of who gets to write federal law: Congress or companies?
I’m not saying that the verbiage churned out by corporate lawyers is not impressive. Have you ever read Google’s terms of service? It runs on for 4,220 words in seven single-spaced pages. And if you have ever Googled anything, you already have, by Google’s definitions, agreed to those terms. And according to the Justice Department, you are bound by them as federal law under the CFAA.
Among those terms are, “You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google.”
This means that anyone under the age of 18 who has used Google has exceeded the authorized access and could reasonably be construed to have violated the CFAA. Of course, if you are under 18 you probably would not be tried as an adult and you probably would get off with just a slap on the wrist. Unless, of course, you had a prior offense for lying about your age on Facebook.
Whether this would stand up in court has not yet been clearly decided. One of the few (if not the only) instances of CFAA prosecution for violating a terms-of-service agreement was that of Lori Drew in the tragic cyber bullying case that resulted in the suicide of a young girl. Drew was convicted in 2008 of a misdemeanor for setting up a phony MySpace account in violation of the site’s terms of service.
The trial judge later granted Drew an acquittal on the charge, saying that to construe the law that broadly “would convert a multitude of otherwise innocent Internet users into misdemeanant criminals." The ruling was not appealed, and the trial judge’s ruling is not binding on other courts.
The Justice Department might have no intention of abusing this broad power, but if it really needs a legal tool for going after insiders and other cyber thieves, the authorized access provision could be crafted to apply to specific kinds of intrusions and specific types of personal and sensitive information.
Neither Google nor Facebook nor any other online company should have the authority to write federal criminal law under the guise of terms-of-service agreements.
NEXT STORY: Fast science: DOE turns on its 100-gigabit data network