EFF, Orin Kerr Ask The Supreme Court To Prevent Turning The CFAA Into A Convenient Way To Punish Site Users, Security Researchers

from the another-way-to-break-the-internet dept

As we reported here earlier, the Supreme Court is examining a CFAA case that could have far-reaching implications for… well, just about anyone who uses any online service, website, platform, or device. The case deals with a cop who abused his access privileges to run unapproved searches of government databases in exchange for cash. Obviously, this is far from an ideal case to argue against overbroad readings of an overbroad law. But, given the abuses perpetrated under this law, non-ideal cases will have to do if we don’t want to be turned into criminals by generous judicial interpretations of the phrase “unauthorized access.”

Plenty of people and entities are lobbing briefs in the Supreme Court’s direction, begging it to avoid criminalizing activities honest Americans participate in every day. It’s not just about security research. But it definitely does affect researchers — both those engaging in normal security research efforts, and those ignoring websites’ terms of service in attempts to determine whether sites engage in biased practices.

The EFF’s brief [PDF] focuses mainly on the negative effects on researchers — security and otherwise. It points out security researchers are often threatened with CFAA prosecutions/lawsuits just because entities engaging in lax security practices don’t like having their lapses noticed, much less pointed out publicly. These researchers perform a valuable public service.

Decades of experience have shown that independent auditing and testing of computers by members of the security research community—often in a manner unanticipated and even disapproved by the computers’ owners—is particularly effective at discovering serious vulnerabilities in widely used software and devices.

But far too often they’re punished for providing this service.

In 2008, the Massachusetts Bay Transit Authority (“MBTA”) invoked the CFAA to try to enjoin two independent security researchers from presenting truthful information about vulnerabilities in the MBTA’s fare collection system at a security conference. And in United States v. McDanel, the government brought criminal CFAA charges against a defendant who discovered a security vulnerability, alerted the company, and then, when the company refused to fix the problem, alerted the company’s customers…

If arguments about security researchers are too esoteric, perhaps Orin Kerr’s arguments [PDF] will hit closer to home. According to the Eleventh Circuit’s interpretation of the CFAA, Kerr himself is a criminal.

Like the majority of American adults, I have a Facebook account. Facebook’s terms of service require its users to “[p]rovide accurate information about” themselves. See Facebook Terms of Service, https://www.facebook.com/legal/terms/plain_text_ terms (last visited July 1, 2020). I recently violated that term by listing my home city as Sealand. Sealand is an offshore platform in the North Sea near England built during World War II to host anti-aircraft guns. It’s not actually my home city. I list it only to make a point about the CFAA. But under the government’s position, my joke is no laughing matter. It is a federal crime.

Interpreting the CFAA this way makes every website owner a jokester and every website user the punchline. If you think the thousands of federal laws are arbitrary, just wait until you run into the whims of the thousands of people running sites and platforms.

Part of the problem is that written restrictions placed on computers can be entirely arbitrary. These days, anyone can run a website. Anyone can buy a computer for another person to use. And the computer owners or operators can impose whatever restrictions they want. Their limits don’t need to serve an important interest. They don’t even need to make sense.

Kerr cites the Lori Drew case as a real world example of how the law can be abused by federal prosecutors. Back in 2006, a teen girl committed suicide after being duped into an online relationship with a nonexistent 16-year-old male.

The Drew prosecution started with a terrible tragedy in a suburb of St. Louis, Missouri. In October 2006, a 13-year-old girl named Megan Meier committed suicide. Meier had regularly used the social media networking site MySpace, a then-popular forerunner to today’s Facebook. In the weeks before her death, Meier had communicated with a MySpace profile of what appeared to be a handsome 16-year-old boy named Josh Evans. The Evans account had befriended Meier, and Evans expressed his admiration and affection for Meier.

But the online friendship soured. In messages sent soon before Meier committed suicide, Evans had abruptly ended the relationship. According to one witness, the last message Evans had sent to Meier had said, “You’re a shitty person, and the world would be a better place without you in it.” Lauren Collins, The Friend Game, The New Yorker, Jan. 14, 2008.

An investigation into Meier’s suicide revealed that Josh Evans did not exist. The account was fake. It had been created by a group that knew Meier and used it to learn what Meier was saying about her friend Sarah Drew. The senior member of the group was Sarah’s mother, Lori Drew. Other participants included Ashley Grills, an 18-year-old employee of Mrs. Drew who actually devised the idea and used the account, and Sarah Drew herself.

This was abhorrent behavior by a group, led by adults, who discovered the internet provided an avenue for the complete destruction of a person’s life. But was it a criminal act? Local prosecutors said being an asshole isn’t a crime, no matter how much we’d like it to be.

Despite intense public demand to punish Drew, Missouri state prosecutors declined to file charges. A law enforcement spokesperson explained that decision straightforwardly: Drew’s conduct “might’ve been rude, it might’ve been immature, but it wasn’t illegal.”

With Drew facing intense criticism for her actions, the federal government stepped in with the CFAA in hand to engage in a prosecution for the clicks.

The terms of service gave prosecutors a hook. Because Josh Evans did not exist, using the account violated MySpace’s terms of service. According to prosecutors, this rendered every use of the Evans account an unauthorized access in violation of 18 U.S.C. § 1030(a)(2). And because MySpace’s computer servers were in Los Angeles County, federal prosecutors could bring charges in California even though everyone involved was in Missouri.

Ultimately, the jury convicted Drew only of misdemeanors (convictions the trial judge later set aside, finding that reading the CFAA to criminalize terms-of-service violations rendered it unconstitutionally vague). But the feds did such a good job convincing everyone she had broken the law that jury members expressed disappointment in their own verdict.

This, along with Kerr’s example about lying to Facebook about his personal info, is the reality facing everyone if the Supreme Court decides the Eleventh Circuit is right about this and every other circuit that disagrees with it is wrong. It won’t just be the Lori Drews of the world at the mercy of federal prosecutors. It will be everyone who ignores certain parts of terms of service agreements or engages with sites in ways the owners did not anticipate or explicitly approve.

Comments on “EFF, Orin Kerr Ask The Supreme Court To Prevent Turning The CFAA Into A Convenient Way To Punish Site Users, Security Researchers”

Anonymous Coward says:

Even when this case has come up before, I have not understood the nuance where illegally using a government information system is similar enough to… all the bad uses and attempted uses of the CFAA.

The CFAA is awful and was born of sheer idiocy to begin with, but I am not seeing the relationship of the ruling in this particular case to all the problematic and bad applications of a bad CFAA more so than… well, all the other opportunities previously created to argue or file briefs. Why is this ruling, and not others, going to ratchet up the bad regarding normal internet behavior or research?

And yes, I am sure there are other laws under which this asshat could have been prosecuted, but prosecutors love glorious-sounding charges and charge-stacking.

R.H. (profile) says:

Re: Re:

The reason that this ruling would be especially bad is that none of the others reached the Supreme Court. If the Supreme Court rules that these abuses of the CFAA are allowed then that becomes the standard in the entire country overnight and we can expect this type of charge to pop up everywhere. As it currently stands, some judges see this type of charge for what it is, nonsense.

ECA (profile) says:

Video/DND/all game concept

If there is a BFG, then everyone will want it, or get it.
If there is a TRICK in game to take advantage, THEY WILL DO IT.
If there is a backdoor, anywhere in life, we will try it.
If the insurance corps, after all these years, would make the contracts EASIER to read and comprehend, we wouldn't take them.
If credit card corps lowered the rates for lower-paid workers, the workers would have incentive to pay them back, and not DUMP that 24% interest card.
