Thanks to the Internet, We Are All Now Criminals

How many contracts did you enter into this year? Can you count off the top of your head? If you signed a car purchase agreement, a lease, or a mortgage, I’m sure you remember those. Maybe you joined some type of club or organization, or started a new job, which required you to enter into formal agreements with another party.

But if you’re a computer user, the contracts whose terms you bothered to learn, or even remember entering, are almost certainly a small fraction of the total number of legally-binding agreements you entered.

Here’s a better question: how many times did you click “I agree” when visiting a website or installing a piece of software? I’m going to guess it’s more than you can count. And how many times did you read the entire agreement you purportedly just agreed to? If you’re anything like me, and the vast majority of people, you probably read none of them. After all, if you did, it’s what you’d spend most of your life doing.

An example: the simple act of buying music, which once upon a time involved walking into a store, picking the CD you want, and exchanging it for money with the clerk behind the counter. You might have gone through the whole process without saying a word, let alone signing a contract (though, technically, you’re still entering one, it just happens that the whole thing is performed as quickly as it’s formed). The fact is, we probably enter into more formal legal agreements in a year than our grandparents did in their lifetimes.

A very interesting article in the Wall Street Journal talks about some of the issues associated with the fact that we enter hundreds of legal agreements each year without bothering to familiarize ourselves with their terms. And thanks to the Computer Fraud and Abuse Act, which makes it a crime to access any computer system without the authorization of the owner, and the expansive interpretation of that law that the Justice Department and federal courts have settled on, breaking any one of these agreements could, in theory, be a criminal act.

This happened a few years ago. You may remember the “MySpace suicide” case, in which a woman set up a fake MySpace account, posing as a teenage boy. She then befriended a teenage girl who her daughter considered to be an enemy. The girl fell in love with this fictional boy. The woman then revealed the whole thing to be a ruse. Tragically, the victim of this sick prank took her own life.

Because the state in which this occurred, as well as the federal government, had no laws against so-called “cyber-bullying” at the time, a clever federal prosecutor charged her with a violation of the Computer Fraud and Abuse Act. His argument was that setting up a fake account violated MySpace’s terms of service, and in accessing a website in violation of its terms, the woman was accessing a computer system “without authorization,” which amounted to a criminal violation of the CFAA.

She was actually convicted, though her conviction was later overturned on appeal.

Since then, there have been many other cases of people being charged with crimes after they accessed a work computer after being fired, set up fake Facebook accounts, and other things that most of us wouldn’t consider to be the stuff of criminal liability.

Now, most of the conduct that gave rise to these cases was bad, and the law shouldn’t completely ignore it, when it causes actual harm. But that’s why we have civil lawsuits. By criminalizing such a wide range of conduct, we’re actually trivializing crime.

I should also note that I’m not terribly worried that the FBI is going to start arresting married people who join dating sites (that’s against most dating sites’ terms of service), or teenagers who use Google (that site’s terms of service say that you can’t use it unless you’re of the legal age to enter a contract – 18 in most jurisdictions).

What I am worried about is that the CFAA might become a catch-all criminal statute for federal prosecutors to use when they don’t have any real evidence against a defendant, but they “just know” that the defendant did something wrong.

One of the many running themes of my blogging over the last couple years has been the need to avoid vague criminal statutes. Imagine if there were a law on the books which made a crime “punishable by whatever sentence the Court sees fit” to do “anything the government doesn’t like.”

Obviously, I’m not saying that this is likely to happen anytime soon, but with infinitely-elastic laws like the CFAA in existence, I’m not saying that it couldn’t ever happen, either.

For that reason, I agree with Orin Kerr of the Volokh Conspiracy, on his argument that the CFAA needs a serious re-work. Obviously, we want to punish legitimate crimes that can be committed through computers, like identity theft and espionage; but the CFAA, or another law altogether, could accomplish that goal while being much narrower in scope.