During last week’s oral argument before the 9th Circuit Court of Appeals on the case of U.S. v. Nosal, 642 F.3d 781 (9th Cir. 2011), reh’g en banc granted (Oct. 27, 2011), members of the Court, including most notably Chief Judge Alex Kozinski, spent a substantial amount of time questioning the government lawyer about whether a Facebook user could be criminally prosecuted (meaning the person would face serious jail time) under the Computer Fraud and Abuse Act (“CFAA”) for lying about their personal information in signing up for a Facebook account. The full oral argument can be viewed at the following: click
The CFAA makes it a crime to gain unauthorized access to a computer. The questioning was premised on Facebook’s terms of service that prohibit a member of the public from providing false information in signing up for a Facebook account. The concern expressed by another Judge in the argument is that a violation of Facebook’s rules such as lying about one’s age would mean that access to Facebook is unauthorized and thus the person is subject to criminal prosecution under the CFAA. For a number of reasons this is a non-issue and, to the extent there is any issue, it is up to Congress, not the 9th Circuit, to remedy it.
First, it should be pointed out that the Nosal case does not involve a criminal defendant accessing Facebook. David Nosal, a Korn/Ferry International executive, was indicted for stealing confidential data from the company computers prior to joining a competitor. The issue before the 9th Circuit is limited to whether Nosal exceeded his authorized access to his employer’s computers when he violated Korn/Ferry’s computer policies that restricted the scope of its employees’ access to the company computers to “legitimate Korn/Ferry business.” Id.
Second, the fear that a minor offense such as lying on Facebook could be prosecuted is not unique to the CFAA. The wire fraud statute, for example, makes it a crime to engage in a scheme to defraud using interstate wires in furtherance of the scheme. On its face the wire fraud statute could theoretically not only be used against someone who lies on Facebook but could be applied against a college student who calls home asking his parents to wire him money for books, when in fact he intentionally lied, planning to use the money to buy beer.
No one has ever seriously argued that this potential misuse of prosecutorial discretion makes the wire fraud statute unconstitutional. Not only has no one ever been prosecuted for simply lying about their age on Facebook, the concern raised over the misuse of federal criminal statutes is totally overblown as evidenced by the fact that Department of Justice does not bring frivolous wire fraud prosecutions based on common lies that have no meaningful harmful impact. Nor is the CFAA unconstitutionally vague. The only Circuit case that has addressed this issue, U.S. v. Mitra, 405 F.3d 492, 496 (8th Cir. 2005), held that “[t]here is no constitutional obstacle to enforcing broad but clear statutes” and that “[t]he statute gives all the notice that the Constitution requires.”
The only government prosecution under the CFAA predicated, in part, on lying about one’s age in signing up for a social networking site, was brought against Lori Drew in the federal court in Los Angeles. Judge Kozinski referenced this prosecution in the oral argument. The Drew case, however, was not a prosecution predicated solely on Drew lying about her age. Drew was a 49-year-old woman who, according to the government’s indictment, used a MySpace account to harass and torment a 13-year-old girl, who, as a result, committed suicide. Drew perpetrated what has been referred to as cyberbullying by posing as a fictitious 16-year-old boy in violation of MySpace’s terms of service that required her, among other things, to provide truthful information on MySpace and not use MySpace to harass, abuse or harm other people or solicit personal information from anyone younger than 18.
No one can seriously argue that the allegations in the indictment were not serious conduct worthy of a criminal prosecution. In that case the jury convicted Drew of a misdemeanor for unauthorized access to MySpace’s website and did not convict her of the felony for doing so with the purpose of intentionally inflicting emotional distress on the young girl. The Department of Justice chose not to appeal that decision to the 9th Circuit.
Third and finally, it is not up to the courts to decide whether the CFAA is good or bad policy. Judge Kozinski responded to the government attorney at the argument stating that it “would be exceedingly bad policy to give the hands of the government the ability to prosecute everybody who has access to a computer” who might violate Facebook’s terms of service. Whether it is or is not bad policy, is not within the purview of the courts. Under the Constitution it is Congress that writes the laws, and it is the court’s obligation to enforce them.
The bottom line – someone who does nothing more than lie about their age on Facebook and violates Facebook’s terms of service could theoretically be prosecuted under the CFAA, but that does not make it unconstitutional or even a realistic concern.