False Positives in the Legal System
By: Nick Chapman
Recently Lori Drew was charged with violating the Computer Fraud and Abuse Act for signing up for a MySpace account under a fake name. While the larger circumstances were quite shocking (and have been covered enough I don't think I need to go into them), she was charged for nothing more than pretending to be someone else on the Internet. The indictment calls this a felony, under title 130 section (a) (2) (c) of the US Code, which criminalizes anyone who "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer if the conduct involved an interstate or foreign communication." The access to MySpace was unauthorized because using a fake name violated the terms of service. The information from a "protected computer" was the profiles of other MySpace users.
If this is found to be a valid interpretation of the law, it's really quite frightening. If you violate the Terms of Service of a website, you can be charged with hacking. That's an astounding concept. Does this mean that everyone who uses Bugmenot could be prosecuted? Also, this isn't a minor crime; it's a felony punishable by up to 5 years imprisonment per count. In Drew's case she was charged with three counts for accessing MySpace on three different occasions.
This isn't the first time that there's been a controversial ruling based on these laws. Earlier this year David Ritz was fined over $50,000 in civil proceedings under a similar state statute in Sierra Corporate Design, Inc. v. David Ritz.
Ritz looked at DNS records in an attempt to get more information about a company he was allegedly spamming. He used a zone transfer to retrieve all of the records on the Plaintiff's DNS server. The judge found that "Ritz's behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law." The Plaintiff in the case argued that because a zone transfer was an obscure command, and because it was intended only for use by DNS administrators, it was unauthorized access, and that the information he obtained was not publicly available. This was found to be true even though the Plaintiff's DNS server would happily hand out that information to whoever asked. I personally, as well as many other security and network professionals, consider this a legitimate use of a publicly available service. It may not be in the best interest of the plaintiff to make this information public, but that doesn't mean that Ritz should incur legal liability for accessing (or using) it.
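The server in the Ritz case answered zone transfer requests from anyone. As an added example that is not part of the original post, here is the BIND 9 named.conf setting that produces that behaviour, alongside the restricted form an operator who does not want the zone public would use; the zone name, file path and secondary addresses are constructed placeholders.

```conf
// Added example (not from the original post). BIND 9 named.conf fragment.
// Weak setting, equivalent to the "hand it out to whoever asks" server
// described above: any client that sends an AXFR request gets the whole zone.
//
//   options { allow-transfer { any; }; };
//
// Corrected setting: deny transfers globally, then allow them per zone only
// to the named secondaries. Addresses below are documentation ranges
// (RFC 5737 / RFC 3849), not real servers.

acl "secondaries" {
    192.0.2.53;      // constructed secondary nameserver address
    2001:db8::53;    // constructed secondary nameserver address (IPv6)
};

options {
    directory "/var/named";           // assumed path; adjust to your layout
    allow-transfer { none; };         // default-deny AXFR/IXFR for every zone
    recursion no;                     // authoritative-only server
};

zone "example.com" {
    type master;                      // newer BIND releases also accept "primary"
    file "zones/db.example.com";      // constructed file name
    allow-transfer { "secondaries"; };   // explicit allow list overrides the default
    also-notify { 192.0.2.53; 2001:db8::53; };
};

// Check from an unlisted host against your own server after `rndc reload`:
//   dig @ns1.example.com example.com AXFR
// should end with "Transfer failed." and the server log should show
// "zone transfer 'example.com/AXFR/IN' denied" for the requesting client.
```

Ordinary lookups (A, MX, NS and so on) are unaffected by allow-transfer; only the bulk AXFR/IXFR copy of the zone is restricted.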
The problem is that there is no generally accepted definition of what unauthorized means in this context. Lawmakers either didn't define the term or, if they did, used such sweeping language that the definition is plainly overbroad. One Kansas statute defined access as "to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer." A judge rejected that definition, saying that if it were used, then "any unauthorized physical proximity to a computer could constitute a crime," and instead used the definition of access from Webster's dictionary.
Such overarching language is also common in the terms of service used by ISPs and websites to define what is allowed to happen on their website or service. These documents are written by lawyers trying to shield their employers / clients from harm, not to set out usable rules of conduct. As such they are routinely ignored by both service providers and visitors. Commonly they contain clauses that no reasonable person could expect to abide by. One example is a TOS that expects users to not "violate any local, state, federal, or non-U.S. law, order, or regulation." In conjunction with the CFAA, wouldn't this make violating any law from any country a violation of US law? Another clause commonly found in a TOS prohibits content which is "threatening, abusive, defamatory, invasive of privacy or publicity rights, vulgar, obscene, profane or otherwise objectionable." This type of clause seems to be intended to prohibit being mean on the Internet. The ironic thing is that it's not uncommon to find a TOS which prohibits the majority of the content on the website, for example a celebrity gossip site forbidding the posting of sensitive information.
The discrepancy between the TOS and the actual use of a website has had negative consequences. In March, New Jersey Attorney General Anne Milgram subpoenaed the website juicycampus.com. Milgram felt that it was a possible violation of the Consumer Fraud Act for the website to disallow offensive content in its TOS but not actively remove offensive content. Juicycampus.com is a gossip site which goes out of its way to solicit, well, juicy gossip about college life. The website uses slogans like "Always Anonymous. Always Juicy," so it sure looks like the website is going out of its way to solicit offensive content. Why does it say that such content is disallowed in its TOS? In Ritz's case one of the findings of law was that "Ritz has engaged in a variety of activities without authorization on the Internet. Those activities include the compilation and publication of Whois lookups without authorization from Network Solutions."
Whois data is intended to be used to identify the owners of a domain and to communicate that information to others. However, the TOS states that the "compilation, repackaging, dissemination or other use of this Data is expressly prohibited without the prior written consent of Network Solutions." This portion of the TOS clearly contradicts the intended use of the data, so why is it there?
I think it's because the lawyers who wrote it wanted the most leverage possible if and when they felt it necessary to take legal action against someone using the data in a way they didn't like. Unfortunately, this overly restrictive TOS helped contribute to a $50,000 judgment against Ritz.
From my perspective, as someone who writes IPS signatures, these issues are the result of not paying enough attention to false positives. The dedication to preventing false positives in the American legal system can be seen in Benjamin Franklin's rephrasing of Blackstone's formulation: "that it is better [one hundred] guilty Persons should escape than that one innocent Person should suffer." Defining what constitutes an unauthorized and criminal violation of a computer system is an extremely difficult task, but it is an important enough issue that it deserves an earnest effort. Legislatures do have an advantage over my IPS signatures: their laws are interpreted by judges, prosecutors and other people who are capable of exercising independent judgment. That's no reason to write overly broad laws that criminalize the majority of Internet users. When those laws are so broad as to be unknowingly violated and unenforceable as written, judges should strike them down for vagueness. Website and ISP operators should likewise not write a TOS that they know will be violated by legitimate users of their site. It might be nice if there were a principle of contract law that invalidated Terms of Service so overbroad as to be meaningless. Even if no such principle exists, they should still refrain, because words mean something, and contracts and laws should as well.