EFF, Orin Kerr Ask The Supreme Court To Prevent Turning The CFAA Into A Convenient Way To Punish Site Users, Security Researchers
from the another-way-to-break-the-internet dept
As we reported here earlier, the Supreme Court is examining a CFAA case that could have far-reaching implications for… well, just about anyone who uses any online service, website, platform, or device. The case deals with a cop who abused his access privileges to run unapproved searches of government databases in exchange for cash. Obviously, this is far from an ideal case to argue against overbroad readings of an overbroad law. But, given the abuses perpetrated under this law, non-ideal cases will have to do if we don’t want to be turned into criminals by generous judicial interpretations of the phrase “unauthorized access.”
Plenty of people and entities are lobbing briefs in the Supreme Court’s direction, begging it to avoid criminalizing activities honest Americans participate in every day. It’s not just about security research. But it definitely does affect researchers — both those engaging in normal security research efforts, and those ignoring websites’ terms of service in attempts to determine whether sites engage in biased practices.
The EFF’s brief [PDF] focuses mainly on the negative effects on researchers — security and otherwise. It points out security researchers are often threatened with CFAA prosecutions/lawsuits just because entities engaging in lax security practices don’t like having their lapses noticed, much less pointed out publicly. These researchers perform a valuable public service.
Decades of experience have shown that independent auditing and testing of computers by members of the security research community—often in a manner unanticipated and even disapproved by the computers’ owners—is particularly effective at discovering serious vulnerabilities in widely used software and devices.
But far too often they’re punished for providing this service.
In 2008, the Massachusetts Bay Transit Authority (“MBTA”) invoked the CFAA to try to enjoin two independent security researchers from presenting truthful information about vulnerabilities in the MBTA’s fare collection system at a security conference. And in United States v. McDanel, the government brought criminal CFAA charges against a defendant who discovered a security vulnerability, alerted the company, and then, when the company refused to fix the problem, alerted the company’s customers…
If arguments about security researchers are too esoteric, perhaps Orin Kerr’s arguments [PDF] will hit closer to home. According to the Eleventh Circuit’s interpretation of the CFAA, Kerr himself is a criminal.
Like the majority of American adults, I have a Facebook account. Facebook’s terms of service require its users to “[p]rovide accurate information about” themselves. See Facebook Terms of Service, https://www.facebook.com/legal/terms/plain_text_ terms (last visited July 1, 2020). I recently violated that term by listing my home city as Sealand. Sealand is an offshore platform in the North Sea near England built during World War II to host anti-aircraft guns. It’s not actually my home city. I list it only to make a point about the CFAA. But under the government’s position, my joke is no laughing matter. It is a federal crime.
Interpreting the CFAA this way makes every website owner a jokester and every website user the punchline. If you think the thousands of federal laws are arbitrary, just wait until you run into the whims of the thousands of people running sites and platforms.
Part of the problem is that written restrictions placed on computers can be entirely arbitrary. These days, anyone can run a website. Anyone can buy a computer for another person to use. And the computer owners or operators can impose whatever restrictions they want. Their limits don’t need to serve an important interest. They don’t even need to make sense.
Kerr cites the Lori Drew case as a real world example of how the law can be abused by federal prosecutors. Back in 2006, a teen girl committed suicide after being duped into an online relationship with a nonexistent 16-year-old male.
The Drew prosecution started with a terrible tragedy in a suburb of St. Louis, Missouri. In October 2006, a 13-year-old girl named Megan Meier committed suicide. Meier had regularly used the social media networking site MySpace, a then-popular forerunner to today’s Facebook. In the weeks before her death, Meier had communicated with a MySpace profile of what appeared to be a handsome 16-year-old boy named Josh Evans. The Evans account had befriended Meier, and Evans expressed his admiration and affection for Meier.
But the online friendship soured. In messages sent soon before Meier committed suicide, Evans had abruptly ended the relationship. According to one witness, the last message Evans had sent to Meier had said, “You’re a shitty person, and the world would be a better place without you in it.” Lauren Collins, The Friend Game, The New Yorker, Jan. 14, 2008.
An investigation into Meier’s suicide revealed that Josh Evans did not exist. The account was fake. It had been created by a group that knew Meier and used it to learn what Meier was saying about her friend Sarah Drew. The senior member of the group was Sarah’s mother, Lori Drew. Other participants included Ashley Grills, an 18-year-old employee of Mrs. Drew who actually devised the idea and used the account, and Sarah Drew herself.
This was abhorrent behavior by a bunch of adults who discovered the internet provided an avenue for the complete destruction of a person’s life. But was it a criminal act? Local prosecutors said being an asshole isn’t a crime, no matter how much we’d like it to be.
Despite intense public demand to punish Drew, Missouri state prosecutors declined to file charges. A law enforcement spokesperson explained that decision straightforwardly: Drew’s conduct “might’ve been rude, it might’ve been immature, but it wasn’t illegal.”
With Drew facing intense criticism for her actions, the federal government stepped in with the CFAA in hand to engage in a prosecution for the clicks.
The terms of service gave prosecutors a hook. Because Josh Evans did not exist, using the account violated MySpace’s terms of service. According to prosecutors, this rendered every use of the Evans account an unauthorized access in violation of 18 U.S.C. § 1030(a)(2). And because MySpace’s computer servers were in Los Angeles County, federal prosecutors could bring charges in California even though everyone involved was in Missouri.
Ultimately, Drew was only convicted of misdemeanors. But the feds did such a good job convincing everyone she had broken the law that jury members expressed disappointment in their own verdict.
This — along with Kerr’s example about lying to Facebook about his personal info — is the reality facing everyone if the Supreme Court decides the Eleventh Circuit is right about this and every other circuit that disagrees with it is wrong. It won’t just be the Lori Drews of the world at the mercy of federal prosecutors. It will be everyone who ignores certain parts of terms of service agreements or engages with sites in ways the owners’ did not anticipate or explicitly approve.