Civil and Criminal Liability for “Faking A Name on Facebook”? Not Likely.

This week, the Wall Street Journal published an article concerning the Computer Fraud and Abuse Act and criminal charges under that Act. The article was written by Orin Kerr, a Los Angeles employment lawyer. Mr. Kerr correctly points out that the federal government is using the Act for investigations and prosecutions that nobody could foresee in 1986, when the Act was initially enacted by Congress. Mr. Kerr, however, strays off course when he imagines various “doomsday scenarios” that could result from increased penalties under the Act. He imagines a world in which people open themselves up to prison time and civil liability whenever they use a computer or website in violation of any rule or guideline, no matter who came up with the rule or guideline. A simple reading of the Computer Fraud and Abuse Act, however, shows that most of Mr. Kerr’s fears are unfounded.

Civil Liability for Excessive Internet Use

Invoking the myth of frivolous litigation, Mr. Kerr suggests that merely using a computer incorrectly can subject someone to civil litigation. He asserts, without any factual support, that “federal courts have been flooded with silly disputes” arising under the Computer Fraud and Abuse Act.

While the Act does have a provision for civil suits, the Act significantly limits the circumstances in which plaintiffs can pursue damages. Specifically, a person can only maintain a civil action if the “unauthorized access” of a computer results in economic damages exceeding $5,000, physical injury to a person, or a threat to public health or safety. Litigation is also authorized when the access results in the modification or impairment of medical treatment or damage to a U.S. Government computer used for national defense, national security, or the administration of justice.”

In other words, nobody can be (successfully) sued under the Act for simply violating a website’s terms of service. No right to sue arises from “hurt feelings” or emotional distress. Just as with any other case, the plaintiff must prove real damages to bring a suit under the Computer Fraud and Abuse Act. The “flood” of civil suits that Mr. Kerr envisions simply has not happened and will not happen.

Criminal Liability for Making Coffee

Mr. Kerr suggests that, under the Act, you “may have committed a federal crime” if you use a neighbor’s coffeemaker without getting his permission first. His justification for this assertion is that the Act broadly defines “computer,” and everyday appliances like coffeemakers technically have “computers” in them. This sounds ludicrous, and it is. Even under the broadest imaginable interpretations, the Act only imposes criminal liability if someone accesses a computer either to damage the computer or to obtain information from the computer. In the case of the coffeemaker, no information is obtained from the computer; thus, there is no criminal liability under the Act. In fact, the Act probably even excludes such simple appliances from the definition of “computer.” Under the act, the term does not include “an automated typewriter or typesetter, a portable hand-held calculator, or other similar devices.” The simple, isolated computers in our everyday appliances much more resemble “handheld calculators” than the databases and communications facilities described in the Act.

Criminal Liability for Checking Sports Scores

But what about computers that actually do obtain information? Mr. Kerr imagines that you could be jailed for “lying about your age or weight on an Internet dating site” or using “the company’s computer to check sports scores online.” He states that the use of any computer that “exceeds authorized access” is a criminal act. This ignores the definition of “exceeds authorized access” under the Act, which defines the term as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” In other words, “exceeding authorized use” requires three steps: (1) accessing a computer (with authorization), (2) obtaining or altering information in that computer, and (3) the information obtained or altered must be informed that the person wasn’t authorized to access.

So, the computer subject to the “terms of access” and the computer holding the information obtained must be one and the same. This severely limits any possible criminal liability. In the case of “checking sports scores,” the worker’s policy would govern the usage of his own computer, but “checking sports scores” does not involve accessing information on that computer. The information actually accessed is on a server somewhere, with no limitations to authorized access. In the case of “lying about your age on an Internet dating site,” that simple act alone does not involve accessing any information on the dating site itself. Moreover, so long as the information on the dating website is freely available, there can be no unauthorized access of the information.

In sum, Mr. Kerr is probably correct that the Computer Fraud and Abuse Act is outdated in that it was written before anyone had contemplated the breadth of the Internet. It is certainly being used as a basis for some investigations and prosecutions that no one could have imagined in 1986, like cases involving Florida stalking injunctions. But, Mr. Kerr is way off base with his imagined criminal and civil liability for mundane, everyday web surfing. The Act may be outdated, but it’s still well enough written that it prevents such silly prosecution and civil suits.