CFAA is a horse and buggy in a jet plane world

HACKING THE LAW

The federal Computer Fraud and Abuse Act has strayed violently from its origins and has failed to keep up with changes in the conduct and the technology it initially sought to address. In this first installment of a monthly series on hacking and computer crime, I will examine those problems.

As a matter of primacy, it is important to understand the history of the CFAA. The first U.S. computer crime statute was enacted in 1984 and was rewritten in 1986 to become the CFAA. It wasn’t exactly fit to handle the problems presented by social media. Keep that in mind as we will come to discuss cases involving Facebook and LinkedIn. Unlike other laws, such and theft and murder, computers haven’t been around since the era of the Ten Commandments.

The debut 1984 computer crime law was directly linked to the movie “War Games.” In that film, a young computer aficionado accidentally stumbles upon a U.S. war computer, tinkers with it, and almost causes “global thermonuclear warfare.” In the wake of “War Games,” early internet billboards (rudimentary posting sites) saw a sharp rise in participation. People were using computers and modems for all purposes. Some were even attempting to emulate the movie. President Ronald Reagan felt that laws governing the usage of computers needed criminal regulation. Thus was born the Comprehensive Crime Control Act of 1984.

The internet was still in its nascence in 1986. It would be five years before Hypertext Transfer Protocol, aka HTTP, was invented. The protocol is what people think of when they think of today’s internet. You go to a browser, search, and click on a link that goes to a website. Not so in 1986. In 1986, when a user wanted to access a network, that user had to dial up a specific network. These networks included education sites like MIT, government cites like NORAD, and hybrid sites like CERN. There was no link upon which to click. One could not take advantage of the myriad “Cyber Monday” sales in that there were no shopping sites. Accordingly, misuse of a computer in 1984 or 1986 was wildly different, and much more serious, than it is today. By way of analogy, in 1986 going to a network with mal intent was more akin to a nighttime burglary wherein the burglar has to break in first and then rifle through files. Today, the internet is more like a shopping mall and a criminal can just walk in and “shoplift.” Still, neither the definitions nor the punishments have changed. The CFAA no longer fits the technology it was meant to police.

I commonly refer to the CFAA as “a horse and buggy law in a jet plane society.” And that it is. Computer technology in 2017 is worlds apart from what it was in 1986. In a world where most internet users are only familiar with HTTP, the law isn’t just outdated, it’s confusing. The two recent cases I alluded to above, Facebook and LinkedIn, harmonize this point.

Before we compare and contrast these two new cases, it is important to discuss “terms of service” violations. Most websites have terms of service. Terms of service are typically the dozen or so pages of fine print and that a user must agree to as part of using a particular website. For example, most workplaces have rules that disallow the use of a work computer for non-work purposes. Yet many, many people use their work computers to see how they are doing in their “March Madness” college basketball pool. This constitutes a violation of the workplace terms of service. Can they be prosecuted under the CFAA? Yes. A 2014 Department of Justice memo, made public in 2016, says that the CFAA should not be used to prosecute violation of this type, but it does not forbid such prosecutions.

In U.S. v. Nosal, 828 F.3d 865 (2016) (Nosal II), the case that presaged the social media cases, password sharing was prohibited by company policy. The majority side-stepped the issue of whether password sharing could violate the CFAA. The dissent notes that the majority does not define “a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners.” Accordingly, password sharing could violate the CFAA. It is with this principle in mind that we turn to Facebook, Inc. v. Power Ventures, 844 F.3d 1058 (2016), and hiQ Labs, Inc. v. Linkedin Corporation, 17-cv-03301-EMC (N.D. Cal. 2017). Both Facebook and LinkedIn rely heavily upon Nosal II and U.S. v. Nosal (Nosal I), 676 F.3d 854 (9th Cir.2012) (en banc). The Nosal cases were criminal cases whereas Facebook and LinkedIn involved civil suits under the CFAA. Nonetheless, the analyses of the CFAA are no different between civil and criminal cases; meaning that if a U.S. attorney decided to prosecute Power Ventures or hiQ, he or she could have done so.

In the Facebook suit it was alleged that Power Ventures Inc. collected user information from Facebook’s website and displayed it on their own website. Power Ventures was a social media took information from its user’s social media sites and put it together so that it was easier for users of Power Ventures to manage their multiple social media accounts. Facebook alleged, among other things, that this violated the CFAA. Power Ventures accessed Facebook’s information with the express permission of the users whose information was accessed. The information was publicly accessible but Power Ventures’ program still needed password access to properly function. The court stated Power Ventures exceeded that access only when Facebook sent a cease and desist letter. The court held that in order for Power Ventures to continue to access Facebook information — information that was public — Power Ventures needed permission of both the user and Facebook.

LinkedIn considered rather similar issues yet came to the opposite conclusion. hiQ’s business involves providing information to businesses about their workforces based on statistical analysis of publicly available data. hiQ labs was “scraping,” or automatically collecting data from LinkedIn’s website. LinkedIn’s terms of service specifically prohibit “scraping.” Like in Facebook, LinkedIn sent a cease and desist letter to hiQ labs.

“As the Supreme Court has explained, [the CFAA] ‘provides two ways of committing the crime of improperly accessing a protected computer: (1) obtaining access without authorization; and (2) obtaining access with authorization but then using that access improperly.’ Musacchio v. United States, 136 S. Ct. 709, 713 (2016).” The court in LinkedIn noted that: “Each of these cases is distinguishable in an important respect: none of the data in Facebook or Nosal II was public data.” While that was clearly the case in Nosal I and II, Facebook data was owned by the user, and not Facebook itself. Facebook relies upon copyright principles to come to the conclusion that the layout and design portions of the personal websites accessed with user permission belonged to Facebook, thus allowing them to exclude Power Ventures.

LinkedIn is the opinion of a djudge in the Northern District of California. The case has yet to hit the 9th U.S. Circuit Court of Appeals. Accordingly, the future of the case is uncertain. Nonetheless, the cursory glance we just took at these two cases underscores the central point herein: We are using the same statute written in 1986 to target global thermonuclear warfare as we are in 2017 for debates about accessing information on social media sites.