The Department of Justice would like the authority to put millions of American parents in prison. Don’t believe me? Read on.
A House Judiciary Committee hearing today considered the federal computer crime statute, the Computer Fraud and Abuse Act, known to its friends as the CFAA. Among other things, the Act punishes anyone who “exceeds authorized access, and thereby obtains … information.” The penalty for a first-time offense is a fine and up to a year in prison.
This provision has been used to prosecute people whose only misuse of a computer was violating a website’s terms of service. Most famously, when Lori Drew helped her daughter create a fake MySpace profile under the name “Josh Evans” to flirt with and then disparage a 13-year-old neighbor, Megan Meier. After “Josh” told Megan, “Have a shitty rest of your life. The world would be a better place without you,” Megan killed herself. When Drew was prosecuted, it wasn’t for homicide, but for exceeding authorized access to MySpace’s servers. Drew herself deserves no sympathy, but the theory that her crime was complete when she created the fake profile would make a criminal out of anyone who fails to comply with every last term in the fine print in a website’s terms of service.
Orin Kerr, the leading academic authority on the CFAA, has pointed out the absurdity of this reading of the CFAA. At the hearing today, he explained that it would make him a criminal because he lives in Arlington, Virginia but lists “Washington, D.C.” on his Facebook profile. In his written testimony, he pointed to simple statutory fixes that would draw a more sensible line between routine computer use and real computer crime.
But Richard Downing, the Deputy Chief of the the Computer Crimes and Intellectual Property Section of the Department of Justice, was having none of it. In his testimony, he explained:
We believe that Congress intended to criminalize such conduct, and we believe that deterring it continues to be important. Because of this, we are highly concerned about the effects of restricting the definition of “exceeds authorized access” in the CFAA to disallow prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider.
Here’s an example of the severe criminal computer misuse that Downing would like the CFAA to prohibit: parents helping their children get on Facebook. Not just getting on Facebook with fake profiles to harass classmates, like in Drew. No, getting on Facebook at all.
Facebook doesn’t let users sign up unless they’re 13 or older. Facebook does this in order to comply with a 1998 law, the federal Children’s Online Privacy Protection Act. It puts stringent limits on the personal information websites can collect from children under 13. Some websites comply by going through the hard work of getting and verifying parental consent. But many others, including Facebook, comply by prohibiting children under 13 from using their site at all.
The prohibition is honored mainly in the breach. According to Consumer Reports, 7.5 million children under 13 use Facebook. One academic study found that 46% of 12-year-olds used Facebook, and other research is consistent with these findings. Pre-teens are on Facebook, notwithstanding its policies.
A recent paper by danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey examined the motivations of parents whose underage children were on Facebook. Some misunderstood the minimum age, or thought it was only a recommendation, but a substantial fraction understood that it was a genuine requirement. Over three quarters of the parents they surveyed agreed there were circumstances under which they’d let their child violate a site’s age restrictions, particularly for school-related reasons or to communicate with family members. And of the half of the parents in the survey (roughly 50%) with children who had Facebook accounts, over half had helped create the account.
Facebook’s terms of service leave no room for doubt:
4. … Here are some commitments you make to us relating to registering and maintaining the security of your account: …
1. You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
5. You will not use Facebook if you are under 13.
Parents who create accounts for their children violate section 4.1 by “creat[ing] an account for anyone other than yourself.” On the Department of Justice’s theory of “exceeds authorized access,” that means the parents have directly violated the CFAA. But even parents who merely help their underage children create accounts (for example by explaining how to enter a false birthdate) are in trouble. Their children “exceed authorized access” by violating section 4.5. That makes the parents guilty of aiding and abetting a violation of the CFAA. The punishment is the same.
boyd and her coauthors focus mainly on the failure of COPPA’s regulatory strategy, and on the moral lesson parents teach their children when they show that lying online is acceptable. But there is another, even more frightening point implied by their findings. A mother in Ohio who helps her son sign up for Facebook to keep in touch with his cousin in Arizona is exposing herself to criminal liability, if the CFAA means what the Department of Justice claims it does. Worse still, the Department of Justice wants it to make a criminal of the mother.
This ought to be a scandal. A high official in the Department of Justice is endorsing a law that could be used to put millions of parents in prison. Do something to tick off a federal prosecutor and even if you’ve otherwise lived a blameless life, they can lock you up for helping your kid use Facebook.
UPDATE: Orin Kerr is cautiously optimistic that the DOJ is taking a more moderate position in its interpretation of the CFAA.