Who Determines Computer Crimes? Court Says Congress. Congress Is Unclear.

The Ninth Circuit Court of Appeals has handed down its opinion in Facebook, Inc. v. Power Ventures, Inc., that seems to suggest, as George Washington University Law Prof. Orin Kerr writes, that “It’s a federal crime to visit a website after being told not to visit it.”

Although this case arose in the civil context, violations of the statute in issue, the Computer Fraud and Abuse Act (CFAA), can constitute both a civil wrong and a criminal offense, so judicial interpretations of the CFAA’s language in the context of a civil lawsuit may also be applicable in context of a criminal prosecution. Given the expansive interpretation given by the court to the terms of the CFAA, Congress may wish to narrow the scope of the statute before an overly-aggressive prosecutor utilizes this interpretation to initiate a criminal prosecution.

Congress enacted the CFAA in 1984 to keep government computer networks and the confidential government information stored on computers safe from hackers. In Facebook v. Power, however, there was no government computer and no hacker.

Power Inc. was (it is now defunct) an up-and-coming social media aggregator that let users access all of their social media from one platform. Power could have used a Facebook developer program to advertise to Facebook users, but chose not to. Instead, Power placed an icon on its website offering $100 to the first 100 Facebook users who would allow Power access to their Facebook data in order to send promotional e-mails or other messages to their Facebook contacts, if one of those contacts then joined Power’s network.

Facebook sent Power a cease-and-desist letter informing the company that it was violating Facebook’s terms of use policy and demanding that Power stop its advertising scheme, which Power ignored. After Facebook’s attempts to block Power’s access to its website failed, Facebook sued the startup for damages—the cost of legal fees in responding to Power’s activity—under civil provisions of the CFAA. A federal district court judge granted Facebook summary judgment, and the Ninth Circuit Court of Appeals affirmed, concluding that Power had accessed Facebook’s computers “without authorization” under the CFAA.

The principal issue in this appeal was what constitutes “unauthorized access” (the court addressed related issues in two other cases: Nosal I and Nosal II)? The court wrote:

[W]e distill two general rules in analyzing authorization under the CFAA.  First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability. Second, a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.

The Ninth Circuit noted that it is debatable whether Facebook users ever “gave Power permission to use Facebook’s computers to disseminate messages” in the first place, but regardless, “Facebook expressly rescinded that permission when Facebook issued its written cease-and-desist letter.” Thus, Power’s continued use ran afoul of the CFAA.

Equally important, the court said what does not run afoul of the CFAA. While Facebook’s cease-and-desist letter “informed Power that it had violated Facebook’s terms of use and demanded that Power stop soliciting Facebook users’ information, using Facebook content, or otherwise interacting with Facebook through automated scripts,” the court said that a terms of use violation alone cannot trigger liability under the CFAA.

This should put to rest, at least in the Ninth Circuit, the concern raised by then-Ninth Circuit Chief judge Alex Kozinski in United States v. Nosal (9th Cir. 2012), that one day “millions of unsuspecting individuals would find that they are engaging in criminal conduct” by violating some aspect of the “terms of service” of an online service-provider, which are “lengthy, opaque, subject to change and seldom read.”

Professor Kerr and others describe the line between terms of use and cease-and-desist letters as “thin” if not “nonexistent.” It is a potentially dangerous line too. “Basing criminal liability on violations of private computer use polices,”Kozinski wrote, “can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved.” Now, it seems, if someone continues to violate computer use policies after receiving a cease-and-desist letter, that could be a crime. Is this really what Congress had in mind?

As it stands, the CFAA is an “egregiously overbroad” statute, says Columbia Law Professor Tim Wu, that has generated plenty of reasonable but differing interpretations. It is time for Congress to clarify the law so that those of us who make ubiquitous use of online social media–which is practically everybody these days–will have a clearer idea about what conduct can subject us to civil liability and what conduct can subject us to criminal prosecution.