If you are reading this column online at work, you may be committing a federal crime. Or so says the Justice Department, which reads the Computer Fraud and Abuse Act (CFAA) broadly enough to encompass personal use of company computers as well as violations of fine-print website rules that people routinely ignore.
Last week, the U.S. Court of Appeals for the 9th Circuit rightly rejected this view of the CFAA, which Chief Judge Alex Kozinski noted could make a criminal out of "everyone who uses a computer in violation of computer use restrictions -- which may well include everyone who uses a computer." Unfortunately, other appeals courts have been more receptive to the Justice Department's interpretation, which gives U.S. attorneys the power to prosecute just about anyone who offends or annoys them.
Congress passed the original version of the CFAA in 1984, when the Internet was in its infancy and the World Wide Web did not exist, to protect government computer systems and financial databases from hackers. As a result of amendments and technological developments, George Washington University law professor Orin Kerr explains in a 2010 Minnesota Law Review article, "the law that began as narrow and specific has become breathtakingly broad," potentially regulating "every use of every computer in the United States."
The 9th Circuit case involved David Nosal, who left the executive search firm Korn/Ferry International in 2004 and allegedly enlisted two former colleagues to feed him proprietary client information with an eye toward starting a competing business. In addition to conspiracy, mail fraud and trade secret theft, Nosal was charged with violating the CFAA, which criminalizes unauthorized computer access in various circumstances.
Although Nosal's confederates were authorized to use Korn/Ferry's database, federal prosecutors argued that improperly sharing information with him retroactively rendered their access unauthorized. As Judge Kozinski noted, "The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer."
The felony Nosal was accused of committing involves unauthorized access "with intent to defraud." But the CFAA also makes someone guilty of a misdemeanor, punishable by up to a year in jail, if he "intentionally accesses a computer without authorization or exceeds authorized access" and "thereby obtains ... information."
Based on the government's definition of unauthorized access, Kozinski observed, that provision would apply to "large groups of people who would have little reason to suspect they are committing a federal crime," such as employees who violate company policy by using workplace computers to play games, answer personal email, read blogs, watch YouTube videos or check sports scores. Even people using their own computers on their own time could be prosecuted for violating "terms of service" they have never read by fibbing about their age or weight on dating sites, posting photos of other people without their permission or sharing content that Facebook deems offensive.
Kerr notes that terms of service "are written extremely broadly to give providers a right to cancel accounts and not face any liability." Hence, "violating the TOS is the norm," and criminalizing such violations "would give the government the ability to arrest anyone who regularly uses the Internet."
That danger is not merely theoretical. Remember Lori Drew, the Missouri woman who was widely vilified in 2007 after she played a MySpace prank on a 13-year-old girl who later committed suicide? Although Missouri prosecutors concluded that Drew had broken no laws, Thomas O'Brien, then the U.S. attorney in Los Angeles, took it upon himself to prosecute her for violating the CFAA by disregarding MySpace's terms of service.
In 2009, U.S. District Judge George Wu threw out Drew's conviction, ruling that O'Brien's reading of the CFAA would make the law unconstitutionally vague, giving grandstanding prosecutors like him unbridled discretion while leaving their potential targets -- pretty much everyone -- uncertain about how to comply with the law. As Kozinski put it, "We shouldn't have to live at the mercy of our local prosecutor."