A Fizzled Debate Raises an Interesting Question About the Computer Fraud and Abuse Act

Exciting times over at the Volokh Conspiracy.

Stewart Baker posted about Michael Vatis’ post (which seems to have been removed).  Baker argued that the Obama Campaign’s practice of having workers log in to Facebook and use the campaign website’s software to create and send messages to their undecided friends constitutes a violation of the Computer Fraud and Abuse Act (CFAA).  Baker thought that this could be the makings of a new scandal for the administration.   

Orin Kerr then chimed in and pointed out that there was probably no violation of the CFAA, noting that the violation would probably only have occurred under a broad reading of the law that the Department of Justice holds.  Kerr notes that under the DOJ’s interpretation – that illegal, “unauthorized” access occurs whenever a user violates the terms of service on a website – everybody is probably guilty of violating the CFAA.

Baker ended up retracting his original post, noting that upon further review of Facebook’s terms of service, it appeared that the Obama Campaign had complied and did not violate the CFAA even under the DOJ’s broad interpretation.

While it appears that Baker’s original concerns about violating the statute were misguided, I feel like had Facebook’s terms of use not authorized the campaign’s practice, this situation would have been a harder case than Kerr argued.

While a little bit old, I think that Kerr’s article, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (2003), provides a good explanation of the problems with the CFAA and how these problems could be solved.  The problem I would like to focus on here is the CFAA’s use of the term, “unauthorized access.”  The CFAA prohibits unauthorized access to computers and websites.  This terminology is vague and has led to a variety of approaches by the courts in determining when a defendant has gained unauthorized access.  The statute’s application becomes more controversial when it applies to activities that seem more commonplace, such as violating the terms of service of a website or using computer programs to enter and download information using publicly available website addresses.

In his article, Kerr argues that “unauthorized access” should not be construed to cover violations of website terms of use and accessing publicly available websites.  Kerr argues that there needs to be some sort of action that gets around a barrier to access, such as guessing a password to get through a password requirement.  When defendants actively bypass barriers to a computer or website, this action should be construed as unauthorized access.

I think that the Facebook scenario about which Baker was originally concerned presents a tough case for Kerr’s approach to unauthorized access.  In this situation, each user’s account is protected by a password, so parties cannot access that portion of the website without entering the password.  A user would clearly violate the CFAA by developing a program that could guess a user’s password.  But what about accessing a password-protected page in violation of the website’s terms of service?  Say, for example, Facebook’s terms of use grant each registered user access to their own Facebook page, but prohibit these users from allowing others to access these personal pages.  If one user grants a third party access to his Facebook page by giving his password to that the third party, the third party would be bypassing a password barrier in a manner that is prohibited by the website’s terms of use.  This is not as obvious a violation as developing software to guess or derive a user’s password as a means of bypassing account protections.  But it is also not obvious that this conduct is authorized, since the content that the third party would access is protected by password and the third party is prohibited from using the user’s password by the site’s terms of use.

This Facebook scenario shows that even if one does not agree with the DOJ’s strict construal of the CFAA, website terms of service may still be relevant to determining whether unauthorized access has occurred.