Senate Judiciary Committee Passes Amendment to Prohibit Prosecutions for Terms-of-Service Violations

Kashmir Hill writes at her Forbes blog on the good news from yesterday’s Senate Judiciary Committee hearing markup of amendments to the Computer Fraud and Abuse Act: No, Faking Your Name On Facebook Will Not Be A Felony.

Legal scholar Orin Kerr wrote an alarming op-ed in the Wall Street Journal yesterday, warning people that “faking your name on Facebook could be a felony” when the law is changed. But a lot changed since yesterday morning. An amendment was added to the bill during a Senate Judiciary Committee hearing Thursday morning, so that people who violate a website’s terms of service are not considered felons.

Senators Al Franken and Chuck Grassley proposed new language for the bill (thanks in part to Kerr’s urging) to exempt those guilty only of TOS violations. Franken, in urging his fellow senators to adopt the amendment, said that without it, the following people would be felons: “A father who uses his son’s Facebook password to log into his Facebook account to check his messages and photos” (ed. note: Creepy and invasive but not criminal); “a 17 year-old who claims she is 18 in order to sell her knitted scarves on Etsy,” and “a struggling businessowner who secretly creates a Yelp account to give his restaurants favorable reviews” (ed. note: Again, uncool and deceptive, but not felony behavior).

The Committee then added an amendment to the bill that specifies that felony-level unauthorized access not “include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.” The bill will now move forward to be considered by the Senate.

The amendment is here. It would amend the definition of “exceeds authorized access” in the CFAA, to the following, with the new language in bold:

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.

I think this is a very good fix, and would be a very important addition to the CFAA. As I read this, the language says that mere breach of a contract or warning such as a Terms of Service cannot be the basis for liability in three instances: with websites, ISPs, and non-government employers. So the government could still prosecute government employees who misused sensitive government databases, such as by accessing tax or social security databases for personal or nefarious reasons. On the other hand, the Government could not prosecute private sector employees for breaching private sector employer computer use restrictions (as they’re trying to do in United States v. Nosal, still pending in the Ninth Circuit) and they could not prosecute Internet users for Terms of Service violations (as they tried to do in United States v. Drew). The language isn’t exactly perfect, as there are some minor definitional questions. But this is really a very strong effort, and I’m just delighted that the Judiciary Committee passed this.

Of course, the fact that it’s out of Committee doesn’t mean it has passed into law. DOJ may target this provision along the way, and there are still a number of hurdles to pass. But this is a very promising step.