The US Department of Justice is defending computer hacking laws that make it a crime to use a fake name on Facebook, or lie about your weight in an online dating profile at a site like Match.com.
In a statement obtained by ZDNet Australia's sister site CNET, the Justice Department argues that it must be able to prosecute violations of websites' often-ignored, always-unintelligible "terms of service" policies.
The law must allow "prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider", Richard Downing, the Justice Department's deputy computer crime chief, will tell the US Congress tomorrow.
Scaling back that law "would make it difficult or impossible to deter and address serious insider threats through prosecution", and jeopardise prosecutions involving identity theft, misuse of government databases and privacy invasions, according to Downing.
The law in question, the Computer Fraud and Abuse Act, has been used by the Justice Department to prosecute a woman, Lori Drew, who used a fake MySpace account to verbally attack a 13-year-old girl who then committed suicide. Because MySpace's terms of service prohibit impersonation, Drew was convicted of violating the CFAA. Her conviction was later thrown out.
What makes this possible is a section of the CFAA that was never intended to be used that way: a general-purpose prohibition on any computer-based act that "exceeds authorised access". To the Justice Department, this means that a website's terms of service define what's "authorised" or not, and ignoring them can turn you into a felon.
On the other hand, because millions of Americans likely violate terms of service agreements every day, you'd have a lot of company.
A letter (PDF) sent to the Senate in August by a left-right coalition, including the ACLU, Americans for Tax Reform, the Electronic Frontier Foundation and FreedomWorks, warns of precisely that. "If a person assumes a fictitious identity at a party, there is no federal crime," the letter says. "Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. This is a gross misuse of the law."
Orin Kerr, a former Justice Department computer crime prosecutor who's now a professor of law at George Washington University, says that the government's arguments are weak.
Kerr, who is also testifying tomorrow before a House Judiciary subcommittee, said that:
Kerr's testimony gives other examples of terms of service violations that would become criminal. Google says that you can't use its services if "you are not of legal age to form a binding contract", which implies that millions of teenagers would be unindicted criminals. Match.com, meanwhile, says that you can't lie about your age, criminalising the profile of anyone not a model of probity.
"I do not see any serious argument why such conduct should be criminal," Kerr says.
The Justice Department disagrees. In fact, as part of a broader push to rewrite cybersecurity laws, the White House has proposed (PDF) broadening, not limiting, CFAA's reach.
Stewart Baker, an attorney at Steptoe and Johnson who was previously a Homeland Security assistant secretary and general counsel at the National Security Agency, has suggested that the administration's proposals to expand CFAA are draconian. Uploading copyrighted YouTube videos twice "becomes a pattern of racketeering", with even more severe criminal penalties, "at least if justice gets its way," Baker wrote.
In a kind of pre-emptive attack against Kerr's proposed fixes, the Justice Department's Downing says that the CFAA properly criminalises "improper" online activities.
"Businesses should have confidence that they can allow customers to access certain information on the business's servers, such as information about their own orders and customer information, but that customers who intentionally exceed those limitations and obtain access to the business's proprietary information and the information of other customers can be prosecuted," Downing's prepared remarks say.