Skip to main content

You’re probably unknowingly breaking laws online thanks to the CFAA

Computer crime sceneThe tragic death of Internet activist Aaron Swartz, who killed himself last Friday amidst prosecution for downloading 4.8 million academic articles from JSTOR, has brought one of the primary U.S. computer crime laws under intense public scrutiny. Known as the Computer Fraud and Abuse Act, or CFAA, the law was the basis for 11 of the 13 felony charges against Swartz, who faced more than three decades in prison and a potential $1 million fine for his actions. Some of these CFAA-related charges partially stem from the fact that Swartz violated JSTOR’s Terms of Service – you know, the type of absurdly long document we all agree to but never read.

If Swartz could be charged with nearly a dozen felonies for violating a ToS, does that mean anyone who violates such terms could be charged with federal crimes?

What is the CFAA?

Enacted in 1986 as an amendment to the Counterfeit Access Device and Abuse Act, the CFAA makes it illegal to do a whole bunch of stuff related to computers and computer networks, from stealing government documents and committing fraud to sending out spam emails. It’s an extremely broad law, which means a lot of activities can get pushed under its umbrella by federal prosecutors. And it’s been amended so many times that it’s completely unruly.

Why the CFAA is problematic

Much of this breadth is due to the fact that the CFAA prohibits anyone from accessing a computer “without authorization” or by “exceeding authorized access” for certain purposes, which includes attempts to “obtain information” from a “protected computer” if doing so includes “interstate or foreign … communication”.

Now, this probably sounds like a bunch of legal blather – and it is – but it is legal blather that could potentially affect anyone who uses the Web. Here’s why:

“Without authorization”

While the CFAA does explicitly define what a computer is (“an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device”) it does not define what “authorization” means. And that’s a big problem; because of this, prosecutors can (and have) interpreted this to mean that violations of a website’s Terms of Service are tantamount to accessing that website’s computers “without authorization.”

“Obtain information”

“Obtaining information” could mean a whole swath of things, from downloading top-secret nuclear launch codes to loading a Web page. And again, this legalese could be used to argue that someone has violated the CFAA, and has therefore committed a felony.

“Interstate or foreign communication”

You are almost certainly engaging in “interstate or foreign communication” by reading this article, since Digital Trends’ servers are probably not in the same state (or country) where you live. In other words, using the Internet is, almost by definition, “interstate or foreign communication” with a computer.

“Protected computer”

A “protected computer” under the CFAA is any computer that is connected to a government network, or is used for “interstate or foreign commerce or communication.” So if the computer is connected to the Internet, it is “protected.”

To read the full text of CFAA click here.

How CFAA applies to Terms of Service

Okay, so now that we’ve sifted through the most troubling parts of the CFAA, let’s look at how this applies to websites’ Terms of Service.

Every website you go to, every social network you’ve joined, every Internet-connected service you use has a Terms of Services that you had to agree to before using it. Even your Internet service provider has a Terms of Service. And chances are you didn’t read any of them.

Having read through quite a few myself, however, I know that many of them include a big list of rules – things you can’t do, or ways in which you are expected to conduct yourself. For example, most websites – including behemoths like Google – prohibit access by people under the age of 13. On Facebook, users are barred from using pseudonyms, or doing anything “misleading.” Many websites prohibit the posting of sexually suggestive content, or “harassing” anyone.

If a prosecutor so chooses, she can use the CFAA to argue that anyone who violates a Terms of Service is committing a felony. That means every 12-year-old who uses Google Search (or Facebook, for that matter) could technically be targeted under CFAA.

Case in point

This argument was made most famously in United States v. Drew – a case you’ve probably heard of even if it doesn’t ring a bell. In this case, defendant Lori Drew was accused of violating the CFAA when she made a fake MySpace profile, and used it to torment one of her teenage daughter’s enemies. The girl Drew was bullying, 13-year-old Megan Meir, eventually, tragically, took her own life. Prosecutors argued that Drew’s MySpace communications led to her suicide. Drew was later convicted of a misdemeanor violation of the CFAA.

A judge eventually vacated Drew’s conviction, arguing that it was inappropriate to interpret the CFAA. “But other criminal defendants haven’t been so lucky,” writes Marcia Hofmann, staff attorney for the Electronic Frontier Foundation. Hofmann points to AT&T “iPad hacker” Andrew Auernheimer, who was recently convicted under the CFAA for his role in downloading more than 120,000 email addresses of iPad users that AT&T had left unsecured on its network. (He plans to appeal the conviction.)

“It’s possible that Auernheimer’s unsympathetic reputation as an Internet troll played a role in the government’s decision to indict him,” writes Hofmann. “And the CFAA’s vague and over-broad language gave the jury an excuse to punish someone who didn’t carry out anything remotely resembling a serious computer intrusion, even though that’s the concern that caused Congress to criminalize ‘unauthorized’ access in the first place.”

Will you go to jail for violating a Terms of Service?

Not likely. History shows us that you really have to do more than just use a fake name on Facebook to have the feds pounding down your door.That said, the cases against Swartz, Drew, Auernheimer, and many others proves that you could be targeted, if the federal government views you as a threat. And being able to use CFAA to take down undesirables is a power the U.S. Department of Justice desperately wants to have (PDF).

Relief on the horizon

The death of Swartz has spurred Washington politicians into tackling the absurdity that is the CFAA. Earlier this week, Rep. Zoe Lofgren (D-CA) announced plans to introduce a bill (PDF) that would change the CFAA to explicitly decriminalize Terms of Service violations. But until that bill is signed into law – and there’s no good reason at this point to believe it will – I’d make sure to give those Terms of Service a read before you click “agree.”

Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…
The 5 best websites like Craigslist in 2024

For years, Craigslist has been the go-to website for scoring a free sofa or finding an apartment. But there are plenty of other alternatives to Craigslist that do an equally fine job, oftentimes with a more attractive interface and fewer spam postings. The 5 best Craigslist alternatives are:

Facebook Marketplace
OfferUp
Locanto
Mercari
Recycler

Read more
How to stop spam emails in Outlook, Gmail, and more
A person sitting on the grass and taking notes at a laptop.

Spam and other unwanted emails are a nuisance, and it can seem like keeping them away from your inbox is a losing battle. But while you won't be able to prevent every piece of spam from landing in your inbox, it is possible to significantly reduce the number of messages that show up.

In this guide, we'll show you how to use filters, blocking, and spam reporting features to help stop spam from invading your inbox. We'll also go over a few more tips on how to reduce unwanted messages overall.
How to stop spam in Gmail
If you use Gmail, the most popular email client, you will eventually start getting spam. Here are our two favorite ways to deal with it.
Block spam in Gmail

Read more
How to add a signature in Gmail on desktop and mobile
how to file for stimulus

Email signatures are a great way to automatically include your contact information to your email correspondence. If you'd like to add a signature to your emails in Gmail, it's easy enough to add one. You'll just need to go through your Gmail settings to do it.

In this guide, we'll show you how to add a signature in Gmail whether you're using the desktop website version of Gmail or its mobile app.
How to add a signature on your desktop
Step 1: Launch your favorite browser and log into your Gmail account as you normally would.

Read more