×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Appeals Court Rules TOS Violations Aren't Criminal

Soulskill posted about 2 years ago | from the by-reading-this-you-agree-to-not-commit-felonies dept.

The Courts 120

Trepidity writes "In a decision today (PDF), the Ninth Circuit Court of Appeals ruled that the Computer Fraud and Abuse Act 'does not extend to violations of use restrictions,' and therefore violating terms of service and corporate use policies is not a federal crime. Law profesor Orin Kerr cheered the decision, but since three other Courts of Appeals have reached opposite decisions, it might be heading to the Supreme Court."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

120 comments

Corporations don't make law (5, Insightful)

Anonymous Coward | about 2 years ago | (#39636449)

And therefor, violating a TOS can't automatically be seen as criminal activity. Kudos to the Ninth Circuit Court of Appeals for having their head on straight.

Re:Corporations don't make law (0)

Anonymous Coward | about 2 years ago | (#39636481)

3:1 against common sense so far, at least we're moving in the right direction...

Re:Corporations don't make law (3, Insightful)

Anonymous Coward | about 2 years ago | (#39636561)

Unfortunately the 9th Circuit is the most overturned court in the USA. I'm not having high hopes that the SCOTUS will affirm the ruling.

Re:Corporations don't make law (4, Informative)

AuMatar (183847) | about 2 years ago | (#39636775)

No it isn't. The 9th circuit court is by far the largest appellate court in the country, so while it has the most appeals overturned, it also has the most cases. By percentage it's actually in the middle of the pack.

Re:Corporations don't make law (-1)

Anonymous Coward | about 2 years ago | (#39636801)

so while it has the most appeals overturned

Which is exactly what I said.

Re:Corporations don't make law (2)

Qzukk (229616) | about 2 years ago | (#39636825)

Which is exactly what I said.

Which is why what you said was the most retarded second response to the first post.

Re:Corporations don't make law (5, Insightful)

Anonymous Coward | about 2 years ago | (#39636845)

Which is exactly what I said.

What you said was deceptive and someone pointed out that deception. Saying you intended to deceive people don't help.

Re:Corporations don't make law (2)

geogob (569250) | about 2 years ago | (#39641367)

I'm not even convinced he was trying to be deceptive. Maybe the AC simply doesn't get it. Or stopped reading the reply half-way through, as he was satisfied with himself.

Regardless, the subtlety pointed out by AuMatar is very disappointingly very hard to understand by a large portion of the population. Yes, I know, citation needed, but I can only give my own experience and observation as reference. Every time I face this situation, I turn out highly disappointed - in what exactly I don't know, but i'm just sorry for something. Happens all the time.

Re:Corporations don't make law (3, Insightful)

Anonymous Coward | about 2 years ago | (#39636865)

Did you not understand the parent's post at all? It doesn't matter that you 'exactly said something' if you fail to grasp basic mathematics enough to realize that the total number of appeals is fucking meaningless metric by itself.

Re:Corporations don't make law (4, Informative)

Baloroth (2370816) | about 2 years ago | (#39636607)

And therefor, violating a TOS can't automatically be seen as criminal activity. Kudos to the Ninth Circuit Court of Appeals for having their head on straight.

Actually, the question is whether the law on the books that makes it illegal if an action "exceeds authorized access" applies to TOS violations, since the TOS outline what counts as authorized access. You can argue very easily that using a service in a manner that breaks the TOS does, in fact, violate the law (by exceeding what you were authorized in the TOS), but this court argues that the language is somewhat ambiguous and in the case of criminal law, you should always err on the side of leniency unless Congress makes itself clear. Basically, an action cannot be criminal unless the law clearly and explicitly states it is.

The case has nothing to do with corporations ability to make an action illegal, specifically, but rather whether an action (violating the TOS) is already criminal under the current law. Agreed about the court having it's head on straight, this judge seems extremely rational.

Re:Corporations don't make law (0)

Anonymous Coward | about 2 years ago | (#39637017)

At most, wouldn't that be a contract violation between 2 Civil parties, and be a matter for Civil court?

Of course, when law contains the word Federal, I automatically think Interstate boundaries, and not Corporate TOS. Silly me for thinking private contracts are well, private.

Can you say BIG GOVERNMENT!

Re:Corporations don't make law (3, Informative)

SuricouRaven (1897204) | about 2 years ago | (#39637275)

The legal reasoning, simplified, goes like this:

1. Accessing a computer system without authorisation from the owner is a crime.
2. A ToS specifies what a user can do, and upon violation becomes invalid - thus, the user is no longer authorised, legally. Even if their account still exists.
3. So any access breaking the ToS is, in legal fact, unauthorised - and indistinguishable from if they had, say, used an exploit or guessed a password. The means by which unauthorised access is granted is legally unimportant - it doesn't matter if it's via sophisticated hacking, script-kiddie work, social engineering, finding someone's password on a postit or pure luck in guessing. The important part is that the user, having broken the ToS, is no longer authorised by the system owner to access that computer system. See point one.

Re:Corporations don't make law (0)

Anonymous Coward | about 2 years ago | (#39637409)

In other words, breaking the ToS is a civil offense but after doing so accessing a computer system covered by those ToS is a criminal offense.

Is that your point?

Re:Corporations don't make law (3, Insightful)

similar_name (1164087) | about 2 years ago | (#39637729)

To apply this same idea to meatspace. If I rent an apartment and my lease says no pets but I have a pet anyway should that make me a criminal? I don't think so. Seems like for a couple hundred years the U.S. has considered it a civil matter and I fail to see why it should be any different on a computer. At the same time if I break into an apartment that is criminal, likewise it should be for a computer. Companies are pushing to make breaking a TOS criminal and that's a very scary thing. Especially when they change it whenever they feel like it.

Re:Corporations don't make law (2)

fast turtle (1118037) | about 2 years ago | (#39638843)

because a TOS is not a valid contract is why the courts have ruled that it's a criminal offense to violate one. Contract law absolutely requires the ability to negotiate both sides, otherwise it's an EULA that is not recognized by half of the United States - the 9th district is in California IIRC

Re:Corporations don't make law (1, Insightful)

gnasher719 (869701) | about 2 years ago | (#39639375)

To apply this same idea to meatspace. If I rent an apartment and my lease says no pets but I have a pet anyway should that make me a criminal? I don't think so.

Let's make that a bit clearer. If your lease says "no pets" but you have a pet anyway, does that make you a trespasser? No. You live there, and as long as you live there you are not a trespasser. You may be in violation of your rent agreement, and the landlord may use this to cancel your tenancy agreement, and then ask you to leave, and if you don't leave the landlord may send bailiffs to remove you, but until they remove you, you are not trespassing.

On the other hand, you might take your pet rat on a walk, and when you come home you find the locks changed and a notice on the door - if you then break into what used to be your apartment you would be trespassing. Back to cyber space: If you have a Facebook account and you violate their TOS: No crime. If Facebook cancels your account and you hack into their servers to get the account back: Criminal.

Re:Corporations don't make law (1)

crypticedge (1335931) | about 2 years ago | (#39642803)

In most states it's illegal to just change the locks on a rental if there's a renter there. They have to file with the court, then get the sheriff

Re:Corporations don't make law (2)

AmiMoJo (196126) | about 2 years ago | (#39637041)

The case has nothing to do with corporations ability to make an action illegal, specifically, but rather whether an action (violating the TOS) is already criminal under the current law.

That's the same thing. TOS say "making a backup copy is illegal" or "one install only, if your PC dies you buy a new license" and doing otherwise becomes illegal. Or not, as the court has said.

Re:Corporations don't make law (1)

Baloroth (2370816) | about 2 years ago | (#39639745)

You seem to be thinking of EULAs, which are different from TOS. Terms of Service are for... well, services that you run on computers (notably, in this case, computers you do not own, such as using Facebook). For example, Facebook can have it in their TOS that you cannot host, say, a picture of your butt on Facebook. If the Computer Fraud and Abuse Act was interpreted broadly, it could be a crime to put such a picture on their servers (it would count as "unauthorized access"). Making backup copies of software or restricting it to only one copy may involve a TOS, but more likely it is part of the EULA (which is similar but not the same). There really isn't any way you can justify making a backup copy of software as "unauthorized access" even in the loosest possible sense, so that wouldn't apply (it may be considered illegal under copyright law, but that would be a different issue). Violating copyright is illegal because copyright is already enforced by law. TOS are not.

Note that conducting actual hacking without permission would definitely count as "unauthorized access", but not because it violates the TOS (although obviously permissive TOS may make it not a crime, just as permissive copyright makes copying software not a crime). Anyways, the court basically said that what counts as computer fraud and abuse under the law is open to interpretation by judges, not simply the company involved... which is good, and sane, and logical, and consistent with legal precedent. Note of course that a TOS violation may be a criminal act, but only because it is illegal already.

Oh, IANAL BTW: the above is simply my armchair opinion.

Re:Corporations don't make law (1)

rtb61 (674572) | about 2 years ago | (#39640093)

Still really, violation of a term of service should only be a criminal act if that actual violation is legislated as such otherwise it should just be a civil breach of contract.

Private corporation should not be able to just stick in arbitrary terms of service, things like you are not allowed to publicly criticise the company whilst using it's services etc. etc.

Re:Corporations don't make law (1)

nschubach (922175) | about 2 years ago | (#39637047)

Doesn't the "exceeds authorized access" apply to owned property? (ie: a server, mainframe...) I'm sure this is going to border on that ever popular "ownership" aspect of software.

Re:Corporations don't make law (1)

Baloroth (2370816) | about 2 years ago | (#39639773)

I'm not sure exactly what you mean. I think in this case the question is whether an action that effectively takes place on a server you do not own, that happens to violate the TOS of whatever service you took the action under, counts as "unauthorized access" of that server. For example, uploading porn to Facebook (I presume that is against their TOS, anyways). In that case, Facebook could argue that they did not authorize you to upload porn, and therefore you accessed their server in an unauthorized fashion. It's certainly a weak argument, IMO, but the text is open to that interpretation. But only if you interpret it broadly, which you shouldn't.

Re:Corporations don't make law (1)

91degrees (207121) | about 2 years ago | (#39641505)

It is an important question.

Reading the law as widely as possible would mean I'm breaking federal law by setting up a second gmail account, or not using my real name on facebook. This clearly wasn't the intent of the law. It was a reaction to hackers breaking into systems that they had absolutely no rights to at all. At the time, public access services weren't that common. Those that were typically had a TOS agreement that was fairly narrow in scope.

I'm not sure how much the courts are allowed to take into account intent. It's certainly something they can consider.

Re:Corporations don't make law (0)

Anonymous Coward | about 2 years ago | (#39636677)

Corporations don't make law?
I see, you must be from... wait, I can't think of any country where corporations don't make the law. (Even if they don't admit it.)

Re:Corporations don't make law (0)

Anonymous Coward | about 2 years ago | (#39636955)

N Korea

Ex post facto (5, Insightful)

NoNonAlphaCharsHere (2201864) | about 2 years ago | (#39636459)

If a corporation can unilaterally change a TOS agreement AFTER someone has signed up for the service (which they do all the time), how can anybody then claim that violating it is a criminal offense?

Re:Ex post facto (2)

pwnyxpress (2597273) | about 2 years ago | (#39636513)

Don't corporations regularly write into the TOS agreement that they can change the terms with minimal (if any) notification to the customer, thus putting the responsibility of terminating the agreement onto the customer?

Re:Ex post facto (4, Informative)

dbet (1607261) | about 2 years ago | (#39636639)

They can amend the contract, however, you are allowed to not accept the new version. So for example you're one year into a 2 year contract with AT&T, and they change the terms. You are now free to walk away. Because of this they usually grandfather in people who are in existing contracts.

Re:Ex post facto (1)

tepples (727027) | about 2 years ago | (#39642469)

They can amend the contract, however, you are allowed to not accept the new version.

However, by continuing to use the service after the new terms are published, a user is considered to have accepted the new terms.

Re:Ex post facto (3, Informative)

JoeMerchant (803320) | about 2 years ago | (#39636523)

If a corporation can unilaterally change a TOS agreement AFTER someone has signed up for the service (which they do all the time), how can anybody then claim that violating it is a criminal offense?

Even more, how can a corporation (say: JoeMerchantCorp) create a TOS and then get the police and courts of the land to enforce it for them? My TOS can state that you must dance on your hands naked in the waiting room after a late payment or your account will be revoked... and it can be a criminal offence to violate it?

Re:Ex post facto (1)

Sique (173459) | about 2 years ago | (#39636853)

One of the main reasons to have a state and a judicary is to have contracts enforced. There is a whole body of law just for contract disputions, it's called Civil Law.

Re:Ex post facto (1)

FunPika (1551249) | about 2 years ago | (#39636583)

They will probably just try to make "Ignorantia juris non excusat" apply to the TOS as well and be like "You didn't read the updated TOS? Your fault".

Re:Ex post facto (2)

Surt (22457) | about 2 years ago | (#39636657)

Which seems entirely reasonable. I don't use any websites subject to unilaterally modifiable TOS without reading those TOS every single time, and neither should anyone else.

Re:Ex post facto (2)

SuricouRaven (1897204) | about 2 years ago | (#39637291)

When I got my iPod touch*, I got to see the agreement to use the app store. Ninety-nine pages long. That was one of the shorter ones.

*Don't worry, it was a freebie with something else and went on eBay.

Re:Ex post facto (1)

CanHasDIY (1672858) | about 2 years ago | (#39636907)

They will probably just try to make "Ignorantia juris non excusat" apply to the TOS as well and be like "You didn't read the updated TOS? Your fault".

Which is, as we all know, complete bullshit.

"Ignorantia juris non excusat" is only legitimate when applied across the board, without exceptions, and we all know that's not the case.

Re:Ex post facto (2)

NonUniqueNickname (1459477) | about 2 years ago | (#39636615)

So? Laws change unilaterally all the time too, it doesn't make them ex post facto. Only if the corporation takes action against a user over a violation of the new TOS that ocurred before the new TOS was instated (and agreed to by the user). Only then would it be ex post facto.

Re:Ex post facto (1)

Anonymous Coward | about 2 years ago | (#39636867)

I dunno that I like this argument. I agree with the conclusion, but the reasoning you take for it is a bit scary.

I mean, I *can* change my terms and make you a criminal /if/ you persist. In computing it's as simple as "John, you're fired--don't login as administrator"

A very simple alternate meatspace analogy is trespass.

If I invite you to my home, you're welcome there. If I then order you to leave, you have a reasonable amount of time to gather your things and exit. If you delay unduly, or refuse--you've committed trespass.

In some states, depending upon time and circumstance of your trespass (but basically including if you commit another felony crime such as types of assault) you may now be a felon. I may then have the right to:

1) Remove you with force (up to and including the lethal variety)
2) Detain and execute an arrest--with the above force.

So...I know we don't want corps setting the laws. But to say that a civil manner can't escalate to criminal is...misleading. Quite simply --people, and corps...have the freedom to change their mind.

CAPTCHA: autocrat. Amused.

Re:Ex post facto (1)

CanHasDIY (1672858) | about 2 years ago | (#39637719)

A very simple alternate meatspace analogy is trespass.

No; trespassing is a criminal matter, not a civil one (unless we're talking trespass to chattels, which you are not). "Analogy" implies a commonality.

A real meatspace analogy would be if you offered me access to your property in writing, then at some point changed the contract to revoke my access.

The difference is, with a written (paper) contract between two individuals, changing the terms requires the physical signature of both parties; in terms of service, one party can unilaterally change their policy, with minimal notification to the other party, and so long as the original party offers some sort of notification (i.e., Sony 'allowing' consumers to opt-out of their "no-sue" clause by forcing them to snail-mail a written rejection within 14 days), it's all considered perfectly legal.

In summation, the system is fucked, and it's going to stay that way until someone like Sony or facebook step on the wrong toes.

Re:Ex post facto (1)

ohnocitizen (1951674) | about 2 years ago | (#39636897)

I can't wait to re-read the parent comment after the supreme court rules it is a criminal offense. I'll have myself a nice little cry then. It'll be cathartic.

Can't complain (0)

Anonymous Coward | about 2 years ago | (#39636477)

I think it's hard to tell whether this is good for consumers (because we have the freedom to do what we want with our programs, etc), or bad for consumers (because it makes things less safe for companies). Either way, I'm happy for now, I guess.

Re:Can't complain (5, Insightful)

CanHasDIY (1672858) | about 2 years ago | (#39636505)

I think it's hard to tell whether this is good for consumers (because we have the freedom to do what we want with our programs, etc), or bad for consumers (because it makes things less safe for companies). Either way, I'm happy for now, I guess.

It's not hard to tell at all: being able to throw consumers in jail for ToS violations is most definitely, unquestionably, bad for consumers.

Re:Can't complain (1)

Surt (22457) | about 2 years ago | (#39636683)

The direct action is obviously negative, the question is whether the indirect incentive more than outweighs that negative. One could argue, for example, that perhaps facebook wouldn't exist if they didn't think this was possible, and facebook is so awesome it outweighs the cost. I wouldn't argue that, but someone could.

Re:Can't complain (1)

CanHasDIY (1672858) | about 2 years ago | (#39636989)

One could argue, for example, that perhaps facebook wouldn't exist if they didn't think this was possible, and facebook is so awesome it outweighs the cost. I wouldn't argue that, but someone could.

You and I both.

Besides, yea, one could attempt to make that argument, but it's obvious bullshit; the Zuckerburgs of the world don't give two shits about being able to incarcerate their customers for ToS violations, so long as people keep signing up and the skrilla keeps flowing in.

Re:Can't complain (1)

sabt-pestnu (967671) | about 2 years ago | (#39641713)

> or bad for consumers (because it makes things less safe for companies).

If Congress (or lobbyists acting through congress) really really wants to criminalize TOS violations, they can try to pass a bill that explicitly states that.

Or they could just try again with the fuzzy language and call it CISPA.

I must be reading something wrong... (1)

gatfirls (1315141) | about 2 years ago | (#39636487)

Lower courts have held that violating a (basically TOS) is a crime? Is there ever real world logic applied to these decisions or is it basically (let's rewrite every law when it applies to the internet). "What are you in for?" "Leaving food stuffs in the fridge after 5pm on friday, clearly against company policy".

Re:I must be reading something wrong... (5, Insightful)

CanHasDIY (1672858) | about 2 years ago | (#39636555)

Lower courts have held that violating a (basically TOS) is a crime?

Not just a crime, a felony crime. Which means being convicted of ToS violations not only takes away your physical freedom, but also damages your ability to find a job upon release, makes it impossible to own a gun, removes your right to vote (although some states restore that right after a prescribed period of time), and all the other wonderful disadvantages that come with being a convicted felon.

Land of the Free, my enslaved ass.

Re:I must be reading something wrong... (5, Funny)

Jeng (926980) | about 2 years ago | (#39636749)

Ya know, if they want to charge you with a felony you might as well commit one and kill the motherfucker who wrote the TOS.

Re:I must be reading something wrong... (1)

Trepidity (597) | about 2 years ago | (#39637557)

Fortunately it does at least require that it be a TOS violation "with intent to defraud", which provides a bit higher burden of proof. It's still better not to have the CFAA in this mess at all, though. If you want to ban fraud, then write a law banning fraud (which already exist, naturally), not criminalize random things just because "with a computer" is tacked on.

Re:I must be reading something wrong... (1)

jamstar7 (694492) | about 2 years ago | (#39637943)

If you want to ban fraud, then write a law banning fraud (which already exist, naturally), not criminalize random things just because "with a computer" is tacked on.

But it's ok to 'create' and 'patent' something already out there by adding 'on a computer hooked to the internet or not'?

Go to SCotUS, Go directly to SCotUS (5, Insightful)

LostCluster (625375) | about 2 years ago | (#39636507)

A court ruling out of line with three other rulings is certainly a sign that the court wants a higher court to look at this... 3-1 scores don't matter, just that the case got there.

of course (1)

shentino (1139071) | about 2 years ago | (#39636567)

Violating terms of use is not a criminal offense.

It's a civil matter known as breach of contract, the solution for which is getting sued.

Now if you were forging a mac address in an attempt to masquerade as another subscriber, or hacked the service to get free internet or evade a service termination, that would be different and probably *would* qualify as criminal.

Breaking TOS and having your service yoinked is like going shopping at a grocery store and getting thrown out by security for swearing, or like getting an eviction notice from your landlord because you didn't pay your rent or because you broke the door. It's not the same as shoplifting or burglary.

The only time a TOS violation should be criminal is if what you're doing amounts to trespassing.

Re:of course (1)

GiMP (10923) | about 2 years ago | (#39637057)

Without any contract, you have no authority access. If you breech the contract, you have no authorization to access. Access without authorization is a felony.

I tend to agree that the other courts were probably right. Whether or not the Computer Fraud and Abuse Act is too broad is another matter and something for higher courts and the legislative branch to determine.

Re:of course (2)

gstrickler (920733) | about 2 years ago | (#39637311)

I've discussed this many times. Any while your interpretation could be valid, I most strongly disagree with it. I agree with the OP and the 9th CC, this is not a crime, it's a contract dispute, which makes it a civil case, not a criminal case. That's how it should be handled, breach of contract.

Consider what happens if it's the other way around, what if the company violates their responsibilities under the TOS? Is that automatically a crime? No. In some cases, if you can show they were willfully misleading, to a large group of customers, then it might be treated as criminal fraud. But the company violating the TOS is not automatically a crime, it's a civil breach of contract. And if it's not automatically a crime for the company to violate it, then it's not automatically a crime for the other party to the contract to violate it. It's a civil dispute unless there are other considerations (e.g. massive fraud) that make it a criminal one.

Re:of course (1)

jamstar7 (694492) | about 2 years ago | (#39638025)

Consider what happens if it's the other way around, what if the company violates their responsibilities under the TOS? Is that automatically a crime? No. In some cases, if you can show they were willfully misleading, to a large group of customers, then it might be treated as criminal fraud. But the company violating the TOS is not automatically a crime, it's a civil breach of contract.

I'd have an attorney read over the TOS before suing, though. I've read some that have a clause saying that by using the service I accept the TOS and agree to hold the provider blameless in anything that may come up, up to and including the Second Coming of Elvis.

Re:of course (1)

causality (777677) | about 2 years ago | (#39638629)

Consider what happens if it's the other way around, what if the company violates their responsibilities under the TOS? Is that automatically a crime? No. In some cases, if you can show they were willfully misleading, to a large group of customers, then it might be treated as criminal fraud. But the company violating the TOS is not automatically a crime, it's a civil breach of contract.

I'd have an attorney read over the TOS before suing, though. I've read some that have a clause saying that by using the service I accept the TOS and agree to hold the provider blameless in anything that may come up, up to and including the Second Coming of Elvis.

I'm not a lawyer and this isn't legal advice, yadda yadda. Owing to the legally protected freedom of speech, they may write whatever they want into a document. That doesn't necessarily mean it will hold up in court. Some states are better than others about rejecting unreasonable clauses in such contracts.

Not a TOS (5, Insightful)

Desler (1608317) | about 2 years ago | (#39636575)

Once again a terrible title and summary. This had nothing to do with a TOS. It was about trying to prosecute someone criminally for violating their workplace's authorized access policy.

Re:Not a TOS (1)

gatfirls (1315141) | about 2 years ago | (#39636661)

An "access policy" is basically "terms of service". You are right though the word "policy" is enough of a description to make a criminal charge (an upheld appeals) seem ridiculous.

Re:Not a TOS (2)

Desler (1608317) | about 2 years ago | (#39636711)

No, a ToS is in common use an agreement between a company and a consumer when providing you a service. This was about an internal company policy for its employees. It's not the same.

Re:Not a TOS (2)

gatfirls (1315141) | about 2 years ago | (#39636937)

You do know that "basically" and "same" have very different meanings right? The point is that neither of them (should) carry a criminal penalty for the violation of them unless the violation actually violates the law. The problem here is that they are using their *policy* to stipulate what is illegal. ....using very ambiguous overreaching laws. Even though using criminal courts in place of civil is all the new rage.

Re:Not a TOS (0)

Anonymous Coward | about 2 years ago | (#39637559)

Not the same, except for the part where they are both agreements about how a system should be used by users. The fact that employees use a system (supposedly) for productive purposes doesn't mean much. Especially when "consumers" are doing the same (hello cloud services..)

Re:Not a TOS (2)

tacokill (531275) | about 2 years ago | (#39636663)

Mod this up. The fact that an employer / employee is involved changes everything. This is not a case of TOS and Customers violating said TOS.

Re:Not a TOS (2)

gatfirls (1315141) | about 2 years ago | (#39636751)

Exactly what does it change? They're both loose "contracts" on what is authorized for the service/network/etc. Using horribly vague, ambiguous and broad laws to cover civil matters (especially big corporate civil matters) is a crazy concept that people seem to just ignore as "welp don't break the law" until they get snagged up in it.

Re:Not a TOS (4, Insightful)

urulokion (597607) | about 2 years ago | (#39637567)

No. The fact that is an employer/employee type setup doesn't change a thing. An employee violating a company policy in regards to accessing information they are authorized to to access via their computer credentials isn't a violation of the CFAA. Let's take another CFAA case involving the Social Security Adminstration. Certain employees in the SSA have access to personal information of people in regards to SSN payroll deductions, benefit payouts, etc. They have authorization via their computer credentials to look at virtually anyone's personal information. But the SSA has policies in place they speel out when it is proper to access that personal information. When an employee is working a case that is assignment to them, they policies says they can access personal information about persons related to that case as an example.

Now if an SSA employee starts to just access information about celebrities or other persons in the new just because they are curious. They would be a clear violation of SSA policy. Remember that the employee's credentials allow access to virtually anyone. The employee used their assignen credentials to access the information. They didn't breach any technological measure to access the measure. They didn't "hack" to gain access to the information. Their access is a violation of SSA policies, may be violations of criminal statutes of misusing government data, violations of the Privacy Act, etc. But their access was not a violation of the CFAA. That was what the 9th Circuit ruled on.

The 9th Circuit got this one right. Yes, I'm shocked as much as you are. If this ruling goes to the US Supreme Court, I don't think it'll be overruled.

Re:Not a TOS (1)

Trepidity (597) | about 2 years ago | (#39637613)

It doesn't change anything, as the decision notes. The question is whether exceeding authorization to use a computer, by violating the terms of a policy authorizing you to use that computer, is a federal crime. Whether the policy is a workplace policy for employee usage of computers, or a user policy for customer usage of computers, doesn't make a difference.

Re:Not a TOS (0)

Anonymous Coward | about 2 years ago | (#39636849)

It *is* about TOSes, because this exact same bit of legislation *is* being used to prosecute for violating TOSes.

You are right that using it for a workplace access policy is different, but a workplace access policy probably has an even better argument for being considered subject to criminal penalties under the CFAA for its violation.

So, the fact that it the 9th Circuit rejected a broad interpretation of the CFAA for this policy is an even *stronger* repudiation than if they had just rejected a broad interpretation of the CFAA for a plain old website TOS.

Re:Not a TOS (0)

Anonymous Coward | about 2 years ago | (#39637101)

Wrong. Please see post by Baloroth (2370816) on Tuesday April 10, @04:59PM (#39636607).

The Computer Fraud and Abuse Act defines a felony offense for violations of "authorized access". A TOS (or an equivalent Corporate Use Policy) defines what is authorized. So the question before the court was whether or not violating a specific TOS constitutes such a felony offense under the law as written.

The problem with the law is that there is no definition of "authorized access" and could even allow after-the-fact determination (again, also with no definition) by the "victim" that any arbitrary prior access was "unauthorized". By defining "authorized access" in a TOS or CUP, the "victim" can at least claim the access was "unauthorized" prior to the access.

The case is about whether an action (violating the TOS) is already criminal under the current law. The 9th got it right. Congress needs to fix the definition of "authorized access" or the courts should rightfully strike down the law.

This gets into sticky areas like "How many near-simultaneous "requests" for my PUBLICLY ACCESSIBLE SERVICE constitutes "popular" versus a denial-of-service attack?" In effect, the slashdot effect could be deemed a federal felony offense if the law stands. SCOTUS will likely have to take it up.

Re:Not a TOS (1)

CanHasDIY (1672858) | about 2 years ago | (#39637369)

This gets into sticky areas like "How many near-simultaneous "requests" for my PUBLICLY ACCESSIBLE SERVICE constitutes "popular" versus a denial-of-service attack?" In effect, the slashdot effect could be deemed a federal felony offense if the law stands. SCOTUS will likely have to take it up.

In other words, the fate of our technological freedom is in the hands of 9 dinosaurs who are of the generation that honestly believes the internet is made up of physically interconnected tubes?

$diety help us, we are FUCKED.

Re:Not a TOS (1)

Trepidity (597) | about 2 years ago | (#39637575)

If you read the court's opinion, it discusses both ToS and workplace access policies, and holds that the CFAA applies to neither, for similar reasons.

Whoop-de-do, big deal. (3, Insightful)

istartedi (132515) | about 2 years ago | (#39636585)

So you're not in jail. Big deal. They can still take all your money via the civil courts. Then you're homeless. It's like jail except that the cell has poor climate control and the 3 hots and a cot are unreliable. Nothing will change until civil suits are reformed. For starters, guaranteed right to a jury trial with the possibility of nullification required to be informed to the jury from the bench (not the bench lying and saying that it doesn't exist). Also, reasonable doubt, not prepoderance. Also, no civil trial for the same matter already settled in criminal courts.

Wow, it might actually be a free country again if we could pull that off. Oh and look, I expressed it in one paragraph that everybody can understand. Just like back in the 1700s. Imagine that!

Re:Whoop-de-do, big deal. (1)

gl4ss (559668) | about 2 years ago | (#39636651)

well.. at least then you get to still vote that should be changed?

usa style settling in criminal cases is bullshit. it distorts statistics, history and murkies wtf actually happened so badly... that should only happen in civil, non criminal, disagreements.

Re:Whoop-de-do, big deal. (1)

interval1066 (668936) | about 2 years ago | (#39636769)

Has anyone ever been rounded up for violating an access TOS?

Re:Whoop-de-do, big deal. (1)

sabt-pestnu (967671) | about 2 years ago | (#39641727)

From the ruling:

In a recent Florida case, after an employee sued her employer for
wrongful termination, the company counterclaimed that plaintiff violated
section 1030(a)(2)(C) by making personal use of the Internet at work --
checking Facebook and sending personal email -- in violation of company
policy. See Lee v. PMSI, Inc., No. 8:10-cv-2904-T-23TBM, 2011 WL
1742028 (M.D. Fla. May 6, 2011)
. The district court dismissed the counterclaim,
but it could not have done so if "exceeds authorized access"
included violations of private computer use policies.

Re:Whoop-de-do, big deal. (1)

mark-t (151149) | about 2 years ago | (#39637179)

They can't take your home away if you don't own it... and they can't garnish your wages below what is necessary to survive, taking into consideration standard costs of living in your area.

Civil suits (0)

Anonymous Coward | about 2 years ago | (#39637725)

Having won a civil suit for a 3,000 debt on a customer I can say it's a pain in the ass to collect. You can seize certain assets, say a car parked outside of their home. But if it's in a garage forget it. You can file paperwork to seize a bank account but you only get that one shot to do it and you don't know how much is in there. You can garnish wages, provided they have a job and/or are not working for cash. You can place a lein on property, if they own any, but you only get paid if they want to sell. If they have a mortgage forget it, bank gets first dibs.

Damn it (5, Funny)

Fned (43219) | about 2 years ago | (#39636721)

I was so looking forward to forcefully citizen's-arresting the next HR asshole to demand my Facebook login.

Re:Damn it (1)

Elldallan (901501) | about 2 years ago | (#39639153)

That has not changed, unless the HR asshole has Facebook he never had a TOS with FB so he could always(and still can) demand your account details. You would however be in breach of the TOS if you gave it to said HR asshole so you would be the one tossed in jail.

BUT what has not changed is the fact that if said HR asshole did access FB(with your account details) without having a contract with FB in the first place it will still be a felony.
Things gets muddy if he has his own Facebook since he would technically have legal permission to access FB's servers(just not with your account details).

IANAL

Re:Damn it (1)

Xaositecte (897197) | about 2 years ago | (#39639407)

He's not violating the TOS, but he's certainly accessing the computer system without authorization, which is the actual felony crime being discussed. If anything, his guilt is even more unambiguous.

Re:Damn it (0)

Anonymous Coward | about 2 years ago | (#39639501)

That has not changed, unless the HR asshole has Facebook he never had a TOS with FB so he could always(and still can) demand your account details. You would however be in breach of the TOS if you gave it to said HR asshole so you would be the one tossed in jail.

True, but consider that conspiracy to commit a felony is also a felony...

Re:Damn it (1)

MobyDisk (75490) | about 2 years ago | (#39639541)

Allow me to play devil's advocate here: what is to say they don't arrest you for giving the information out? Asking for it probably doesn't violate the TOS. Either giving it out, or using it are more likely to violate it.

Re:Damn it (1)

darkonc (47285) | about 2 years ago | (#39639631)

It's not just the asshole who demands your Facebook login that gets charged with counselling a felony. You can also go after the asshole who set the policy (usually further up the food chain). Now that should get the attention of legal (especially if it was legal who set the policy).

Authorized access to my (physical) mailbox (1)

Anonymous Coward | about 2 years ago | (#39636739)

"Credit card companies are not authorized to have their mail access my (physical) mailbox, unless they enclose a cashier's check for $1,000 in my name."

Now go ahead send me another one of these credit card offers!

Don't get excited (0, Troll)

BBTaeKwonDo (1540945) | about 2 years ago | (#39636805)

First, as other posters have pointed out, it's an employer/employee agreement, not a consumer ToS. Second, the decision was by the Ninth Circuit a.k.a the People's Republic of the Ninth Circuit. The five Republicans on SCOTUS like to slap down the Ninth Circuit's rulings out of principle or spite or both. This will not end well for the employee.

Re:Don't get excited (0)

Anonymous Coward | about 2 years ago | (#39636959)

I mentioned this above, but it bears repeating:

The fact that the agreement was an employer/employee agreement seems to make it much more likely that both parties (1) understand the nature of the agreement, (2) have knowingly agreed to be bound by it, and (3) have a good channel of communication for updates to the policy, etc.

All of these cut in favor of giving more weight to employer/employee agreements than to your typical website TOS. So this decision seems to be (at least as far as I can tell from the summaries, haven't read it) a *stronger* repudiation of a broad CFAA interpretation than if they had gone with a narrow interpretation of the website TOS.

Maybe I'm way off base here, but I can't think of any convincing arguments giving an emplorer/employee agreement a narrow view under the CFAA, but giving a website/visitor TOS agreement a broad view.

Re:Don't get excited (1)

Trepidity (597) | about 2 years ago | (#39637635)

Wrong on both points: 1) the decision covered ToS in general, not only employer/employee agreements; and 2) the Ninth Circuit has plenty of conservatives on it, with its Chief Judge, who wrote this opinion, being a libertarian-leaning Reagan appointee.

Re:Don't get excited (1)

BBTaeKwonDo (1540945) | about 2 years ago | (#39638465)

Yeah, you're right, my bad for not RTFO. Though the Ninth circuit, while it may have some conservatives, is still the most liberal circuit by a wide margin.

Opinion by Kozinski (0)

Anonymous Coward | about 2 years ago | (#39636831)

Kozinski's opinions are usually worth reading.

Under the government’s proposed interpretation of the CFAA, ... describing yourself as “tall, dark and handsome,” when you’re actually short and homely, will earn you a handsome orange jumpsuit.

Employers demand access to employee account ... (1)

Spectre (1685) | about 2 years ago | (#39636837)

So, those employers that demand access to your social networking accounts, or, say, bank accounts, personal e-mail accounts, etc. They get a free pass at violating those sites' Terms of Use and can sign on with employees' access credentials ... NO PROBLEM?

Re:Employers demand access to employee account ... (1)

GiMP (10923) | about 2 years ago | (#39637103)

Those companies are not violating the TOS, the employee is. What the company is doing is worse, the company is arguably accessing without agreeing to the TOS at all, which falls under unauthorized access and is criminal under the Computer Fraud and Abuse Act. I think. IANAL

Re:Employers demand access to employee account ... (1)

mark-t (151149) | about 2 years ago | (#39637355)

If you're going to work for a company that expects access to such accounts, then I would think that your best course of action is to just not have any such accounts. Even better is to just not work at such a company.

In at-will states, employers can fire you for pretty damn near any reason they want, or no reason at all. I'm pretty sure that not supplying them with access to your facebook account doesn't quality as some form of legal discrimination (even though they might be able to obtain some information from your facebook page that they could potentially discriminate on, I think you'd have to somehow show that searching for such information to discriminate against you for in your facebook profile was somehow at least a genuinely likely motive for asking for the login information).

Re:Employers demand access to employee account ... (1)

gnasher719 (869701) | about 2 years ago | (#39639459)

So, those employers that demand access to your social networking accounts, or, say, bank accounts, personal e-mail accounts, etc. They get a free pass at violating those sites' Terms of Use and can sign on with employees' access credentials ... NO PROBLEM?

Not at all. If I give you my Facebook password, then I am in violation of the Facebook TOS - which as discussed is not a crime. But _you_ have no authorization to log into my account. I can give you the password, but I cannot give you the authorization to log in, because it is not my server that you are logging in to. So by accessing my account, using the password I gave you, _you_ are committing the crime of unauthorized access to a computer.

extradite the chinese gold farmers (0)

Anonymous Coward | about 2 years ago | (#39637521)

We should use the CFAA to extradite the 1000s of Chinese gold farmers creating inflation in World of Warcraft. They are in esense printing money.
So any kid who cheats at a computer game can go to jail? Imagine filling up the jails with all the fat kids who hacked Diablo ?
The people who mod the IPAD so it runs Flash?

Re:extradite the chinese gold farmers (0)

Anonymous Coward | about 2 years ago | (#39640233)

no one gives a shit about your old lame whack-off-fest mmo

stuff on the level traffic tickets should not felo (1)

Joe_Dragon (2206452) | about 2 years ago | (#39637553)

stuff on the level traffic tickets should not be a felony.

Now lot's of tos violation are on the level of some traffic tickets where most people don't follow the rules 100% and some of them are very technical when you get down to them.

This could go bad seriously fast (1)

powerspike (729889) | about 2 years ago | (#39637689)

and therefore violating terms of service and corporate use policies is not a federal crime.

If it was a Federal Crime, Basically what it would lead to, is private entities been able to send people to jail for breaking rules not set by the government (ie laws...). If this does start to happen, then the corporations have effectively directly taken over law making in this country, and could even possibly put in jail terms and penlites for breaking their tos's.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...