America’s main anti-hacking law is the federal Computer Fraud and Abuse Act (CFAA), which makes it illegal to “access a computer without authorization or exceed authorized access.”
Across the U.S., courts have come to different conclusions about what is prohibited. Would knowingly violating a website’s terms of service be considered exceeding authorized access?
In 2009, federal prosecutors tried to hold a California woman criminally responsible for violating MySpace’s terms of service. The woman participated in a hoax that led to a 13-year-old girl’s suicide. A federal judge, however, rejected the theory and ruled that violating MySpace’s terms of service did not violate the CFAA.
In 2015, the Second Circuit Court of Appeals rejected the prosecution of a police officer who, in violation of department policy, used a state database to gather information about women he knew. The court ruled this did not constitute a violation of the CFAA.
But other courts have ruled the other way. In 2010, the Eleventh Circuit upheld the CFAA conviction of a Social Security Administration employee. Like the police officer, he had looked up the personal information of people he knew.
And, in 2006, our own Seventh Circuit ruled that an employee did violate the CFAA when he quit his job and wiped his employer-owned hard drive, the contents of which would have revealed his misconduct. The appeals court upheld the conviction even though the man had not hacked the hard drive.
So it was with some trepidation that a group of academics and journalists sued the government to determine if they were about to criminally violate the CFAA.
The activists wanted to investigate race discrimination in online job markets. In order to do so, they needed to set up accounts for fake employers and job seekers. However, this would violate the terms of service of many of the sites they wanted to investigate. The activists worried that they could be criminally prosecuted.
The case came before a federal district court in Washington, D.C., and that court ruled that the activists’ plan, although violating the sites’ terms of service, would not criminally violate the CFAA.
“Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature,” wrote the judge.
He also noted that terms of service are often long and complex, and they change frequently and without notice. Most users are unaware of the precise terms, and therefore it would be unreasonable for violating the terms to be considered criminal.
The ruling does not overrule previous appellate court rulings, however, so the question of whether violating terms of service is a CFAA violation remains unclear. Ultimately, the Supreme Court may have to decide.