Good news: another federal judge has ruled that violating a website terms of service is not a crime. But there's bad news, too — the court also found that bypassing technical or code-based barriers intended to limit access to or uses of a website may violate California's computer crime law.
The decision comes in Facebook v. Power Ventures, a case in which Facebook is suing a company that offers a tool for users to access and aggregate their personal information across social networking sites. Because Facebook's terms of service don't allow users to access their information through "automated means," Facebook claimed that Power accesses its service "without permission" in violation of California Penal Code Section 502. Facebook has also argued that Power broke the law by evading Facebook's effort to block the Power browser’s IP address, which was meant to try to keep users from accessing their Facebook accounts though the Power website.
EFF filed an amicus brief in this case, urging the court to reject Facebook's computer crime claims. We argued that turning any violation of terms of use into a crime would give websites unfettered power to decide what conduct is criminal, leaving millions of Internet users vulnerable to prosecution for everyday activities.
The court agreed with our position, relying heavily on our brief. This part of the ruling is great.
Unfortunately, the court also said that Power might be liable if it changed its IP address so that its browser could continue to interoperate with the Facebook service. In other words, it may be a crime to circumvent technological barriers imposed by a website, even if those measures are taken only to enforce the terms of service through code. There's nothing inherently wrong or unlawful about avoiding IP address blocking, and there are valid reasons why someone might choose to do so, including to sidestep anticompetitive behavior by other Internet services. As long as an end user is authorized to access a computer and the way she chooses doesn't cause harm, she should be able to access the computer any way she likes without committing a crime.
Overall, yesterday's opinion is an important precedent that aligns with United States v. Drew, a decision last year finding that a woman did not violate the federal hacking law when she created a fake MySpace profile, as well as recent Ninth Circuit cases. We welcome the court's rejection of terms of service violations as triggers for criminal liability, but will continue to work to demonstrate to courts that not all technological measures are created equal. If the measure seeks to control access to or use of data, then evasion of it is almost certainly criminal. But if the restriction merely seeks to impose owner preferences or terms of service on otherwise authorized users, bypassing it should not be a crime.
As other courts look at this issue, we hope that they will agree that code-based restrictions require a very fact-specific inquiry, and will remain open to the possibility that bypassing such measures should not necessarily be criminal.