CNET has learned that the Justice Department will ask Congress to make sure "terms of service" violations are illegal, imperiling anyone who dares to fib about their weight, age, or name on social networks.
The U.S. Department of Justice is defending computer hacking laws that make it a crime to use a fake name on Facebook or lie about your weight in an online dating profile at a site like Match.com.
In a statement obtained by CNET that's scheduled to be delivered tomorrow, the Justice Department argues that it must be able to prosecute violations of Web sites' often-ignored, always-unintelligible "terms of service" policies.
The law must allow "prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider," Richard Downing, the Justice Department's deputy computer crime chief, will tell the U.S. Congress tomorrow.
Scaling back that law "would make it difficult or impossible to deter and address serious insider threats through prosecution," and jeopardize prosecutions involving identity theft, misuse of government databases, and privacy invasions, according to Downing.
The law in question, the Computer Fraud and Abuse Act, has been used by the Justice Department to prosecute a woman, Lori Drew, who used a fake MySpace account to verbally attack a 13-year old girl who then committed suicide. Because MySpace's terms of service prohibit impersonation, Drew was convicted of violating the CFAA. Her conviction was later thrown out.
What makes this possible is a section of the CFAA that was never intended to be used that way: a general-purpose prohibition on any computer-based act that "exceeds authorized access." To the Justice Department, this means that a Web site's terms of service define what's "authorized" or not, and ignoring them can turn you into a felon.
On the other hand, because millions of Americans likely violate terms of service agreements every day, you'd have a lot of company.
A letter (PDF) sent to the Senate in August by a left-right coalition including the ACLU, Americans for Tax Reform, the Electronic Frontier Foundation, and FreedomWorks warns of precisely that. "If a person assumes a fictitious identity at a party, there is no federal crime," the letter says. "Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. This is a gross misuse of the law."
Orin Kerr, a former Justice Department computer crime prosecutor who's now a professor of law at George Washington University, says the government's arguments are weak.
Kerr, who is also testifying tomorrow before a House Judiciary subcommittee, told CNET today that:
Kerr's testimony gives other examples of terms of service violations that would become criminal. Google says you can't use its services if "you are not of legal age to form a binding contract," which implies that millions of teenagers would be unindicted criminals. Match.com, meanwhile, says you can't lie about your age, criminalizing the profile of anyone not a model of probity.
"I do not see any serious argument why such conduct should be criminal," Kerr says.
The Justice Department disagrees. In fact, as part of a broader push to rewrite cybersecurity laws, the White House has proposed (PDF) broadening, not limiting, CFAA's reach.
Stewart Baker, an attorney at Steptoe and Johnson who was previously a Homeland Security assistant secretary and general counsel at the National Security Agency, has suggested that the administration's proposals to expand CFAA are Draconian. Uploading copyrighted YouTube videos twice "becomes a pattern of racketeering," with even more severe criminal penalties, "at least if Justice gets its way," Baker wrote.
In a kind of pre-emptive attack against Kerr's proposed fixes, the Justice Department's Downing says the CFAA properly criminalizes "improper" online activities.
"Businesses should have confidence that they can allow customers to access certain information on the business's servers, such as information about their own orders and customer information, but that customers who intentionally exceed those limitations and obtain access to the business's proprietary information and the information of other customers can be prosecuted," Downing's prepared remarks say.
Update, November 18, 8 p.m. PT: A Justice Department representative contacted us today and sent over a transcript from the congressional hearing. Here's an excerpt:
Mr. Downing: There have been a lot of characterizations of what the Department of Justice's position is on the 1030(a)(2) question, and that it exceeds authorized access.
Let me be very clear that the DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don't have time or resources to do that. And in fact, no court has in fact ruled that that's an appropriate use of the statute, and quite to the contrary, the one case that's addressed it ruled that it is not an appropriate use, and the government has not brought any further cases. So we're a little bit concerned whether this is truly a problem.
Given all that, however, we recognize that this is an issue and we are very much interested in working with the committee to resolve this question in a way that's proper for all. What we do need to be careful about is to make sure that as we do that, that we don't harm the ability to bring cases that everyone in the room would agree are proper and appropriate ones, and so that as we think about what sort of solution might be available here, that we do it in a way that isn't going to cause other harm and actually harm our ability to create deterrents in this area, which is so important.