
SoylentNews is people

posted by Fnord666 on Wednesday April 01 2020, @08:31AM
from the legislation-inspired-by-a-fictional-movie dept.

Court: Violating a site's terms of service isn't criminal hacking

A federal court in Washington, DC, has ruled that violating a website's terms of service isn't a crime under the Computer Fraud and Abuse Act[*], America's primary anti-hacking law. The lawsuit was initiated by a group of academics and journalists with the support of the American Civil Liberties Union.

[...] rather than addressing that constitutional issue, Judge John Bates ruled on Friday that the plaintiffs' proposed research wouldn't violate the CFAA's criminal provisions at all. Someone violates the CFAA when they bypass an access restriction like a password. But someone who logs into a website with a valid password doesn't become a hacker simply by doing something prohibited by a website's terms of service, the judge concluded.

"Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature," Bates wrote.

[...] This isn't the first time a court has held that violating a website's terms of use is not a criminal hacking offense. In 2009, a California federal judge rejected a CFAA prosecution against Lori Drew, a woman who contributed to a MySpace hoax that led to the suicide of 13-year-old Megan Meier. Prosecutors had argued that Drew violated MySpace's terms of service.

In 2014, the Ninth Circuit Court of Appeals—which includes California—rejected another CFAA prosecution based on a terms-of-service violation. In that case, an employee had used a valid password to access confidential information, which the employee then used in ways that violated the employer's policies.

A 2015 ruling by the Second Circuit Court of Appeals interpreted the CFAA in a similar way. It overturned the conviction of a cop who had used a police database to look up information about women he knew personally. While his creepy behavior violated police department policies, the court held, that didn't make it a violation of the anti-hacking law.

"The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," the appeals court concluded.

From the Wikipedia article on the Computer Fraud and Abuse Act, I would observe . . .

The original 1984 bill was enacted in response to concern that computer-related crimes might go unpunished.[2] The House Committee Report to the original computer crime bill characterized the 1983 techno-thriller film WarGames—in which a young teenager (played by Matthew Broderick) from Seattle breaks into a U.S. military supercomputer programmed to predict possible outcomes of nuclear war and unwittingly almost starts World War III—as "a realistic representation of the automatic dialing and access capabilities of the personal computer."[3]

The CFAA was written to extend existing tort law to intangible property, while, in theory, limiting federal jurisdiction to cases "with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature.", but its broad definitions have spilled over into contract law. (see "Protected Computer", below). In addition to amending a number of the provisions in the original section 1030, the CFAA also criminalized additional computer-related acts.

[*] Computer Fraud and Abuse Act.

It's a good thing the courts protect us from ever expanding legislation created out of fear from watching a movie.



Related Stories

Op-Ed: Charges Against Journalist Tim Burke Are a Hack Job

https://arstechnica.com/tech-policy/2024/03/charges-against-journalist-tim-burke-are-a-hack-job/

Caitlin Vogus is the deputy director of advocacy at Freedom of the Press Foundation and a First Amendment lawyer. Jennifer Stisa Granick is the surveillance and cybersecurity counsel with the ACLU's Speech, Privacy, and Technology Project. The opinions in this piece do not necessarily reflect the views of Ars Technica.

Imagine a journalist finds a folder on a park bench, opens it, and sees a telephone number inside. She dials the number. A famous rapper answers and spews a racist rant. If no one gave her permission to open the folder and the rapper's telephone number was unlisted, should the reporter go to jail for publishing what she heard?

If that sounds ridiculous, it's because it is. And yet, add in a computer and the Internet, and that's basically what a newly unsealed federal indictment accuses Florida journalist Tim Burke of doing when he found and disseminated outtakes of Tucker Carlson's Fox News interview with Ye, the artist formerly known as Kanye West, going on the first of many antisemitic diatribes.
[...]
According to Burke, the video of Carlson's interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into your browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted "demo credentials" that gave access to a page where the URLs were listed.

The credentials were for a webpage created by LiveU, a company that provides video streaming services to broadcasters. Using the demo username and password, Burke logged into the website, and, Burke's lawyer claims, the list of URLs for video streams automatically downloaded to his computer.

And that, the government says, is a crime. It charges Burke with violating the CFAA's prohibition on intentionally accessing a computer "without authorization" because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn't ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.

This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by Runaway1956 on Wednesday April 01 2020, @09:27AM (4 children)

    by Runaway1956 (2926) on Wednesday April 01 2020, @09:27AM (#977983)

    "Hacking" into a computer is comparable to breaking and entering into a business, or a home. Violating a TOS is comparable to something like smoking on Dad's property, when he has banned smoking on the property. Dad can tell you that if you want to visit, obey the rules, if you won't obey the rules, don't visit. But, Dad can't have you thrown in jail for lighting up. Not even if it's a doobie you've lit up!

    • (Score: 4, Informative) by DannyB on Wednesday April 01 2020, @02:19PM

      by DannyB (5839) on Wednesday April 01 2020, @02:19PM (#978029)

      no-brainer is the correct subject line.

      Anything done by legislators is a 'no-brainer', if you get my meaning about having no brains.

      It is amusing to see that Wargames inspired fear in legislators. OMG!!! Then a ridiculous and vague new law. That has been misused. Expanded several times over the decades. Misused some more. Aaron Swartz. Etc.

      Finally a bit of pushback from courts.

      Of course the travesty known as DMCA still exists. Written by Jack Valenti, head of MPAA at the time. Bought and paid for by private industry. To bypass due process with a mechanism ripe for abuse.

      --
      Every performance optimization is a grate wait lifted from my shoulders.
    • (Score: 2) by shortscreen on Wednesday April 01 2020, @03:04PM

      by shortscreen (2252) on Wednesday April 01 2020, @03:04PM (#978045)

      I know I shouldn't be giving them ideas, but I wonder if a TOS isn't good enough to get somebody locked up, if the person can't be sued for copyright infringement instead. A lot of software EULAs contain ridiculous nonsense like "You agree that you will not eat nachos while using The Software, and you agree that The Company's agent may inspect your kitchen to verify that nachos are not present upon having given 3 minutes prior notice of such inspection." so what happens when the website's javashit code comes with an EULA attached to it?

    • (Score: 0) by Anonymous Coward on Wednesday April 01 2020, @03:11PM (1 child)

      by Anonymous Coward on Wednesday April 01 2020, @03:11PM (#978049)

      What if you typed a random URL that takes you to a page bypassing the password logon?

      • (Score: 2) by Runaway1956 on Wednesday April 01 2020, @03:21PM

        by Runaway1956 (2926) on Wednesday April 01 2020, @03:21PM (#978054)

        That's how I log in here! I forgot my password long ago, so I go to the backdoor, knock a short code, and the bots open the door to let me in. At that point, I announce that I'm Runaway1956, and Exec whistles and beeps agreement, Starwars style, and I'm logged in.

        Just don't tell TMB, or he's likely to lock the backdoor.

  • (Score: 3, Informative) by crafoo on Wednesday April 01 2020, @03:22PM (5 children)

    by crafoo (6639) on Wednesday April 01 2020, @03:22PM (#978055)

    It seems pretty clear that a TOS is a contract, and falls neatly under civil courts, not criminal courts.

    A contract you cannot amend, have a "meeting of the minds", and which is usually extremely lopsided in favor of the service provider. So, invalid and unenforceable if our civil courts actually worked correctly. Same with EULAs.

    • (Score: 4, Interesting) by nitehawk214 on Wednesday April 01 2020, @03:56PM (2 children)

      by nitehawk214 (1304) on Wednesday April 01 2020, @03:56PM (#978075)

      Don't forget that it is a contract that the provider can modify at any time, effectively making the agreement retroactive.

      It is no wonder corporations want these to have criminal law backing it.

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
      • (Score: 2) by krishnoid on Wednesday April 01 2020, @11:51PM (1 child)

        by krishnoid (1156) on Wednesday April 01 2020, @11:51PM (#978187)

        "effectively making the agreement retroactive."

        That sounds pretty criminal already.

        • (Score: 1) by nitehawk214 on Wednesday April 08 2020, @07:29PM

          by nitehawk214 (1304) on Wednesday April 08 2020, @07:29PM (#980351)

          The laws they purchased say it is perfectly fine.

          --
          "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 1) by Jay on Wednesday April 01 2020, @07:02PM (1 child)

      by Jay (8679) on Wednesday April 01 2020, @07:02PM (#978127)

      It's abundantly clear that TOS are not a contract, and there's nothing contractual about the arrangement between the parties. TOS are polite requests at best.

      First, for there to be a contractual relationship between two parties, both need to be aware of the terms, and both must agree to them. (By reading this sentence crafoo agrees to the terms and conditions laid out on this paper on my desk.) If a contract changes, both need to be aware of the changes and agree to them.

      You can't win a criminal or civil case if someone did something you didn't like. "Dave walked on my lawn the other day." doesn't get you anywhere. You need to show damages. So any website where their TOS were violated, if it came to a trial, would be demonstrating how the defendant's actions caused them harm. They wouldn't talk about the TOS, because those aren't in any way legally binding.

      When someone is putting up stupid shit on their website between me and what I'm going there to look at, I generally just toggle off JS and there's the content. Sometimes I make a quick uBlock Origin filter. Sometimes it's an ad, sometimes it's "sign up for this newsletter", sometimes it's a baffling attempt to steer me to something I didn't come there for, and sometimes it's to make me aware of their TOS. Doesn't matter, I banish it, and go read what I want to read.

      If that ever went to court, the questions would be, 1) Prove that those were the terms that you presented to me. 2) Prove that I saw them and agreed to them.

      That's the sort of case that gets laughed out of a courtroom. "Your honor, I swear he agreed to those exact terms. I can just feel it in my bones!"

      • (Score: 2) by crafoo on Saturday April 04 2020, @04:35PM

        by crafoo (6639) on Saturday April 04 2020, @04:35PM (#979058)

        Well, unfortunately they have not been laughed out of court, they have generally been upheld by the courts.

  • (Score: 0) by Anonymous Coward on Wednesday April 01 2020, @08:32PM

    by Anonymous Coward on Wednesday April 01 2020, @08:32PM (#978147)

    Wait. I thought that unauthorized access to a "protected computer" violated the Title VIII of the USA PATRIOT Act based on Barbara's uncited provision therein. And now it is apparently the CFAA? This is all so confusing.

  • (Score: 3, Interesting) by mobydisk on Wednesday April 01 2020, @09:32PM (1 child)

    by mobydisk (5472) on Wednesday April 01 2020, @09:32PM (#978165)

    You have to be super careful reading these things. The summary says two similar, but importantly different things:

    "has ruled that violating a website's terms of service isn't a crime under the Computer Fraud and Abuse Act"

    but then it says:

    "ruled on Friday that the plaintiffs' proposed research wouldn't violate the CFAA's criminal provisions at all"

    So which of these things did the judge rule? This is really important! Previously, violating the TOS was considered something punishable under the CFAA. See the Aaron Swartz [bostonmagazine.com] example. So did the judge rule that violating a TOS isn't a CFAA violation, which would be huge, or did the judge rule that this particular set of actions didn't violate the CFAA? Which is it?

    I'm reading this summary by Bruce Schneier [securityboulevard.com] and I'm still unclear. Are there cases where merely violating the TOS is a CFAA violation too?

    • (Score: 0) by Anonymous Coward on Thursday April 02 2020, @02:52AM

      by Anonymous Coward on Thursday April 02 2020, @02:52AM (#978216)

      The CFAA interpretation has changed over time. More courts are now using the public-private dichotomy for these kinds of cases. As the court puts it here:

      Instead of focusing on what was stolen, the CFAA relied on “an ‘unauthorized access’ concept,” wherein “the conduct prohibited is analogous to that of ‘breaking and entering’ rather than using a computer (similar to the use of a gun) in committing the offense.”

      interpreting the Act in light of the common law, the Ninth Circuit focused on “the essential nature” of the relationship between the computer owner and the accesser, and concluded that “[p]ermission to access a stored communication does not constitute valid authorization if it would not defeat a trespass claim in analogous circumstances.”

      “Access[ing] a computer without authorization” is the computer equivalent of trespassing in the physical world.

      (but do note that Swartz was charged with violating the provision in a different way).

      They then go on to say that "In other words, terms of service do not constitute “permission requirements” that, if violated, trigger criminal liability." because of a multitude of reasons, including lack of notice, the nondelegation doctrine in re. a private party, and the rule of lenity. So, violating the TOS isn't a violation in itself. Instead, you have to look at the actions taken while violating the TOS.
