Kudos to the digital rights crusaders at the Electronic Frontier Foundation for combating a disturbing new trend: criminal prosecutions of persons who violate the terms of use of public websites.
Yes, you heard that correctly. In the last few months, the federal government has brought indictments against several individuals under a 1986 anti-hacking statute, the Computer Fraud and Abuse Act (the “CFAA”), for engaging in otherwise legal online behavior that nevertheless violated website terms of use. The CFAA (18 U.S.C. ยง1030) imposes criminal and civil sanctions for access to a protected computer without authorization or exceeding the scope of authorization. The theory used by government prosecutors and private litigants is that the do’s and don’ts spelled out in website terms of use define the scope and limitations of permitted access. Any behavior contrary to such terms, then, renders the site access illegal. In the most common application of this theory, an action is brought against a data aggregator or other person for using bots (automated software programs) to access a public website whose terms of use prohibit access through “automated means.”
Cops Armed with Website Terms
Even apart from the argument that the CFAA was never intended to prevent non-invasive access to public websites, the EFF highlights another problem with this theory: it delegates to private website owners the ability to define what is and is not criminal behavior. As a Internet lawyer who has both written and reviewed many website terms of use and privacy policies over the years, I can appreciate the EFF’s concern that they are rife with arbitrary and one-sided clauses.
In United States v. Lowson, federal prosecutors brought an action in New Jersey against the operators of Wiseguys Tickets, Inc., which used bots to buy concert tickets on the Ticketmaster.com website for resale, contrary to the site terms of use which prohibited access by automated means. Although scalping is not illegal in New Jersey, the government justified its action by a supposed need to protect consumer access to tickets. The EFF has filed an amicus curiae (friend of the court) brief on behalf of the defendants in this case.
In United States v. Drew, the feds indicted a woman who created a false profile on MySpace and used it to communicate with a teenager, who later committed suicide. The EFF similarly filed an amicus brief for the defense, and the indictment was ultimately dismissed.
Facebook is using a similar theory in a civil suit against a company called Power Ventures. Power Ventures provides an add-on that enables Facebook users to aggregate their data over several social media sites. Facebook is alleging that Power Ventures violated California criminal law because the add-on utilizes a bot (in violation of the Facebook terms of use) to retrieve user data. (Never mind, as the EFF has wryly observed, that the bot is being deployed at the user’s initiative to obtain his or her own data.)
Confusion in the Law
I’ve been following these cybertrespass case for years, and on a number of occasions I’ve counseled data aggregators using bots and other aggregation tools to harvest factual and similar uncopyrightable data from publicly accessible websites. It’s an exceedingly common practice, part of the landscape of the Internet that we are coming to take for granted. Unfortunately, the law hasn’t kept pace with technological evolution and business practices. The authorities are conflicted, and while some cases set a high standard for proving damage or loss in common-law computer trespass and CFAA actions based on violation of website terms (for example, a substantial slowdown of the web server or exclusion of other users due to tens of thousands of pings from bots over a short period of time), other courts have left the door wide open for suits.
As the EFF has observed, the defendants in these cybertrespass cases (scalpers, an unfriendly adult tormenting a teenager online, a etc.) are not terribly sympathetic. In the first rash of civil cases in the early 2000’s, the defendant was generally a competitor of the plaintiff which used to bots to copy factual data (such as movie times) from the plaintiff’s site. On some level this may seem unfair, since a website operator makes an investment in time and resources to assemble and publish the information in the first place. On the other hand, where the copyright law does not grant protection in publicly available content, the purpose of the law is circumvented by engineering some other legal cause of action effectively to prevent the copying and republishing of this content. (Copyright protects creative expression, and raw factual data by itself lacks even the minimal creative quotient needed for copyright. The fact that it may be difficult to assemble is legally irrelevant.)
Finding a Balance
The bringing of criminal prosecutions for violating public website terms of use takes the confusion in the law to a frightening new level. Even if courts ultimately dismiss the indictments (as happened in the Drew case), the threat of prosecution can be expected to deter competition and chill the beneficial use of data aggregation tools to enable the free access and management of data on the Internet, including users’ own data. Furthermore, as the EFF has noted, innocent parties who do not read or do not understand the terms of use of the sites they are accessing may be caught in the cybertrespass dragnet.
While the use of bots to access and harvest data from protected areas of sites (such as third parties’ personal profiles designated as private and shielded by privacy settings) should be actionable and treated as a criminal offense under the CFAA, website operators should not look to the government to police users on the public areas of their sites. Rather, let them be responsible for enforcing their own terms of use under breach of contract law and provide evidence of actual, quantifiable damages from user access they don’t like.