A US anti-hacker law has the potential to criminalize things like using a fake name on Facebook, putting false numbers on your Match.com profile or buying gold in World of Warcraft, says a former prosecutor.
The Computer Fraud and Abuse Act (CFAA), which was first implemented in the 1980s and has been reviewed four times, increasingly broadening its scope, can be interpreted in a way which outlaws mundane activities in which the majority of computer users are engaged every day.
“In the Justice Department’s view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable,” Orin Kerr, George Washington University law professor and a former federal prosecutor of the Department of Justice argued at Congress subcommittee hearings on Tuesday.
He says the wordings in the law, which makes punishable actions that “exceed authorized access,” should be amended in a way which would exclude violation of website terms of use. Otherwise, for instance, teenagers using Google’s search would be committing a felony, because its Terms of Use say that you cannot use it if “you are not of legal age to form a binding contract with Google.”
Moreover, website terms of use can be arbitrary and even unconstitutional.
“Anyone can set up a website and announce whatever Terms of Use they like. Perhaps the Terms of Use will declare that only registered Democrats can visit the website; or only people who have been to Alaska; or only people named Frank. Under the Justice Department’s interpretation of the statute, all of these terms of use can be criminally enforced,” he explained.
Kerr cites a study estimating that 80 per cent of Americans using dating sites state false or misleading information in their profiles. The popular dating service Match.com explicitly forbids this in its terms of use, which implies that the majority of its users can be prosecuted under CFAA.
He cites the case of Missouri resident Lori Drew, who was charged in 2008 under the law for her role in cyber bullying incident which led to a teenage girl committing suicide. Prosecutors argued that Drew’s use of a fraudulent MySpace account in violation of the website’s terms of use was equivalent to computer hacking.
The woman was convicted on misdemeanor charges, but a judge subsequently overruled the verdict on the grounds that the CFAA was constitutionally vague and that upholding the verdict would set a dangerous precedent. Kerr was part of Drew’s defense team as pro bono co-counsel.
One of Kerr’s opponents at the hearings, DoJ Deputy Chief of Computer Crime and Intellectual Property Section Criminal Division Richard Downing, argued that limiting the CFAA in a way suggested by Kerr will impede prosecutors’ ability to fight crime.
“We are concerned that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution,” Downing said. “Limiting the use of such terms to define the scope of authorization would, in some instances, prevent prosecution of exactly the kind of serious insider cases the department handles on a regular basis.”
Harvard Law School Lecturer James Baker, who was also giving his opinion to the subcommittee members, agreed that Kerr’s concern has grounds, but argued that “to the extent that Congress is concerned that such abuses might occur, it strikes me that it may make more sense to use your oversight powers to ensure that enforcement of the CFAA is properly focused on the worst offenders.”
He suggested that the Congress could legislate a reporting requirement to ensure that individuals or entities for exclusively know that they may be facing prosecution for violating the terms of service of a website.