Violation of Terms of Service is not a crime yet


A U.S. federal judge ruled that people who violate the terms of a user agreement cannot be held criminally liable. The case sets a precedent that the country's legal system will rely on in the future. We look into the situation.


Photo: Markus Winkler, Unsplash

A contentious law


In the United States, there is an “anti-hacker law” on computer fraud and abuse: the Computer Fraud and Abuse Act (CFAA). It prohibits unauthorized access to information or computer systems. Penalties for violations include fines and imprisonment, depending on the gravity of the crime.

The law has been heavily criticized by the public and by information security experts. Electronic Frontier Foundation (EFF) experts say that the wording in the law is so vague that a simple violation of a user agreement (terms of service) may fall under it. In particular, this concerns creating pseudonyms and fake accounts, practices prohibited by many social networks and sites.


The vague wording in the law interferes with the work of research organizations studying possible cases of gender, age and racial discrimination on web resources. Their work requires creating anonymous profiles to collect data and evaluate the algorithms a site uses (for example, for search on the site). Therefore, in 2016, a group of scientists and journalists, with the support of the American Civil Liberties Union (ACLU), went to court and argued that a law restricting such activity contradicts the First Amendment to the U.S. Constitution. The trial went on for several years and ended in late March. A federal court in Washington ruled that violating a site’s terms of service is not a crime under the CFAA.

The court's decision


Judge John Bates noted that violating a user agreement cannot be considered a criminal offense because companies reserve the right to change the terms of a document without notifying users. As a result, an act that was permissible yesterday may suddenly become prohibited tomorrow. The court was also guided by the fact that the terms of service of many resources are difficult to find, and the rules themselves are written in a language that is difficult to understand even for industry experts.



In September 2019, another important CFAA case ended: LinkedIn v. hiQ Labs. The latter collected user profile data to provide consulting services to employers. LinkedIn held that the analytics company's activity violated the CFAA and demanded that it stop scraping.

The case went to the U.S. Ninth Circuit Court of Appeals, which ruled that automated data collection from public sites does not contradict the law, and that the law on computer fraud and abuse cannot be applied to public information. At the same time, the judge forbade LinkedIn from putting up any technical obstacles for hiQ. This ruling will change the balance of power when similar cases are considered in the future.

CFAA is outdated


The Computer Fraud and Abuse Act was adopted back in 1986 so that computer crimes would not go unpunished. Since then it has hardly changed, so it is poorly suited to modern conditions. Gray areas arise even in the key areas the law covers, those related to hacking computer systems. These gray areas cause a lot of controversy in the legal community, as state courts interpret the CFAA differently.


Photo: Jeffrey Smith, CC BY-ND

In 2015, a New York City police officer used a personal database to search for information about a person he knew. The officer was accused of unauthorized access to information, but the court acquitted him. According to the judge, the policeman did not violate the CFAA, because he could work with the database and had the necessary username and password. However, in 2010, a US Eleventh Circuit court sentenced a social security official to 12 months in prison for a similar violation.

Because of such inconsistencies, many are urging the Supreme Court to look into the situation and provide the necessary clarifications. For example, at the beginning of the year, specialists of the Electronic Frontier Foundation made such a statement. What will come of this remains to be seen.

Findings


  • Violating the requirements of a site's user agreement is not a criminal offense under the U.S. Computer Fraud and Abuse Act (CFAA).
  • But similar violations can be considered under other legislation, for example, laws related to intellectual property rights.
  • The CFAA does not prohibit the scraping of Internet resources, and sites cannot prevent it.


At 1cloud.ru, we have a corporate blog dedicated to IaaS and information security.

We also run a Telegram channel in which we publish news, insights and cases from the cloud industry.

