• United States



Busted! DOJ says you might be a felon if you clicked a link or opened email

Nov 15, 20116 mins
CybercrimeData and Information SecurityMicrosoft

People don't always tell the truth online, imagine that, and if the Department of Justice has its way then that would be a criminal offense. In fact, a law professor says that under the Justice Department's interpretation of the Computer Fraud and Abuse Act, you could be convicted for "Routine and entirely innocent conduct such as visiting a website, clicking on a hyperlink, or opening an e-mail." You also might be a felon under the anti-hacking law if...

We may be doomed and you are probably a felon if you ever used a fake name online, used a bogus birthday to register on a site, or fibbed about your height or weight on an online dating profile, named a different town or city in a profile, or basically didn’t tell the exact truth anywhere online. Never done that? No problem, then you’re probably busted under the “obtains information” portion of the Computer Fraud and Abuse Act (CFAA). According to George Washington University Professor of Law Orin Kerr, “Any information of any kind is enough” to qualify you as a criminal under the Justice Department’s broad interpretation of CFAA. Kerr said that includes, “Routine and entirely innocent conduct such as visiting a website, clicking on a hyperlink, or opening an e-mail.”

Richard Downing, the Justice Department’s deputy computer crime chief, told CNet’s Declan McCullagh, “The law must allow prosecutions based upon a violation of terms of service or similar contractual agreement with an employer or provider.”

People don’t always tell the truth online, imagine that, and if the Department of Justice has its way then that would be a criminal offense. That seems to make Google’s previous war on pseudonyms look tame as the wham bam wouldn’t be a ban but the slamming of prison doors behind most people who use computers today. It doesn’t even have to be committed online or on a computer, but anything with a microchip! The DOJ is hungry for the power to convict folks who have broken any website terms of service based off a 2008 “MySpace Suicide” case in which the user registered under an alias and bullied a 13-year-old girl until the girl killed herself.

Now I’m really sorry that happened to the little girl, but we are told to trust the Justice Department’s discretion about who to prosecute under the CFAA. However, I have not yet forgotten that the DOJ recommended a law firm to Bank of America which then used three intelligence agencies to attack WikiLeaks and plan a digital character assassination for people supporting them. That made me scratch my head and worry about our justice system which is supposed to support liberty and justice for all in America. Criminals under an anti-hacking law for not even hacking but for telling a fib or visiting a site? That’s as ridiculous as the Espionage Act making felons of all us who read, commented upon, tweeted or otherwise interacted with Cablegate ‘classified’ memos.

Orin Kerr testified before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security at the Cyber Security: Protecting America’s New Frontier hearing. From his testimony [PDF] concerning the DOJ’s current broad definition interpretation of “exceeding authorized access” statute, Kerr broke it down in terms that should alarm us all. You would be guilty as a felon if you:

(1  Intentionally exceeds authorized access

(2  Obtains information

(3  From a protected computer

Elements (2) and (3) will be satisfied in most instances of routine computer usage. Element (2), the requirement that a person ‘obtains information,’ is satisfied by merely observing information. Element (3) is easily satisfied because almost everything with a microchip counts as a protected computer. The device doesn’t need to be what most people think of as a “computer,” and it doesn’t need to be connected to the Internet.

Busted! But since when is using a nym a sin or worse, a felony? Aren’t prisons overcrowded enough? Millions of Americans would be guilty under CFAA and clicking on a hyperlink doesn’t strike me as being in the same category with those felons convicted of rape and murder. Take Microsoft for a minute; do you even read the TOS on sites or just click accept to get on with it?

Kerr also laid out a few examples such as Google TOS; anyone who is under 18 and uses Google search is a criminal under the Justice Department interpretation of the statute. As would any other fib told on for example. In fact, sites can make up any ridiculous TOS and, Kerr said, “under the the Justice Department’s interpretation of the statute, all of these Terms of Use can be criminally enforced.”

You know, other countries that used to love America are shaking their heads wondering what the heck happened to us. As the NZ Herald pointed out, America has become the land where liberty is protected by taking it away.

A previous letter [PDF] addressing the wording in CFAA from the likes of the ACLU, CDT, EFF and many other concerned groups stated:

At least one federal prosecutor has brought criminal charges against a user of a social network who signed up under a pseudonym in violation of terms of service. These activities should not be “computer crimes,” any more than they are crimes in the physical world….If a person assumes a fictitious identity at a party, there is no federal crime. Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. This is a gross misuse of the law. The CFAA should focus on malicious hacking and identity theft and not on criminalizing any behavior that happens to take place online in violation of terms of service or an acceptable use policy.

Sometimes it doesn’t seem very difficult at all to understand by the Occupy movement is picking up steam.

Like this? Here’s more posts:

  • Fourth Amendment’s Future if Gov’t Uses Virtual Force and Trojan Horse Warrants?
  • 4th Amendment vs Virtual Force by Feds, Trojan Horse Warrants for Remote Searches?
  • Facebook Wants to Issue Your IRL Offline ID & Internet Driver’s License
  • Skype Exploits: I know where you are, what you are sharing, and how to best stalk you
  • FBI rolling out nationwide face search and recognition system
  • Alabama Sheriff Demands Go Daddy Kill AntiSec Hackers’ Websites for Data Dumps
  • Privacy Nightmare: Data Mine & Analyze all College Students’ Online Activities
  • Double Security Whammy, No Patches: Killer SSL DDoS Attack, XML Encryption Broken
  • Not Without a Warrant: Privacy Upgrade and Digital Liberty from Surveillance
  • Secret Snoop Conference for Gov’t Spying: Go Stealth, Hit a Hundred Thousand Targets
  • PROTECT-IP or control freaks? Monster Cable blacklists Sears, Facebook as rogue sites
  • 4Chan Founder Moot Cherishes Choices: ‘Facebook and Google Do Identity Wrong’
  • Do you give up a reasonable expectation of privacy by carrying a cell phone?

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.