EFF, Orin Kerr Ask The Supreme Court To Prevent Turning The CFAA Into A Convenient Way To Punish Site Users, Security Researchers
from the another-way-to-break-the-internet dept
As we reported here earlier, the Supreme Court is examining a CFAA case that could have far-reaching implications for… well, just about anyone who uses any online service, website, platform, or device. The case deals with a cop who abused his access privileges to run unapproved searches of government databases in exchange for cash. Obviously, this is far from an ideal case to argue against overbroad readings of an overbroad law. But, given the abuses perpetrated under this law, non-ideal cases will have to do if we don't want to be turned into criminals by generous judicial interpretations of the phrase "unauthorized access."
Plenty of people and entities are lobbing briefs in the Supreme Court's direction, begging it to avoid criminalizing activities honest Americans participate in every day. It's not just about security research. But it definitely does affect researchers -- both those engaging in normal security research efforts, and those ignoring websites' terms of service in attempts to determine whether sites engage in biased practices.
The EFF's brief [PDF] focuses mainly on the negative effects on researchers -- security and otherwise. It points out that security researchers are routinely threatened with CFAA prosecutions or lawsuits simply because entities with lax security practices don't like having their lapses noticed, much less pointed out publicly. These researchers perform a valuable public service.
Decades of experience have shown that independent auditing and testing of computers by members of the security research community—often in a manner unanticipated and even disapproved by the computers’ owners—is particularly effective at discovering serious vulnerabilities in widely used software and devices.
But far too often they're punished for providing this service.
In 2008, the Massachusetts Bay Transit Authority (“MBTA”) invoked the CFAA to try to enjoin two independent security researchers from presenting truthful information about vulnerabilities in the MBTA’s fare collection system at a security conference. And in United States v. McDanel, the government brought criminal CFAA charges against a defendant who discovered a security vulnerability, alerted the company, and then, when the company refused to fix the problem, alerted the company’s customers…
If arguments about security researchers are too esoteric, perhaps Orin Kerr's arguments [PDF] will hit closer to home. According to the Eleventh Circuit's interpretation of the CFAA, Kerr himself is a criminal.
Like the majority of American adults, I have a Facebook account. Facebook’s terms of service require its users to “[p]rovide accurate information about” themselves. See Facebook Terms of Service, https://www.facebook.com/legal/terms/plain_text_terms (last visited July 1, 2020). I recently violated that term by listing my home city as Sealand. Sealand is an offshore platform in the North Sea near England built during World War II to host anti-aircraft guns. It’s not actually my home city. I list it only to make a point about the CFAA. But under the government’s position, my joke is no laughing matter. It is a federal crime.
Interpreting the CFAA this way makes every website owner a jokester and every website user the punchline. If you think the thousands of federal laws are arbitrary, just wait until you run into the whims of the thousands of people running sites and platforms.
Part of the problem is that written restrictions placed on computers can be entirely arbitrary. These days, anyone can run a website. Anyone can buy a computer for another person to use. And the computer owners or operators can impose whatever restrictions they want. Their limits don’t need to serve an important interest. They don’t even need to make sense.
Kerr cites the Lori Drew case as a real-world example of how the law can be abused by federal prosecutors. Back in 2006, a teenage girl committed suicide after being duped into an online relationship with a nonexistent 16-year-old boy.
The Drew prosecution started with a terrible tragedy in a suburb of St. Louis, Missouri. In October 2006, a 13-year-old girl named Megan Meier committed suicide. Meier had regularly used the social media networking site MySpace, a then-popular forerunner to today’s Facebook. In the weeks before her death, Meier had communicated with a MySpace profile of what appeared to be a handsome 16-year-old boy named Josh Evans. The Evans account had befriended Meier, and Evans expressed his admiration and affection for Meier.
But the online friendship soured. In messages sent soon before Meier committed suicide, Evans had abruptly ended the relationship. According to one witness, the last message Evans had sent to Meier had said, “You’re a shitty person, and the world would be a better place without you in it.” Lauren Collins, The Friend Game, The New Yorker, Jan. 14, 2008.
An investigation into Meier’s suicide revealed that Josh Evans did not exist. The account was fake. It had been created by a group that knew Meier and used it to learn what Meier was saying about her friend Sarah Drew. The senior member of the group was Sarah’s mother, Lori Drew. Other participants included Ashley Grills, an 18-year-old employee of Mrs. Drew who actually devised the idea and used the account, and Sarah Drew herself.
This was abhorrent behavior by a bunch of adults who discovered the internet provided an avenue for the complete destruction of a person's life. But was it a criminal act? Local prosecutors said being an asshole isn't a crime, no matter how much we'd like it to be.
Despite intense public demand to punish Drew, Missouri state prosecutors declined to file charges. A law enforcement spokesperson explained that decision straightforwardly: Drew’s conduct “might’ve been rude, it might’ve been immature, but it wasn’t illegal.”
With Drew facing intense criticism for her actions, the federal government stepped in with the CFAA in hand to engage in a prosecution for the clicks.
The terms of service gave prosecutors a hook. Because Josh Evans did not exist, using the account violated MySpace’s terms of service. According to prosecutors, this rendered every use of the Evans account an unauthorized access in violation of 18 U.S.C. § 1030(a)(2). And because MySpace’s computer servers were in Los Angeles County, federal prosecutors could bring charges in California even though everyone involved was in Missouri.
Ultimately, Drew was convicted only of misdemeanors, and even those convictions were later thrown out by the trial judge. But the feds did such a good job convincing everyone she had broken the law that jury members expressed disappointment in their own verdict.
This -- along with Kerr's example about lying to Facebook about his personal info -- is the reality facing everyone if the Supreme Court decides the Eleventh Circuit is right and every other circuit that disagrees with it is wrong. It won't just be the Lori Drews of the world at the mercy of federal prosecutors. It will be everyone who ignores certain parts of a terms of service agreement or engages with a site in ways its owners did not anticipate or explicitly approve.
Filed Under: cfaa, scotus, security, security researchers, supreme court, terms of service
Reader Comments
The law doesn't belong in citizens' hands, except for...
The biggest problem with this law and the ways it's being used is that it quite literally allows anyone to write their own laws. Not just any laws, either, but federal laws.
This is insane. How on earth can anyone reasonably argue that that's ok?
Re: The law doesn't belong in citizens' hands, except for...
No less august personages than the Founders of the United States of America allowed citizens to write federal laws. They called it Congress.
But
I thought weaponization was the intended outcome of overly broad badly written laws.
TOS: you may not view this website under any circumstances. To do so violates the website’s TOS.
Re: The first rule of TOS Club
Is no-one can even mention the TOS.
Re:
galambosian dot com
https://en.wikipedia.org/wiki/Andrew_Joseph_Galambos#Intellectual_property
Even when this case has come up before, I have not understood the nuance where illegally using a government information system is similar enough to... all the bad uses and attempted uses of the CFAA.
The CFAA is awful and was born of sheer idiocy to begin with, but I am not seeing the relationship of the ruling in this particular case to all the problematic and bad applications of a bad CFAA, more so than... well, all the other opportunities previously created to argue or file briefs. Why is this ruling, and not others, going to ratchet up the bad regarding normal internet behavior or research?
And yes, I am sure there are other laws under which this asshat could have been prosecuted, but prosecutors love glorious-sounding charges and charge-stacking.
Re:
The reason that this ruling would be especially bad is that none of the others reached the Supreme Court. If the Supreme Court rules that these abuses of the CFAA are allowed then that becomes the standard in the entire country overnight and we can expect this type of charge to pop up everywhere. As it currently stands, some judges see this type of charge for what it is, nonsense.
Video/DND/all game concept
If there is a BFG, then everyone will want it, or get it.
If there is a TRICK in game to take advantage, THEY WILL DO IT.
If there is a backdoor, anywhere in life, we will try it.
If the insurance corps, after all these years, would make the contracts EASIER to read and comprehend, we wouldn't take them.
If credit card corps lowered the rates for lower-paid workers, the workers would have incentive to pay them back, and not DUMP that 24% interest card.
Also of note is how TOS can change at any time, without consent from the user. Giving them the force of law through CFAA would allow for a bigger potential for abuse than one might think at first sight.