Court: Violating a site’s terms of service isn’t criminal hacking

Courts have struggled to interpret the vague Computer Fraud and Abuse Act.

A federal court in Washington, DC, has ruled that violating a website's terms of service isn't a crime under the Computer Fraud and Abuse Act, America's primary anti-hacking law. The lawsuit was initiated by a group of academics and journalists with the support of the American Civil Liberties Union.

The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have terms of service prohibiting users from supplying fake information, and the researchers worried that their research could expose them to criminal liability under the CFAA, which makes it a crime to "access a computer without authorization or exceed authorized access."

So in 2016 they sued the federal government, seeking a declaration that this part of the CFAA violated the First Amendment.

But rather than addressing that constitutional issue, Judge John Bates ruled on Friday that the plaintiffs' proposed research wouldn't violate the CFAA's criminal provisions at all. Someone violates the CFAA when they bypass an access restriction like a password. But someone who logs into a website with a valid password doesn't become a hacker simply by doing something prohibited by a website's terms of service, the judge concluded.

"Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature," Bates wrote.

Bates noted that website terms of service are often long, complex, and change frequently. While some websites require a user to read through the terms and explicitly agree to them, others merely include a link to the terms somewhere on the page. As a result, most users aren't even aware of the contractual terms that supposedly govern the site. Under those circumstances, it's not reasonable to make violation of such terms a criminal offense, Bates concluded.

Courts disagree about how to interpret the CFAA

This isn't the first time a court has held that violating a website's terms of use is not a criminal hacking offense. In 2009, a California federal judge rejected a CFAA prosecution against Lori Drew, a woman who contributed to a MySpace hoax that led to the suicide of 13-year-old Megan Meier. Prosecutors had argued that Drew violated MySpace's terms of service.

In 2014, the Ninth Circuit Court of Appeals—which includes California—rejected another CFAA prosecution based on a terms-of-service violation. In that case, an employee had used a valid password to access confidential information, which the employee then used in ways that violated the employer's policies.

A 2015 ruling by the Second Circuit Court of Appeals interpreted the CFAA in a similar way. It overturned the conviction of a cop who had used a police database to look up information about women he knew personally. While his creepy behavior violated police department policies, the court held, that didn't make it a violation of the anti-hacking law.

"The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," the appeals court concluded.

But some other courts have interpreted the CFAA more broadly. For example, in a 2010 case, the Eleventh Circuit ruled that a Social Security Administration employee had violated the CFAA when he used an SSA database to look up information about people he knew personally. The ruling runs directly counter to the Second Circuit's ruling a few years later.

In a 2006 ruling the Seventh Circuit Court of Appeals ruled that an employee, Jacob Citrin, had violated the anti-hacking law when, after quitting his job, he wiped an employer-owned laptop that contained information that was valuable to his employer—as well as data that would have revealed misconduct by Citrin. Citrin hadn't in any sense hacked into the laptop, but the court found that deleting the data nevertheless exceeded his authorized access.

Ultimately, these conflicting interpretations of the CFAA will need to be resolved by the Supreme Court, which has yet to rule on the question.

Last week's ruling only deals with criminal liability under the CFAA. There's a separate question about whether violating a website's terms of service could expose someone to a lawsuit from the site's owner. Here, too, the courts have yet to reach a clear answer.

A 2016 ruling by the Ninth Circuit sided with Facebook in a CFAA lawsuit against a startup that had logged in to Facebook using credentials supplied by users, in violation of Facebook's policies. On the other hand, the Ninth Circuit ruled last year that a small company, called hiQ Labs, didn't violate the CFAA when it scraped data from LinkedIn in violation of LinkedIn's terms of service.