Exciting times over at the Volokh Conspiracy.
Stewart Baker posted about Michael Vatis’ post (which seems to have been removed). Baker argued that the Obama Campaign’s
practice of having workers log in to Facebook and use the campaign website’s
software to create and send messages to their undecided friends constitutes a
violation of the Computer Fraud and Abuse Act (CFAA). Baker thought that this could be the makings
of a new scandal for the administration.
Orin Kerr then chimed in and pointed out that there was probably no violation of the CFAA, noting that
the violation would probably only have occurred under a broad reading of the
law that the Department of Justice holds.
Kerr notes that under the DOJ’s interpretation – that illegal,
“unauthorized” access occurs whenever a user violates the terms of service on a
website – everybody is probably guilty of violating the CFAA.
Baker ended up retracting his original post,
noting that upon further review of Facebook’s terms of service, it appeared
that the Obama Campaign had complied and did not violate the CFAA even under
the DOJ’s broad interpretation.
While it appears that Baker’s original concerns
about violating the statute were misguided, I feel that, had Facebook’s terms of
use not authorized the campaign’s practice, this situation would have been a
harder case than Kerr argued.

While it is a little bit old, I think that Kerr’s article, Cybercrime’s Scope:
Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78
N.Y.U. L. Rev. 1596 (2003), provides a good explanation of the problems with
the CFAA and how these problems could be solved. The problem I would like to focus on here is
the CFAA’s use of the term “unauthorized access.” The CFAA prohibits unauthorized access to
computers and websites. This terminology
is vague and has led to a variety of approaches by the courts in determining
when a defendant has gained unauthorized access. The statute’s application becomes more
controversial when it applies to activities that seem more commonplace, such as
violating the terms of service of a website or using computer programs to
enter and download information using publicly available website addresses.

In his article, Kerr argues that “unauthorized access” should not be construed to
cover violations of website terms of use and accessing publicly available
websites. Kerr argues that there needs
to be some sort of action that gets around a barrier to access, such as
guessing a password to get through a password requirement. When defendants actively bypass barriers to a
computer or website, this action should be construed as unauthorized access.

I think that the Facebook scenario about which Baker was originally concerned
presents a tough case for Kerr’s approach to unauthorized access. In this situation, each user’s account is
protected by a password, so parties cannot access that portion of the website
without entering the password. A user
would clearly violate the CFAA by developing a program that could guess a
user’s password. But what about
accessing a password-protected page in violation of the website’s terms of
service? Say, for example, Facebook’s
terms of use grant each registered user access to their own Facebook page, but
prohibit these users from allowing others to access these personal pages. If one user grants a third party access to
his Facebook page by giving his password to the third party, the third
party would be bypassing a password barrier in a manner that is prohibited by
the website’s terms of use. This is not
as obvious a violation as developing software to guess or derive a user’s
password as a means of bypassing account protections. But it is also not obvious that this conduct
is authorized, since the content that the third party would access is protected
by password and the third party is prohibited from using the user’s password by
the site’s terms of use.

This Facebook scenario shows that even if one does not agree with the DOJ’s strict
construal of the CFAA, website terms of service may still be relevant to
determining whether unauthorized access has occurred.