by Mike Masnick
Wed, May 1st 2013 3:47pm
by Mike Masnick
Wed, May 1st 2013 9:29am
Craigslist's Abuse Of Copyright And The CFAA To Attack Websites That Make Craigslist Better Is A Disgrace
from the please-stop-this-craig dept
In response, Craigslist sued them both (and another site that was using 3taps as well) making some highly questionable claims about how this was both copyright infringement and a CFAA violation because it violated its terms of service. The copyright claim seemed particularly bizarre, because Craigslist appeared to be claiming copyright on posts made by others, something that was obviously ridiculous. Making things even more farcical, Craigslist then tried to cover this up with a click through notice on the site telling visitors that when you post on Craigslist you're granting an exclusive license to Craigslist -- meaning you're effectively giving it control over your copyright. After that raised significant backlash, including from the NY Times, Craigslist backed down on that one point.
But the lawsuit itself has continued and the judge recently ruled on the motions to dismiss the lawsuit from 3taps and Padmapper. The ruling is a mixed bag, but mostly bad. First we'll start with the tiny "good" part, though: the court did dismiss the general copyright claims Craigslist was making over everyone's posts on its site (outside that time period discussed above where Craigslist said it wanted an exclusive license).
The meaning of the phrase “You also expressly grant and assign to [Craigslist] all rights” was the subject of some debate at the hearing on these motions, but the “all rights” language relates specifically to enforcement rights–not rights to the content of the posts. The language assigning rights to the content did not use the phrase “all rights,” and did not specify that the rights granted were “exclusive.” Craigslist provides no authority for the proposition that an ambiguous grant of rights is presumptively exclusive, and the Court declines to read that term into the terms that Craigslist itself drafted.
Basically, it says that Craigslist's regular terms of service didn't grant Craigslist an exclusive license, which is necessary for a lawsuit over the copyrights.
But, in the long run, that's a small victory. The court does say that Craigslist has a copyright in the "compilation," claiming that adding geographic information is somehow creative.
Craigslist has alleged that its “classified ad service is organized first by geographic area, and then by category of product or service,” with these categories organized in “a list designed and presented by craigslist.”... Construing the relevant allegations in Craigslist’s favor at this early stage in the proceedings, the Court concludes that Craigslist, in “deciding which categories to include and under what name,” ... “display[ed] some minimal level of creativity,”
Ick. I have trouble seeing how that kind of activity rises to the level of creativity protected by copyright, so hopefully later in the process the court will reject this concept. Now, the next bad part of the ruling: the court says that Craigslist does actually have a valid copyright in the posts for those few short weeks when it had that clickthrough "reminding" people that it had the exclusive right. I still don't see how this is possible, since an exclusive license is supposed to require a written confirmation, not clicking through on an oddly worded "reminder." But, the court twisted some things around to say this is okay. I've read this over a few times and it still doesn't make any sense.
Clicking “Continue” confirms that craigslist is the exclusive licensee of this content, with the exclusive right to enforce copyrights against anyone copying, republishing, distributing or preparing derivative works without its consent.
That certainly sounds like a reminder of an existing situation and not an official agreement to transfer rights. But the court seems to think people will realize that clicking that single button is giving up entirely the rights to their own copyrights to Craigslist. That seems ripe for revisiting...
The impact of this -- even if it only applies to posts from July 16, 2012 through August 8, 2012 -- could be huge. As the EFF notes this could create serious problems:
So, if you posted a craigslist ad while this provision was live, you're out of luck. craigslist's ownership claims over user posts could potentially mean that the affected users can’t republish their ads on multiple services without risking a claim of infringement. And while not every craigslist post is going to go viral and have real value outside the original context (like the “Jesus Tap-Dancing Christ” car ad), users still need the right to post and repost their material in a variety of venues. Moreover, the exclusive license provision calls into question craigslist’s compatibility with common licensing schemes, like the Creative Commons ShareAlike license or the GNU Free Documentation License for the time that provision was valid. And, worse still: craigslist’s actions, and the court's ruling, only increases the chance that other websites will start demanding ownership of the content you post there.
So, a tiny bit of good, but a lot bad on the copyright front.
On the CFAA front... it's the same basic story. The court rejects the idea that merely accessing the website is a CFAA violation (thanks to the Nosal ruling). It rejects Craigslist's claims that it was blocking access, rather than uses (which is the core of the Nosal ruling), noting correctly that within Craigslist's terms, all of the restrictions are about uses.
Aside from the TOU, however, Craigslist specifically denied authorization to use the website “for any purposes” in its cease and desist letters, Kao Decl. Ex. A, and also used technological measures to block access from IP addresses associated with 3Taps, which Craigslist alleges that 3Taps bypassed by using different IP addresses and proxy servers to conceal its identity. Assuming that the CFAA encompasses information generally available to the public such as Craigslist’s website, Defendants’ continued use of Craigslist after the clear statements regarding authorization in the cease and desist letters and the technological measures to block them constitutes unauthorized access under the statute.
The EFF points out how ridiculous both of these claims are. On the cease and desist:
Cease and Desist Letters Should Not Make Access to a Website Criminal
The CFAA is both a civil and a criminal statute. This is a civil case, but has criminal ramifications. While the court looked at the earlier Facebook v. Power Ventures case, it misread a key holding. There, the court recognized that imposing criminal liability based on the “receipt of a cease and desist letter would create a constitutionally untenable situation.” This would put too much power in the hands of private parties to decide what a crime would be.
And on the IP address change, EFF points out how changing IP addresses is a common thing that happens all the time:
Changing IP Addresses Is Not Hacking
The court’s ruling on IP address blocking is dangerous because it could criminalize innocent behavior.
[....] There is nothing inherently improper, never mind unlawful, about switching IP addresses and thereby avoiding IP address blocking. Moreover, when a website is available without restriction to the public, a private party should not be able to turn access into a crime to back up owner preferences or terms of service with the weight of criminal authority.
Given all that, there are very serious problems with this ruling, and the fact that Craigslist is driving such dangerous precedents is quite upsetting for a company that has been so involved and so at the forefront of helping fight back against such abuses of the law. Over at Freedom to Tinker, Steve Schultze asks Craigslist to dismiss the case with prejudice, and I second that call.
If Craig Newmark and Craigslist move forward with this lawsuit, which has the possibility of creating very dangerous precedents concerning both copyright law and the CFAA, it will do tremendous harm to Craigslist's reputation and standing in the wider internet community. As Schultze notes, moving forward at this point, given the details in the latest ruling, will just make Craig look petty and vindictive. I know Craig and he's anything but vindictive and petty. Destroying his reputation and acting out just because a couple of sites tried to make Craigslist more useful? It just doesn't make any sense at all. Hopefully Craig will realize this as well, and will call off his legal attack dogs, and think twice about future lawsuits of this nature.
by Mike Masnick
Fri, Apr 12th 2013 3:42am
from the bad-news dept
This is silly. The tech companies are refusing to fix a very dangerous and broad law, because of a very specific circumstance that can be dealt with via other existing laws. Also, it's going against basic common sense and the views of many of these companies' own engineers. When companies are so focused on protecting one weapon that they're willing to allow such bad laws to stay, those are companies who are showing that they're not focused on innovation but on litigation and protectionist views.
Similarly troubling is the news that TechNet, an organization representing a bunch of tech companies, has sent a letter to the House Intelligence Committee supporting the post-markup version of CISPA. This isn't a huge surprise. TechNet had already been listed as a supporter of CISPA, and the bill's sponsors in Congress had worked overtime (or, rather, had their staffs work overtime) seeking to appease the tech industry on the mistaken belief that the fight against SOPA was really led by the tech industry, rather than an angry public. The public isn't quite as angry about CISPA, since the threats of CISPA aren't quite as immediately obvious to everyday people, but winning over the tech companies by giving them immunity should they violate their users' privacy is a bad long term strategy.
Yes, tech companies were a part of the coalition who fought against SOPA, but part of that was because those tech companies were focused on what was best for their users. Choosing to go against those same users when it comes to their own privacy is going to backfire eventually. Some people think that it was the tech companies who drove the fight against SOPA, when the reality was that it was the internet users, who pulled the tech companies into the fight. Not listening to their users would be a big mistake, as a vocal internet turning against these companies isn't a good sign for their future.
On that note, Reddit founder Alexis Ohanian has kicked off a campaign looking to shame Google, Facebook and Twitter into coming out against CISPA. Hopefully, he'll do something similar around CFAA reform as well. Having tech companies come down on the wrong side of these two laws is a bad long term strategy for the tech industry.
by Mike Masnick
Tue, Apr 9th 2013 11:01am
from the another-day,-another-example dept
Let's jump over to Twitter's terms of service. There, they clearly forbid impersonation:
Impersonation: You may not impersonate others through the Twitter service in a manner that does or is intended to mislead, confuse, or deceive others
Now, you could argue that Colbert registering an account for Clinton without his permission does not reach that level, but are you confident that someone else doing the same thing less publicly wouldn't run into problems if their tweets pissed someone off? An account that many people believe actually belongs to Bill Clinton would be highly valuable. Indeed, just overnight the account has racked up tens of thousands of followers. In the meantime, it's not even entirely clear who actually controls the account. Colbert registered it and tweeted from it. Are any future tweets coming from Colbert or Clinton or someone else? It's not difficult to make an argument that the account is intended to confuse others. Furthermore, if Colbert is transferring the account over to Clinton, it means that Clinton never actually agreed to the terms of service in the first place. Would that mean he is then abusing the use of the service?
While they appear to now have been deleted, according to the Washington Post, after the inaugural post done live on the air, there were a series of other tweets in which it was not clear if it was Clinton or Colbert tweeting. One had "Clinton" refer to "Colbert" as his new "BFF" and the tweets used the hashtag "#notColbertpretendingtobeme." At the very least, there is clear confusion, and a regular person might assume that this is Bill Clinton tweeting. If it's actually Colbert, it could be seen as a CFAA violation.
Yes, this is a stretch -- no doubt about it. But that's part of the problem with the CFAA. It is so broadly worded that simple activities like these can be twisted into a violation should someone in power wish to do so.
by Mike Masnick
Mon, Apr 8th 2013 8:02pm
from the don't-make-it-worse dept
The Computer Fraud and Abuse Act is the law under which Aaron Swartz and other innovators and activists have been threatened with decades in prison. The CFAA is so broad that law enforcement says it criminalizes all sorts of mundane Internet use: Potentially even breaking a website's fine print terms of service agreement. Don't set up a Myspace page for your cat. Don't fudge your height on a dating site. Don't share your Facebook password with anybody: You could be committing a federal crime. (Read more here.)
It's the vagueness and over breadth of this law that allows prosecutors to go after people like Aaron Swartz, who tragically committed suicide earlier this year. The government threatened to jail him for decades for downloading academic articles from the website JSTOR.
Since Aaron's death, activists have cried out for reform of the CFAA. But members of the House Judiciary Committee are actually floating a proposal to expand and strengthen it -- that could come up for a vote as soon as April 10th! (Read more here.)
Thankfully, we've heard that the public outcry over the bad CFAA reform proposal probably (though not definitely) means that it won't be scheduled for a markup this week (as originally intended). However, that doesn't mean it's not still a major risk. There remains strong support from law enforcement folks and the Justice Department in particular for this kind of CFAA reform (the kind that makes it even broader). And, tragically, many in Congress just don't think that the public cares enough to support a bill in the other direction. Hopefully enough people speak up and let them know that this is unacceptable. A law that criminalizes breaking terms of service is not a law worth having on the books.
by Mike Masnick
Mon, Apr 8th 2013 10:53am
In Which NY Times Reporter Jenna Wortham Accidentally Reveals How She Violated Both The CFAA & The DMCA
from the all-in-one dept
One of the key issues that critics of both laws have pointed out, repeatedly, is how they criminalize things that most people don't really think are bad or illegal. That is, they often criminalize someone (or at least make them open to huge civil awards) for the types of things plenty of people do everyday without thinking twice about it.
Given all that, it's interesting to see a NY Times reporter, Jenna Wortham, more or less admit publicly to willfully breaking both laws in an article she wrote about the rising number of people, including herself, who use other people's logins for various streaming content services. In Wortham's case, she logs in to the HBO Go internet service via a login obtained from some guy she met at a restaurant.
LAST Sunday afternoon, some friends and I were hanging out in a local bar, talking about what we’d be doing that evening. It turned out that we all had the same plan: to watch the season premiere of “Game of Thrones.” But only one person in our group had a cable television subscription to HBO, where it is shown. The rest of us had a crafty workaround.
We were each going to use HBO Go, the network’s video Web site, to stream the show online — but not our own accounts. To gain access, one friend planned to use the login of the father of a childhood friend. Another would use his mother’s account. I had the information of a guy in New Jersey that I had once met in a Mexican restaurant.
That's a violation of the anti-circumvention clause of the DMCA, as she is circumventing a technical protection measure that is designed to keep her from watching the show without paying. It's a violation of the CFAA because it means that she is knowingly accessing a protected computer without authorization (or, at least, exceeding authorized access). There may be some questions about whether or not the data she obtained exceeds $5,000 in value, but it wouldn't be that hard for an inspired US Attorney to come up with some way to count it as such. After all, they made that claim with Aaron Swartz and all he was downloading was academic papers that have little or no actual commercial value. Wortham is admitting to streaming some of the most popular (and expensive to produce) content out there.
No, no one thinks that anyone is likely to actually go after Wortham, but this story highlights why both of those laws are highly problematic and are in serious need of immediate reform. Just the fact that Wortham could find herself on the receiving end of lawsuits (both criminal and civil) over both of those laws (and considering her public admission to the key facts, she might have a difficult time pleading innocence) shows why those laws desperately need to be fixed. A quick look through Wortham's writings this year suggests that she has not written about either of these issues. While it may not directly be considered her "beat," the fact that this latest article leads to inadvertent admissions to breaking two laws -- one of which can result in $150,000 in statutory damages and the other a felony charge and potential jail time -- suggests that perhaps it should be something worth covering.
All that said, her article is actually pretty interesting, and worth reading. While it starts out talking about how people are sharing their accounts, it also notes that many of these services are really falling down on enabling easier community and sharing features among friends or the wider community of people who like the same content. I agree with all of that, though I don't think people should face penalties for breaking these two incredibly obsolete laws to explore the topic.
by Mike Masnick
Fri, Apr 5th 2013 7:54am
from the reform-the-cfaa-now dept
The EFF has pointed out just how ridiculous it is to argue that violating a terms of service is a potential felony, noting how that even makes children who read online news sites potential felons for violating terms of service. This is, in part, due to another bad law that we've spoken about, the Children's Online Privacy Protection Act, or COPPA. The issue here is that online sites have stricter rules if they're seen as targeting children under the age of 13. To avoid this potential liability, many websites simply inserted a clause into their terms of service saying that you can only read the site if you're over 13 (some sites say 18 and others say between 13 and 18 need a parent's approval). While this is somewhat lazy lawyering on the part of those sites (to ban outright), those are their terms of service. And violating such terms violates the CFAA under the DOJ's interpretation.
The EFF notes that such age exclusion provisions are pretty common, and sites like the NY Times and NBC News bar children under 13 entirely.
This means that inquisitive 12-year-olds who visit NBCNews.com to learn about current events would be, by default, misrepresenting their ages. Again, this could be criminal under the DOJ's interpretation of the CFAA.
We’d like to say that we’re being facetious, but, unfortunately, the Justice Department has already demonstrated its willingness to pursue CFAA to absurd extremes. Luckily, the Ninth Circuit rejected the government’s arguments, concluding that, under such a ruling, millions of unsuspecting citizens would suddenly find themselves on the wrong side of the law. As Judge Alex Kozinski so aptly wrote: "Under the government’s proposed interpretation of the CFAA...describing yourself as 'tall, dark and handsome,' when you’re actually short and homely, will earn you a handsome orange jumpsuit."
And it’s no excuse to say that the vast majority of these cases will never be prosecuted. As the Ninth Circuit explained, “Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.” Instead of pursuing only suspects of actual crimes, it opens the door for prosecutors to go after people because the government doesn’t like them.
Unfortunately, there’s no sign the Justice Department has given up on this interpretation outside the Ninth and Fourth Circuits, which is why Professor Tim Wu in the New Yorker recently called the CFAA “the most outrageous criminal law you’ve never heard of.”
Then the Atlantic Wire helpfully jumped in and highlighted many other publications and their online terms of service, showing that young readers of many of today's most popular news sites are potentially breaking the law every time they do so under the DOJ's clearly stated position on the CFAA.
The EFF followed it up by pointing out that, until just recently, if you were a 17-year-old girl (or younger!) reading the magazine Seventeen online, you were almost certainly breaking the law under the DOJ's interpretation of the CFAA, since its terms restricted visitors to those 18 and older.
Rather than "trusting" the DOJ not to abuse this kind of thing, wouldn't we all be better off fixing it?
by Mike Masnick
Fri, Mar 29th 2013 7:47am
from the take-a-stand dept
Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked...
He goes on to point out that there have been massive unintended consequences of trying to apply an offline concept to a very different online world, and to also note that other existing laws can already handle many, if not potentially all, of the scenarios that people normally fear concerning malicious computer hacking.
Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.
And thus, his recommendation is basically to gut the CFAA almost entirely:
1) Repeal most provisions of the CFAA (that don't relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.
2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.
3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.
4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).
It's difficult to argue with these suggestions, which is probably why most of Congress will likely instead ignore them.
by Tim Cushing
Wed, Mar 27th 2013 2:41pm
from the and-hopefully,-head-off-further-damaging-CFAA-precedent dept
Andrew "Weev" Auernheimer is appealing his 41 month prison sentence (and its accompanying fine of $73,000). Many members of the security community have expressed concern with this ruling, especially in light of other CFAA cases. Auernheimer's exposure of AT&T's security hole doesn't really seem like the sort of thing that should be punished, at least not with multiple years in jail and a hefty fine. Then there's the unsettling feeling that the US prosecutors pushed hard for a prison sentence because they found Weev unlikable.
Fortunately for Weev (and others who have or will run afoul of the CFAA), Orin Kerr has stepped up to offer pro bono representation in Auernheimer's appeal (along with members of the EFF). Kerr, most recently spotted here going head-to-jackass with Rep. Gohmert over the legality of "destroying" a hacker's computer, has a very thorough post discussing his reasons for joining the fray. Basically, it boils down to this: nearly everything about the government's decision is wrong, which is problematic if this ruling is going to be used as precedent in future CFAA cases.
In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers’ International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an “unprotected website” that is “open to the public.” The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.
According to Kerr, undesirable access does not equal unauthorized access. The URLs were publicly available due to AT&T's own carelessness. What this actually looks like is the vindictive pursuit of an individual for publicly embarrassing the company. But it's not all on AT&T. The prosecutors themselves had to do a bit of creative sentencing to arrive at a "suitable" punishment for Weev's "hack."
Unauthorized access is ordinarily a misdemeanor. Why is this crime a felony? Here’s the government’s remarkable theory. All 50 states have state unauthorized access computer crime statutes similar to the federal unauthorized access statute. The government’s theory is that this overlap turns essentially all federal CFAA misdemeanors into federal felonies. They rely on 18 U.S.C. 1030(C)(2)(B)(ii), which states that a misdemeanor unauthorized access becomes a felony when it is “in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The government argues that the existence of state unauthorized access crimes transform unauthorized access misdemeanor crimes into felonies: The overlap means that every federal unauthorized access crime is a federal crime “in furtherance of” the analogous state crime.
As Kerr states, this is nothing more than disingenuous double-counting being done for no other reason than to make the charges carry some weight. A misdemeanor results in a slap on the wrist, something that would hardly make AT&T happy. This isn't Kerr's (or the government's) first experience with hacking-related double-counting.
Back in 2011, Sarah Palin's email account was hacked and the Justice Department attempted to charge the hacker under two overlapping laws: "hacking into a computer" and "hacking an email account." This was overturned on appeal by the Fourth Circuit court, stating that the Justice Department's attempt to double dip a single action violated US principles on double jeopardy. This situation is more of the same, only with a convenient overlap of federal and state laws allowing prosecutors to ratchet up the charges from a misdemeanor to a full-blown felony.
In addition to these problems, Kerr also finds some jurisdictional issues at play. Even though none of the principals are located in New Jersey, the charges were brought in that state. The rationale? Some of the email addresses belonged to New Jersey residents. This paper-thin justification for filing charges in a pretty much unrelated state gives the appearance of prosecutorial venue shopping.
The most ridiculous aspect of the case is Kerr's final reason for stepping in: the sentence.
The largest part of Auernheimer’s sentence was due to an alleged $73,000 in loss suffered by AT&T. Under the provisions of the Sentencing Guidelines associated with 18 U.S.C. 1030, sentences are based primarily on the amount of loss caused by the crime. More dollar loss to the victim means more time in prison for the defendant.
AT&T claims it incurred costs of $73,000 due to Auernheimer's actions. But it claimed no loss to its computers, it suffered no downtime and lost no data. The only assertion of loss comes via AT&T's efforts to notify customers of the data breach.
First, AT&T notified its customers by e-mail. That was free, leading to a “cost” so far of zero. But then AT&T decided to follow-up the e-mail notification with paper letter notification, and the postage and paper costs amounted to about $73,000.
That's right. Auernheimer has to repay AT&T for envelopes and stamps with $73,000 of his own money -- and 3-1/2 years of his life. As Kerr points out, AT&T cannot reasonably pin this notification expense on Auernheimer as these costs are not "directly attributable" to the defendant's access of its supposedly off-limits URLs. Furthermore, Kerr says these costs are not "reasonable," considering AT&T's electronic notice to its customers was largely successful. In essence, Weev is doing time because he raided AT&T's petty cash box by proxy. Hopefully, this appeal will overturn this misguided sentence and prevent the CFAA from becoming an even worse law, thanks to the precedent set by this decision.
by Mike Masnick
Wed, Mar 27th 2013 3:46am
from the why-would-they-do-this? dept
Now that the bill has been out a few days, various experts on the CFAA are scratching their heads about why the House Judiciary Committee is even bothering with this draft bill. As Orin Kerr notes, this seems to be a basic rehash of the DOJ's attempt 2 years ago to expand the CFAA. He suggests (and we agree) that the Judiciary Committee stop taking DOJ language from 2011 and start dealing in the present, and deal with the very real problems with the CFAA, and not just with a DOJ who wants more power.
They’re looking for feedback, so here is mine: Stop taking DOJ’s language from back in 2011 and packaging it as something new. Based on a quick read, it seems that the amendments for 1030 in the new draft are mostly copied from a bill that Senator Leahy offered (with substantial input from DOJ, as I understand it) back in November 2011. I criticized that language here. The new circulating draft also adopts the sentencing enhancements (minus mandatories) and the proposed 1030a that DOJ advocated in May 2011. I criticized that initial DOJ language here. (There’s also a breach notification provision in the new language, but I haven’t followed that issue closely; I don’t know if that proposal is also based on old language.)
[....] This language is really, really broad. If I read it correctly, the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions. It would make it a felony crime for anyone to violate the TOS on a government website. It would also make it a federal felony crime to violate TOS in the course of committing a very minor state misdemeanor. If there is a genuine argument for federal felony liability in these circumstances, I hope readers will enlighten me: I cannot understand what they are.
Of course, when we brought up similar examples in our original post, people said we were overreacting. Hmm. Meanwhile Paul Rosenzweig, the former Deputy Assistant Secretary for Policy at Homeland Security is similarly stumped by the direction of the reform.
My quick review and reaction to this bill is that it seems to answer most of what the Department of Justice wants with very little for the internet online community in return. Most notably the bill would make violations of the CFAA predicate acts for a RICO criminal charge — what this means is that if you engage in just two instances of violating the CFAA, then you are engaged in a pattern of racketeering, with substantial criminal penalties and ... since the criminal definitions translate directly to civil liability ... a very significant possibility of a “bet the company” civil suit. Not a move designed to foster innovation, I think.
Hopefully, the House Judiciary Committee goes back to the drawing board on this, and takes a closer look at things like Aaron's Law, which is being developed to cut back on the excesses of the CFAA, rather than expand them.