DOJ: Lying on Match.com needs to be a crime

CNET News | November 14, 2011
By Declan McCullagh

The U.S. Department of Justice is defending computer hacking laws that make it a crime to use a fake name on Facebook or lie about your weight in an online dating profile at a site like Match.com.

In a statement obtained by CNET that's scheduled to be delivered tomorrow, the Justice Department argues that it must be able to prosecute violations of Web sites' often-ignored, always-unintelligible "terms of service" policies.

The law must allow "prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider," Richard Downing, the Justice Department's deputy computer crime chief, will tell the U.S. Congress tomorrow.

Scaling back that law "would make it difficult or impossible to deter and address serious insider threats through prosecution," and jeopardize prosecutions involving identity theft, misuse of government databases, and privacy invasions, according to Downing.

The law in question, the Computer Fraud and Abuse Act, has been used by the Justice Department to prosecute a woman, Lori Drew, who used a fake MySpace account to verbally attack a 13-year old girl who then committed suicide. Because MySpace's terms of service prohibit impersonation, Drew was convicted of violating the CFAA. Her conviction was later thrown out.

What makes this possible is a section of the CFAA that was never intended to be used that way: a general-purpose prohibition on any computer-based act that "exceeds authorized access." To the Justice Department, this means that a Web site's terms of service define what's "authorized" or not, and ignoring them can turn you into a felon.

On the other hand, because millions of Americans likely violate terms of service agreements every day, you'd have a lot of company.

A letter (PDF) sent to the Senate in August by a left-right coalition including the ACLU, Americans for Tax Reform, the Electronic Frontier Foundation, and FreedomWorks warns of precisely that. "If a person assumes a fictitious identity at a party, there is no federal crime," the letter says. "Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. This is a gross misuse of the law."

Orin Kerr, a former Justice Department computer crime prosecutor who's now a professor of law at George Washington University, says the government's arguments are weak.

Kerr, who is also testifying tomorrow before a House Judiciary subcommittee, told CNET today that:

The Justice Department claims to have an interest in enforcing Terms of Use and computer use policies under the CFAA, but its examples mostly consist of cases in which the conduct described has already been criminalized by statutes other than the CFAA. Further, my proposed statutory fix (see the second proposal in my testimony) would preserve the government's ability to prosecute the remaining cases DOJ mentions while not raising the civil liberties problems of the current statute.
Kerr's testimony gives other examples of terms of service violations that would become criminal. Google says you can't use its services if "you are not of legal age to form a binding contract," which implies that millions of teenagers would be unindicted criminals. Match.com, meanwhile, says you can't lie about your age, criminalizing the profile of anyone not a model of probity.

"I do not see any serious argument why such conduct should be criminal," Kerr says.

The Justice Department disagrees. In fact, as part of a broader push to rewrite cybersecurity laws, the White House has proposed (PDF) broadening, not limiting, CFAA's reach.

Stewart Baker, an attorney at Steptoe and Johnson who was previously a Homeland Security assistant secretary and general counsel at the National Security Agency, has suggested that the administration's proposals to expand CFAA are Draconian. Uploading copyrighted YouTube videos twice "becomes a pattern of racketeering," with even more severe criminal penalties, "at least if Justice gets its way," Baker wrote.

In a kind of pre-emptive attack against Kerr's proposed fixes, the Justice Department's Downing says the CFAA properly criminalizes "improper" online activities.

"Businesses should have confidence that they can allow customers to access certain information on the business's servers, such as information about their own orders and customer information, but that customers who intentionally exceed those limitations and obtain access to the business's proprietary information and the information of other customers can be prosecuted," Downing's prepared remarks say.