After the 9th Circuit’s en banc ruling in United States v. Nosal (Nosal I), it appeared for a brief and shining moment that some clarity was being brought to the Computer Fraud and Abuse Act, as the court held that violating the terms of service did not elevate whatever private crap a website owner used into the foundation for a federal offense. But as so often happens, the clouds rolled in and obscured the sunlight.
“[W]ithout authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party. (Emphasis added.)
For an unambiguous, non-technical term, “without authorization” has caused the murder of a great many words in explanation. But there is some foreshadowing in there, perhaps not clearly noticed in Nosal II, but apparent now that the 9th Circuit has issued its decision in Facebook v. Power Ventures, which held that while no CFAA violation occurs based upon a violation of the terms of service per se, failure to abide by a cease and desist demand by the website owner based upon the violation gives rise to a violation of the CFAA.
In other words, violating TOS doesn’t make it a crime, but accessing a website after the owner has demanded you cease and desist does. Remember, “affirmatively revoked”?
At Volokh Conspiracy, Orin Kerr dissects the latest decision (and, in case you’re unclear, is no fan of the concept that people commit a crime under the CFAA based on TOS):
While Orin’s breakdown of the underlying meaning of Judge Graber’s rationale raises very real questions, this may be a situation where an analysis of a decision is too deep, too smart, when the decision is pragmatic, even if it’s doctrinally or theoretically shaky.
Judge Graber has announced a bright line test. There can be no CFAA crime (or civil cause of action, as was the case in Power Ventures) based on the terms of service. So far, so good. But if the website owner bans someone from accessing his website, then it crosses the line of “unauthorized access” and is sufficient to establish a CFAA violation. Whether it requires the magic words, “cease and desist,” isn’t clear, but since words are cheap, why not use them?
Is this because of the user’s intent? Is this because ignoring a cease and desist letter is more criminal-ly than intentionally violating TOS? It seems to be more easily understood as a very practical bit of line drawing: the user may or may not have understood the exact parameters of the TOS, or may or may not have even been aware of them. But once they get a C&D letter, the user has no excuse for not grasping that the website owner doesn’t want them in their house. You want an engraved invitation? You got one.
Orin argues for a narrow interpretation of Power Ventures, though he still thinks it’s a bad decision.
One question is whether you can read the decision more narrowly to apply only to accessing an account rather than visiting a website. Here’s the uncertainty: Is the decision saying broadly that you can’t visit the public face of a website after the computer owner said “no,” or is the decision saying more narrowly that you can’t access an individual account with the user’s permission after the computer owner said “no”? I would still disagree with the narrower reading, but it would be a lot less objectionable than the broader one.
My speculation is that the 9th Circuit didn’t even consider this question, and that Orin is still over-thinking the implications of the decision.
Reading over the opinion, though, I don’t see a lot of reason to think the court had the narrower interpretation in mind. Consider these clues. First, Footnote 1 states:
Because, initially, Power users gave Power permission to use Facebook’s computers to disseminate messages, we need not decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly.
The court then cites a law review article “asserting that websites are the cyber-equivalent of an open public square in the physical world.”
Unless Judge Graber has mad hacker skillz, my bet is that she approached the problem as would any ordinary internet user, that anybody can look at the picture on their screen, but that they can’t go any further, such as leaving a comment, writing on someone’s wall, or scraping user information. Then again, I can’t point to anything that says so, while Orin can point to a line that gives rise to his issue:
Third, the court says that by sending the cease-and-desist letter, “Facebook explicitly revoked authorization for any access[.]” (emphasis in original). It doesn’t say that the authorization was revoked for the account access but not for visiting material accessible to the public on its computers (content such as this, for example, which anyone can access). Again, that suggests the broader reading rather than the narrower reading.
Or, it suggests that the judges view the internet like regular folk, unsophisticated in their use and with the common understanding that looking at the “public face” without more isn’t access as covered by the CFAA. Whether this is a matter of the Power Ventures opinion being read by someone too knowledgeable to miss the nuance, or written by judges too unsophisticated to realize the nuances, isn’t clear.
What is clear is that the 9th Circuit has tried to craft a bright line test, and part of it is that violating a website’s TOS does not, standing alone, give rise to a CFAA violation. That’s not a bad thing, and it means that if you aren’t hopping on your left leg as you read this post (as required by my TOS as of this moment), you have yet to commit a felony. Here, at least.