Did you really go to Harvard? Were you actually born in 1982? Did you truly spend that summer backpacking through Europe? Your online profile certainly says so. But if such statements are, shall we say, somewhat less-than-truthful, did you just commit a federal computer crime? In other words, could lying on Facebook really land you in jail?
YOU CAN’T HANDLE THE TRUTH
Relax. It is highly, highly unlikely that a decision to fudge your age or weight or use a fake name on Facebook is going to result in any extended jail time. But just in case you were planning on making a habit of it, know that there was once a time when the federal government actually argued such conduct could theoretically be deemed criminal.
Few people realize that claiming to be another person, creating multiple accounts, letting someone else log into your account or falsely representing an organization violates Facebook’s terms of service. Or that by using online dating sites like Match.com, you not only agree to “not provide inaccurate, misleading or false information to the company or to any other member,” but must also update any information that “subsequently becomes inaccurate, misleading or false.”
So the bigger question becomes: Is it a crime to violate a website’s terms of service? If so, millions of people could potentially be at risk for uploading false data to social media or online dating sites. And what about your company’s computer-use policies? Could using ESPN.com at work to check a score get you in hot water with the Department of Justice?
THE TRUTH IS (NOT NECESSARILY) OUT THERE
Think people only upload truthful information about themselves on social media sites? Why not ask Darth Vader, who apparently settled in Allentown, Pa., after his storied adventures during the Star Wars saga. At least that is what his Facebook page says.
In fact, according to a June study of 2,000 households by Consumer Reports, 25 percent of Facebook users admitted to falsifying information on the site — be it their name, birth date or location. This was double the number of users from two years ago.
So what happens if you throw caution to the wind and continue to post such “creative” information? Have you done something illegal? The answer may surprise you.
COMPUTER FRAUD AND ABUSE ACT OF 1986
In 1984, Congress initiated a campaign against computer crime by passing the Counterfeit Access Device and Computer Fraud and Abuse Act. Shortly thereafter, it expanded the act with a revised version: the Computer Fraud and Abuse Act.
Originally intended to help crack down on computer hacking, the CFAA also assists the federal government in prosecuting computer fraud cases.
Passed in 1986 and amended several times — most notably as part of the USA Patriot Act in 2001 — the reach of the CFAA has expanded over the years.
Despite it being primarily a criminal statute, a civil provision was added to the CFAA in 1994 to provide a private cause of action if a violation causes loss or damage, as defined therein. In 2008, the CFAA was further amended by the Identity Theft Enforcement and Restitution Act — which eliminated the threshold need for a plaintiff’s loss to be greater than $5,000 and made it a felony for a user to cause damage to 10 or more computers.
According to the Electronic Frontier Foundation’s Internet Law Treatise (ilt.eff.org), a CFAA violation can be committed in two ways: either by an outsider who trespasses into a computer, or by an intruder who goes beyond the scope of his or her given authorization.
Congress did not define the phrase “without authorization” — perhaps assuming the words speak for themselves. But the term “exceeds authorized access” is defined by Section 1030(e)(6) to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” Courts have recognized the distinction between these terms is “arguably minute.”
OUT OF PLACE ON MYSPACE
The most notable use of the CFAA to target those accused of exceeding their authorized access to social media sites occurred in the lamentable case of United States v. Drew, 259 F.R.D. 449 (C.D. Cal. Aug. 28, 2009)— referred to by The New York Times as the country’s “first cyberbullying verdict.”
In Drew, defendant Lori Drew was charged with violating the CFAA by using a fictitious name and age on a Myspace account to make hurtful comments to a teenage girl in the fall of 2006. Tragically, the girl later took her own life. Following a wave of public outcry, federal prosecutors claimed Drew broke federal law by violating Myspace’s terms of service — and that her communications were responsible for the teen’s death. Drew was subsequently convicted of a misdemeanor under the CFAA in November 2008.
But in 2009, a California federal judge threw out the conviction after the court determined the CFAA was inapplicable to the allegation that Drew violated Myspace’s terms of service, as it would effectively “criminalize … a breach of contract.” There was no appeal.
COMPUTER-USE POLICIES AND THE CFAA
Two schools of thought exist with respect to violations of corporate policies and the CFAA.
The first, promulgated by the U.S. Court of Appeals for the Seventh Circuit in International Airport Centers v. Citrin, 440 F.3d 418 (7th Cir. 2006), holds that when an employee accesses a computer or information on a computer to further interests that are adverse to his or her employer, he or she violates his or her duty of loyalty — thereby terminating his or her agency relationship and losing any authority he or she has to access the computer or any information on it. Thus, the Seventh Circuit held an employee who erased crucial data on his company laptop prior to turning it in at the end of his employment violated the CFAA. It reasoned his “breach of his duty of loyalty terminated his agency relationship … and with it his authority to access the laptop, because the only basis of his authority had been that relationship.” The Fifth and Eleventh circuits follow this approach.
The second school of thought, articulated by the Ninth Circuit in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), interprets the terms “without authorization” and “exceeds authorized access” literally and narrowly, limiting their application to situations where an individual accesses a computer (or information on a computer) without permission.
In Nosal, the Ninth Circuit, sitting en banc, held the defendant’s co-conspirators, a group of employees at an executive search firm, did not violate the CFAA when they retrieved confidential information via their company user accounts and transferred it to the defendant, a competitor and former employee. It reasoned the CFAA fails to provide a remedy for the violation of a use policy where authorization has not been rescinded.
Notably, as part of the Nosal decision, authored by Ninth Circuit Chief Judge Alex Kozinski, the court “respectfully declined to follow our sister circuits,” and “urge[d] them to reconsider instead.”
At least one other circuit has heeded Kozinski’s advice — this time in the context of a civil CFAA claim. Despite disagreeing with the Ninth Circuit’s exact interpretation of “exceeds authorized access” — in that it could, theoretically, impute liability to employees with no intent to defraud — the Fourth Circuit in WEC Carolina Energy Solutions v. Miller, 687 F.3d 199 (4th Cir. 2012), nevertheless rejected the Seventh Circuit’s automatic “cessation-of-agency” theory. In so ruling, WEC Carolina sided with Nosal to find a former employee who, prior to his resignation, downloaded proprietary information at his new employer’s direction and then used it to make a presentation to a potential customer did not violate the CFAA.
The Fourth Circuit also noted that “other legal remedies” existed to dissuade such disloyal conduct. In so doing, the court endeavored to rein in efforts to utilize the expansive damages available under the CFAA — which can include response costs, damage assessments, restoration of data or programs, wages of employees for these tasks, lost sales, lost advertising revenue and even harm to reputation or good will.
Is goofing off at work actionable? Should your Facebook page be subject to a lie-detector test? As shown above, questions such as these are currently working their way through both the judicial and legislative branches.
Conceivably, the recent momentum from the Ninth and Fourth circuits will continue to limit the reach of the CFAA as it applies to nonfraudulent, everyday uses of workplace computers and websites.
There is also a block of individuals and organizations — led by Senator Patrick Leahy, D-Vt., and former Justice Department computer crime prosecutor Orin S. Kerr — who intend to correct what they see as a draconian interpretation of the CFAA.
For instance, in August, Leahy proposed an amendment to the Cybersecurity Act of 2012 (S 3413) to, in effect, adopt the Ninth Circuit’s narrow interpretation. That bill, however, failed to obtain the votes required to move it forward. And with Congress on recess (and its focus likely turning toward the upcoming November elections) commentators believe any such legislation is not expected to be voted on until next year.
Additional protection from prosecution may come from the government itself. During his testimony before Congress in November 2011, Richard Downing, deputy chief of the Department of Justice Computer Crime and Intellectual Property Section, testified that “the DOJ is in no way interested in bringing cases against the people who lie about their age on a dating site or anything of the sort. We don’t have time or resources to do that.”
Yet this reasoning was insufficient for Kozinski. Indeed, according to the Nosal court, “the government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations. But we shouldn’t have to live at the mercy of our local prosecutor.”
Commentators have also discussed how the CFAA cases have long been likely candidates for Supreme Court review — given the apparent circuit split. And although the Department of Justice sought an extension to file a cert petition in Nosal one day after WEC Carolina was decided, it ultimately chose not to proceed in August without explanation.
Amazingly, if the strictest letter of the CFAA were to be applied today, one-quarter of Facebook’s domestic users (about 29 million people) could, in theory, be transformed into fugitives for having something false on their pages. The remainder could be picked up for checking social media sites at work in violation of their company’s computer-use policy.
Obviously that is not going to happen.
So, while there is certainly no need to go out and scrub the content on your online dating or social media profile, it is at least worth thinking about the type of information you post online until this issue is ultimately resolved by the legislature. •
Jeffrey N. Rosenthal is an attorney with Blank Rome. He concentrates his practice in the areas of complex corporate and commercial litigation, and specializes in cases involving technology. He regularly publishes articles on the nontraditional uses of social media and its implications for modern practice. He can be reached at firstname.lastname@example.org.