Should Faking a Name on Facebook Be a Felony?

Congress contemplates draconian punishment for Internet lies


By ORIN S. KERR

Imagine that President Obama could order the arrest of anyone who broke a promise on the Internet. So you could be jailed for lying about your age or weight on an Internet dating site. Or you could be sent to federal prison if your boss told you to work but you used the company's computer to check sports scores online. Imagine that Eric Holder's Justice Department urged Congress to raise penalties for violations, making them felonies allowing three years in jail for each broken promise. Fanciful, right?

Think again. Congress is now poised to grant the Obama administration's wishes in the name of "cybersecurity."

The little-known law at issue is called the Computer Fraud and Abuse Act. It was enacted in 1986 to punish computer hacking. But Congress has broadened the law every few years, and today it extends far beyond hacking. The law now criminalizes computer use that "exceeds authorized access" to any computer. Today that violation is a misdemeanor, but the Senate Judiciary Committee is set to meet this morning to vote on making it a felony.

The problem is that a lot of routine computer use can exceed "authorized access." Courts are still struggling to interpret this language. But the Justice Department believes that it applies incredibly broadly to include "terms of use" violations and breaches of workplace computer-use policies.

Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer? If interpreted this way, the law gives computer owners the power to criminalize any computer use they don't like. Imagine the Democratic Party setting up a public website and announcing that no Republicans can visit. Every Republican who checked out the site could be a criminal for exceeding authorized access.

If that sounds far-fetched, consider a few recent cases. In 2009, the Justice Department prosecuted a woman for violating the "terms of service" of the social networking site MySpace.com. The woman had been part of a group that set up a MySpace profile using a fake picture. The feds charged her with conspiracy to violate the Computer Fraud and Abuse Act. Prosecutors say the woman exceeded authorized access because MySpace required all profile information to be truthful. But people routinely misstate the truth in online profiles, about everything from their age to their name. What happens when each instance is a felony?

In 2010, the Justice Department charged a defendant with unauthorized access for using a computer to buy tickets from Ticketmaster. Ticketmaster's website lets anyone visit. But its "terms of use" only permitted non-automated purchases, and the defendant used a computer script to make the purchases.

In another case, Justice has charged a defendant with violating workplace policies that limited use to legitimate company business. Prosecutors claimed that using the company's computers for other reasons exceeded authorized access. The Ninth Circuit Court of Appeals recently agreed.

The law even goes beyond criminal law. It allows civil suits filed by private parties. As a result, federal courts have been flooded with silly disputes. In one recent case, an employer sued a former employee for excessive Internet usage from work. The alleged offense: visiting Facebook and sending personal emails. In another case, a company posted "terms of use" on its website declaring that no competitors could visit—and then promptly sued a competitor that did.

Remarkably, the law doesn't even require devices to be connected to the Internet. Since 2008, it applies to pretty much everything with a microchip. So if you're visiting a friend and you use his coffeemaker without permission, watch out: You may have committed a federal crime.

Until now, the critical limit on the government's power has been that federal prosecutors rarely charge misdemeanors. They prefer to bring more serious felony charges. That's why the administration's proposal is so dangerous. If exceeding authorized access becomes a felony, prosecutors will become eager to charge it. Abuses are inevitable.

Real threats to cybersecurity must be prosecuted. Penalties should be stiff. But Congress must narrow the Computer Fraud and Abuse Act before enhancing its penalties. There's no reason to make breaching a promise a federal case, and certainly not a felony crime.

Mr. Kerr, a former federal prosecutor, is professor of law at George Washington University School of Law.


Comments

Popular posts from this blog

Report: World’s 1st remote brain surgery via 5G network performed in China

Visualizing The Power Of The World's Supercomputers

BMW traps alleged thief by remotely locking him in car