On Tuesday, the federal Ninth Court of Appeals ruled that violating a "terms of service" agreement is not a criminal offense. At the heart of the debate were concerns that violating a terms of service agreement, despite being a set of privately held rules, could trigger a criminal violation of the Computer Fraud and Abuse Act of 1984. As a result, anyone who's ever violated a website's terms of service can rest a little easier tonight.
According to accounts, a former employee of an executive recruiting firm had convinced co-workers to abuse their access to the company's system. Those employees then went on to download personal identity-related information from the firm's confidential database.
Prosecutors indicted the former employee on grounds of mail fraud, conspiracy, theft of trade-secrets and exceeding authorized access of a computer system -- a provision found in the CFAA. It's that last one which is of particular interest and how the court ruled has broad implications for nearly everyone in an age of computer ubiquity.
"Under the government’s proposed interpretation of the CFAA, posting for sale an item prohibited by Craigslist’s policy, or describing yourself as ‘tall, dark and handsome,’ when you are actually short and homely, will earn you a handsome orange jumpsuit," the court ruled, adding in a footnote that the government’s interpretation of the law opens employees up to be arrested, not merely fired, for playing Farmville at work.
Since former employees already had authorization to access the company's database, the lower court dismissed the CFAA charges. It did so on the premise that those employees merely violated their employer's usage restrictions and didn't need to break into the system. The prosecution appealed the decision, but the appeal was dismissed and the original determination was upheld.
However, two judges who disagreed with the decision criticized their colleagues as parsing the CFAA in a "hyper-complicated way".
"The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," Alex Kozinski, chief judge for the San Francisco-based appeals court, wrote for the nine-judge majority. "This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer."
Interestingly, Wired also points out that this ruling may prove troublesome for the Obama administration who's attempting build a case against Wikileaks around the CFAA and Espionage Act of 1917.