That's One Less Federal Crime You'll Commit Today


There are many federal criminal statutes susceptible to frighteningly broad interpretation. One of them, as I've suggested before, is the federal computer fraud statute, 18 U.S.C. section 1030. It can be interpreted to make it a federal crime to violate your employer's computer use policies (for instance, by reading Popehat at work) or to violate a web site's terms of use, however obscure. That's exactly the argument the feds made in their prosecution of Lori Drew, which was ultimately unsuccessful. This is some of the problematical language of the statute:

(a) Whoever—
. . . .
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
. . . .
(C) information from any protected computer;

Since "protected computer" means any computer in or affecting interstate commerce (any computer connected to the internet, basically), this can be read to criminalize logging onto a site beyond "authorized access" and getting information — including, hypothetically, registering for Facebook with any false information and getting information online from Facebook as a result.

The danger is not that the government will prosecute everyone who lies about their weight on Match.com or lets their 12-year-old register on Facebook or visits Popehat from Canada without sending us donuts. The danger is that the government will selectively prosecute people they don't like — that the government will use this statute to scratch their "there oughta be a law" itch when they are mad at someone who hasn't actually committed a real federal crime.

Fortunately, the government's ambitions have now been thwarted — at least in the Ninth Circuit. In United States v. Nosal, a divided Ninth Circuit panel rejected the broad interpretation of Section 1030 and adopted a narrower approach. I'm in appellate brief Hell, so I won't give you the full rundown. Look instead to Orin Kerr — the victor in the Drew case, who has been sounding the alarm on the dangers of this statute for years — or to Jacob Sullum. The decision — written in typically entertaining fashion by Judge Kozinski — does an excellent job of explaining how a broad interpretation of the statute could criminalize a vast swath of typical behavior. This ruling puts the Ninth Circuit at odds with other Circuits, but to a good end.

Edited to add: Doug's take is well worth reading. And not just because he quotes me.


17 Comments

  1. Shawn  •  Apr 11, 2012 @11:40 am

    Is the decision available to be viewed online? I would like to read this.

  2. Patrick  •  Apr 11, 2012 @11:43 am

    You can find it by clicking the link which begins "divided Ninth Circuit".

  3. Bill Poser  •  Apr 11, 2012 @12:30 pm

    That's sure a relief: I live in Canada and didn't even know about the donut requirement. But, if I did, isn't it a problem getting donuts in case quantities through US customs?

  4. Marc  •  Apr 11, 2012 @1:38 pm

    Ken, quick hypothetical:

    Since it is a violation of Facebook's TOS to provide others with your login information, when a potential employer asks for a person's Facebook password, can they refuse on the grounds that he is asking them to break the law? If he refuses to hire them based on this, is there any potential recourse?

  5. Ken  •  Apr 11, 2012 @2:03 pm

    Marc, there are a couple of components to your question. The first is whether letting someone else log in to your Facebook could be a crime. I think the answer is, under the broader interpretation that the Ninth Circuit rejects, yes.

    The second component is whether a potential employer can refuse to hire you for refusing to do something illegal. That's a state-by-state question. In some jurisdictions, firing someone — or refusing to hire them — because they won't break the law is a tort.

  6. ShelbyC  •  Apr 11, 2012 @2:29 pm

    Wrt the Facebook thing, I would think that the employer logging in using somebody else's credentials, without Facebook's authorization, would be a violation even under the 9th circuit's interpretation. Surely if Nosal's friend had given Nosal his credentials, and Nosal had logged in and gotten the information himself, that would have been a violation, no? The "protected computers" at issue belong to Facebook, not the account holder.

  7. ScottH  •  Apr 11, 2012 @2:36 pm

    They got Tim Hortons in the US now; we could send him donuts from one of them, eh? Hey, Hosehead – do you like Pineapple Crullers?

    They could be useful in researching your cases:

  8. Jess  •  Apr 11, 2012 @2:59 pm

    Well, Bill, if you bring them over yourself you risk a strip search by customs. I mean if they'll strip search Loretta Van Beek over a few accidentally undeclared raspberries I can only imagine what they would do for donuts. I take that back, I don't want to imagine.

  9. Jerryskids  •  Apr 11, 2012 @4:26 pm

    YOU MUST READ THE OPINION! Most entertaining thing I've read all day.

    But it was rather disconcerting to read the opinion and see this in the dissent: "I fail to see how anyone can seriously conclude that reading ESPN.com in contravention of office policy could come within the ambit of 18 U.S.C. § 1030(a)(4), a statute explicitly requiring an intent to defraud, the obtaining of something of value by means of that fraud, while doing so “knowingly.” And even if an imaginative judge can conjure up far-fetched hypotheticals producing federal prison terms for accessing word puzzles, jokes, and sports scores while at work, well, . . . that is what an as-applied challenge is for."

    In other words, oh, don't worry, that's not what they meant and even if they did they would never enforce it and even if they did enforce it, you would probably find some judge down the line after some lengthy and expensive legal proceeding that would cut you loose anyway.

    Cold comfort, that.

  10. Jerryskids  •  Apr 11, 2012 @4:46 pm

    That is my biggest frustration over the law as it has become to be an attempt to legislate "fairness". A law that calls for the death penalty for spitting on the sidewalk is fair insofar as it makes the crime and the punishment quite clear – it draws a "bright line" between what is permissible and what is prohibited.

    Is it "fair" in some cosmic sense? Well, that meaning of "fairness" has been debated by thousands of eminent scholars for thousands of years. If access to a "fair" ruling depends on which philosophy book the judge most recently read, we are all subject to seemingly random rulings.

    It seems so many laws now have some component of "reasonableness" written right into the law. What is reasonable? Well, we will let a judge and jury decide that after the fact; but you have no way of knowing ahead of time whether or not you are about to break the law. You might as well throw out the entire code and replace it with a single law: Thou shalt not do bad things.*

    *For further details, consult the judge and jury at your trial.

  11. Mercury  •  Apr 11, 2012 @6:39 pm

    Once pretty much everything is illegal (we're almost there!), selective enforcement will make our political/legal system indistinguishable from totalitarianism. Official whimsy in other words will be basically all that stands between your at-liberty self and jail/legal hell at any given time.

    The Feds are pushing in this direction the most, especially with the myriad (and very recent) rules and regs dreamed up by the always expanding list of federal agencies (also magic-wanded into existence).

    The WSJ did a long article recently about huge laundry lists of shiny new federal crimes that are ensnaring all kinds of people for engaging in essentially harmless activity.

  12. Hortensio  •  Apr 11, 2012 @7:50 pm

    You have a preferred flavour of Timbit you'd like sent over?

  13. Jordan  •  Apr 11, 2012 @7:53 pm

    "The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information."

    Interesting facts.

  14. Orin Kerr  •  Apr 11, 2012 @11:41 pm

    Thanks for the shoutout, Ken. The interesting question now is whether DOJ will petition for cert. Stay tuned on that one.

  15. Mercury  •  Apr 12, 2012 @9:25 am

    Here's the link to the (even better) online version of the WSJ series on federal crime expansion I mentioned above: http://topics.wsj.com/subject/F/federal-offenses/6853

  16. mojo  •  Apr 13, 2012 @11:21 am

    HAH! I just ripped the "Do Not Remove Under Penalty of Law" tag off the bottom of my chair!

    COME AT ME, BRO!

  17. Crissa  •  Apr 13, 2012 @4:30 pm

    This isn't much different than felony trespass, though. It really is as simple as walking on someone's lawn when they requested you not to. Or walking on the sidewalk outside a business that has kicked you out (actual law in California).

    I'm not sure how to write it – not to say it can't be better – and not leave some iffy loopholes that couldn't be exploited. This is just basically trespass electronically… But do need a law penalizing breaking and entering into someone's electronics.
