When McMansion Hell blogger Kate Wagner received Zillow’s letter last month demanding that she take down her architecture parody blog, she was scared. So scared that she temporarily disabled access to her blog via McMansionHell.com until she could find an attorney. We’re happy she found us at EFF.
While all of the claims Zillow made were highly dubious, one stuck out to us as especially egregious and scary: the claim that McMansion Hell violated a notorious vague criminal statute called the Computer Fraud and Abuse Act, or CFAA. That Zillow’s lawyers thought it was proper to include this threat shows how strongly we need some sanity brought to the CFAA.
Luckily, the Supreme Court has the opportunity to bring that sanity—and we urge them to do so.
CFAA’s Ongoing Threat
The CFAA, inspired in part by by a fictional movie, was meant to criminalize breaking into computers to access or alter data. But it’s language in incredibly broad and vague. It makes it illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—“without authorization” or in excess of authorization, but it doesn’t tell us what “without authorization” means.
Sadly, both prosecutors and private parities have taken advantage of this vague language, endeavoring to stretch the law to cover any “bad” conduct that happens to involve a computer—even just violating a website’s terms of use. As journalist Sarah Jeong said on an episode of the podcast ReplyAll about the CFAA, “When nothing else sticks, you can always turn to the CFAA.” It’s tacked on in all sorts of cases that have nothing to do within breaking into a computer—including the Zillow McMansion Hell controversy.
For those looking to get content offline, the CFAA is an obvious choice for a powerful scare tactic. That Zillow’s lawyer’s chose to say that Ms. Wagner “may” have violated the CFAA was cold comfort; for most people even the suggestion of criminal charges is enough to scare them into complying with a takedown demand. This is compounded by a range of court decisions interpreting the law in conflicting ways. If courts can’t even agree about what the CFAA covers, how can those unfamiliar with the law be expected to tell whether a CFAA-based demand for an immediate takedown is legitimate?
Time to Rein in the Threat of the CFAA
It’s long past time for both the courts and Congress to put an end to such abusive behavior by clarifying what the law does and doesn’t reach—and by putting Terms of Service violations on the far side of that line. Right now the Supreme Court seems like the best option.
Earlier this summer, in fact, EFF asked the Supreme Court to step in and clarify that using a computer in a way that violates corporate policies, preferences, and expectations, which is what Zillow claimed here, cannot be grounds for a CFAA violation. A clear, unequivocal ruling would go a long way to help stop abuses like those Zillow inflicted on Ms. Wagner. The case, called U.S. v. Nosal, is on appeal from a Ninth Circuit ruling that threatens to transform the CFAA into a mechanism for criminalizing password sharing and policing Internet use.
EFF has also been pushing for CFAA reform for years and increased those efforts after the tragic death of programmer and Internet activist Aaron Swartz. Our efforts in Congress have been blocked so far, with tech giants like Google, Facebook, and Oracle shamefully unwilling to support reform even as the law needlessly claims lives and results in massively overbroad sentences.
The CFAA was passed years before the advent of the modern Internet and is desperately out-of-touch with how we use computers today. Common sense changes, like clarifying that terms of service violations cannot give rise to federal criminal liability, are needed—both to reign in prosecutorial discretion and to help stop companies from using the CFAA as a scare tactic. We hope the Supreme Court takes up the Nosal case.