CFAA violations key to 2012 Obama victory?

An important tactic of the Obama reelection campaign was likely a violation of Facebook's terms of service, and therefore a violation of federal law. This is yet more evidence that Justice Department interpretations of the Computer Fraud and Abuse Act are unreasonable and need to be curtailed.
Written by Larry Seltzer, Contributor

Correction: The blog post which inspired this story has issued a correction which affects this story as well. Apps, such as the Obama campaign app, are subject to a separate set of terms which are different from those cited in this story. The actions taken by the app and the campaign conform to those terms, and therefore they do not violate the CFAA under anyone’s reading of the act.

It's generally accepted in post-mortems on the 2012 presidential election that high turnout among Obama voters was key to his victory. How did the campaign generate such high turnout? According to attorney Michael Vatis on the Steptoe Cyberblog, they did it using widespread violations of the CFAA (Computer Fraud and Abuse Act).

The tactic was revealed in Dan Balz’s forthcoming book about the 2012 presidential campaign, “Collision 2012: Obama vs. Romney and the Future of Elections in America,” which is being excerpted in the Washington Post. The campaign wanted to expand the reach of their already large database of supporters and found a way to use Facebook for it.

Here's how it worked:

If the campaign violated the Facebook terms then, by extension, they violated the CFAA

Balz quotes campaign manager Jim Messina: "…what if we could build a piece of software that … allowed you to match your friends on Facebook with our lists, and we said to you, ‘Okay, so-and-so is a friend of yours, we think he’s unregistered, why don’t you go get him to register?’ Or ‘So-and-so is a friend of yours, we think he’s undecided. Why don’t you get him to be decided?’ And we only gave you a discrete number of friends. That turned out to be millions of dollars and a year of our lives. It was incredibly complex to do.”

The campaign could then, with permission from the user, gain access to their friends. Using other data the campaign had they made a determination as to who was likely to be registered to vote and follow up with them. Balz says that this technique was a big factor for the campaign. But does it violate the CFAA?

The Justice Department has claimed in other cases that a violation of a website's terms of service or an employer's workplace policies can be a violation of the CFAA because it amounts to unauthorized access of a computer or data.

Vatis cites several lines from the Facebook Statement of Rights and Responsibilities which he claims are violated by the campaign's practices. One obvious one is: “You will not … let anyone else access your account.” Another interesting one: “If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.”

If the campaign violated the Facebook terms then, by extension, they violated the CFAA.

The Obama campaign's tactics clearly run afoul of the DoJ's interpretations of the law, but are they actually fraudulent, unauthorized access? 

Vatis is not calling for prosecution here, but rather using the incident to criticize the Justice Department's broad interpretation of the CFAA, an interpretation which was controversial back in 2008 when it was first used against Lori Drew, whose fraudulent use of MySpace led 13-year-old Megan Meier to kill herself.

It reached a new low last year when it was used to prosecute Internet developer and activist Aaron Swartz, leading to his suicide this January. After that, the movement in legal and Internet circles to amend the CFAA picked up steam.

There is such a thing as computer fraud and abuse, and it needs to be illegal. The Obama campaign's tactics clearly run afoul of the DoJ's interpretations of the law, but are they actually fraudulent, unauthorized access? That doesn't make sense to me.

All this does present a problem for Facebook. If they do nothing about this huge, public violation of their terms of service, can they then go after anyone else who violates them? What happens in the next election when other candidates use the same methods?

The unhelpful bottom line of it all is that these things are complicated. It's really hard to come up with a set of rules which are comprehensible, fair and which cover all the circumstances the service needs to cover. Same with the law. Until they figure out how to word these things right, companies and even more so the Department of Justice, need to be restrained in their use of the rules.


Editorial standards