Skip to main content
  1. Home
  2. Web
  3. News

You’re probably unknowingly breaking laws online thanks to the CFAA

Andrew Couts
By

Computer crime sceneThe tragic death of Internet activist Aaron Swartz, who killed himself last Friday amidst prosecution for downloading 4.8 million academic articles from JSTOR, has brought one of the primary U.S. computer crime laws under intense public scrutiny. Known as the Computer Fraud and Abuse Act, or CFAA, the law was the basis for 11 of the 13 felony charges against Swartz, who faced more than three decades in prison and a potential $1 million fine for his actions. Some of these CFAA-related charges partially stem from the fact that Swartz violated JSTOR’s Terms of Service – you know, the type of absurdly long document we all agree to but never read.

If Swartz could be charged with nearly a dozen felonies for violating a ToS, does that mean anyone who violates such terms could be charged with federal crimes?

Recommended Videos

What is the CFAA?

Enacted in 1986 as an amendment to the Counterfeit Access Device and Abuse Act, the CFAA makes it illegal to do a whole bunch of stuff related to computers and computer networks, from stealing government documents and committing fraud to sending out spam emails. It’s an extremely broad law, which means a lot of activities can get pushed under its umbrella by federal prosecutors. And it’s been amended so many times that it’s completely unruly.

Why the CFAA is problematic

Much of this breadth is due to the fact that the CFAA prohibits anyone from accessing a computer “without authorization” or by “exceeding authorized access” for certain purposes, which includes attempts to “obtain information” from a “protected computer” if doing so includes “interstate or foreign … communication”.

Now, this probably sounds like a bunch of legal blather – and it is – but it is legal blather that could potentially affect anyone who uses the Web. Here’s why:

“Without authorization”

While the CFAA does explicitly define what a computer is (“an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device”) it does not define what “authorization” means. And that’s a big problem; because of this, prosecutors can (and have) interpreted this to mean that violations of a website’s Terms of Service are tantamount to accessing that website’s computers “without authorization.”

“Obtain information”

“Obtaining information” could mean a whole swath of things, from downloading top-secret nuclear launch codes to loading a Web page. And again, this legalese could be used to argue that someone has violated the CFAA, and has therefore committed a felony.

“Interstate or foreign communication”

You are almost certainly engaging in “interstate or foreign communication” by reading this article, since Digital Trends’ servers are probably not in the same state (or country) where you live. In other words, using the Internet is, almost by definition, “interstate or foreign communication” with a computer.

“Protected computer”

A “protected computer” under the CFAA is any computer that is connected to a government network, or is used for “interstate or foreign commerce or communication.” So if the computer is connected to the Internet, it is “protected.”

To read the full text of CFAA click here.

How CFAA applies to Terms of Service

Okay, so now that we’ve sifted through the most troubling parts of the CFAA, let’s look at how this applies to websites’ Terms of Service.

Every website you go to, every social network you’ve joined, every Internet-connected service you use has a Terms of Services that you had to agree to before using it. Even your Internet service provider has a Terms of Service. And chances are you didn’t read any of them.

Having read through quite a few myself, however, I know that many of them include a big list of rules – things you can’t do, or ways in which you are expected to conduct yourself. For example, most websites – including behemoths like Google – prohibit access by people under the age of 13. On Facebook, users are barred from using pseudonyms, or doing anything “misleading.” Many websites prohibit the posting of sexually suggestive content, or “harassing” anyone.

If a prosecutor so chooses, she can use the CFAA to argue that anyone who violates a Terms of Service is committing a felony. That means every 12-year-old who uses Google Search (or Facebook, for that matter) could technically be targeted under CFAA.

Case in point

This argument was made most famously in United States v. Drew – a case you’ve probably heard of even if it doesn’t ring a bell. In this case, defendant Lori Drew was accused of violating the CFAA when she made a fake MySpace profile, and used it to torment one of her teenage daughter’s enemies. The girl Drew was bullying, 13-year-old Megan Meir, eventually, tragically, took her own life. Prosecutors argued that Drew’s MySpace communications led to her suicide. Drew was later convicted of a misdemeanor violation of the CFAA.

A judge eventually vacated Drew’s conviction, arguing that it was inappropriate to interpret the CFAA. “But other criminal defendants haven’t been so lucky,” writes Marcia Hofmann, staff attorney for the Electronic Frontier Foundation. Hofmann points to AT&T “iPad hacker” Andrew Auernheimer, who was recently convicted under the CFAA for his role in downloading more than 120,000 email addresses of iPad users that AT&T had left unsecured on its network. (He plans to appeal the conviction.)

“It’s possible that Auernheimer’s unsympathetic reputation as an Internet troll played a role in the government’s decision to indict him,” writes Hofmann. “And the CFAA’s vague and over-broad language gave the jury an excuse to punish someone who didn’t carry out anything remotely resembling a serious computer intrusion, even though that’s the concern that caused Congress to criminalize ‘unauthorized’ access in the first place.”

Will you go to jail for violating a Terms of Service?

Not likely. History shows us that you really have to do more than just use a fake name on Facebook to have the feds pounding down your door.That said, the cases against Swartz, Drew, Auernheimer, and many others proves that you could be targeted, if the federal government views you as a threat. And being able to use CFAA to take down undesirables is a power the U.S. Department of Justice desperately wants to have (PDF).

Relief on the horizon

The death of Swartz has spurred Washington politicians into tackling the absurdity that is the CFAA. Earlier this week, Rep. Zoe Lofgren (D-CA) announced plans to introduce a bill (PDF) that would change the CFAA to explicitly decriminalize Terms of Service violations. But until that bill is signed into law – and there’s no good reason at this point to believe it will – I’d make sure to give those Terms of Service a read before you click “agree.”

Andrew Couts
Andrew Couts
Former Digital Trends Contributor
Features Editor for Digital Trends, Andrew Couts covers a wide swath of consumer technology topics, with particular focus on…
How to pin a website to the taskbar in Windows
A man sits, using a laptop running the Windows 11 operating system.

Windows includes many interesting tools, but if you’re like many people, more and more of your digital life is happening in your web browser and nowhere else. That being the case, you’ll want to keep your most important websites close at hand. The easiest way to access them in Windows is the Start menu and the taskbar, treating them more or less like programs in and of themselves.

Although easy overall, getting a website from your browser to your taskbar is slightly different depending on which browser you’re using.

Read more
Amazon’s Big Spring sale: Save on TVs, laptops, appliances, and more
Amazon Big Spring sale promo image

Deal hunter or not, you'll be pleased to know that Amazon's Big Spring sale is officially underway. It's your opportunity to save on a slew of buzzworthy deals, including TVs, laptops, appliances, various electronics, and much more. It shows that you don't always have to wait for Amazon's Prime Day to capitalize on fantastic discounts. If you've been holding off on buying something, hoping for a great deal, now's the time to pull the trigger. Because the sale is so massive, we've gathered a few of our top picks below. However, we still recommend browsing the sale to see what you can find.

 
What to shop in the Amazon Big Spring sale
For starters, if you want a new tablet, Samsung, Lenovo, and Google during the sale. The Galaxy Tab A9+ is available for 19% to 23% off. Meanwhile, Google's Pixel Tablet is 19% to 25% off, depending on the model. Samsung's , and its gaming monitor is down to $140, usually $190. Or, the beautiful and much larger curved gaming monitor is $700, normally $1,300.

Read more
How to create a Subreddit on desktop and mobile
Laptop Working from Home

Few social media sites are as popular as Reddit. Regardless of what you're interested in, there's probably a thriving community for you to interact with on the platform. Known as subreddits, these communities are home to topics like gaming, world news, science, movies, and more. If you can't find a subreddit with your particular interest, Reddit makes it easy to create your own Reddit community.

Running a successful Reddit community isn't easy – but the process of starting one only takes a few minutes. Keep in mind that you'll want to keep a close eye on your subreddit to prevent it from being shut down or turning into a wasteland with no users, but running a subreddit can be a lot of fun when done properly. If you prefer, you can also create a private community that only your friends can join, giving you a place to hang out beyond Twitter and TikTok.

Read more