Congress Could Make Facebooking at Work a Felony
“Congress Could Make Facebooking at Work a Felony,” Rebecca Freeman argues at Atlantic Wire.
“Imagine that President Obama could order the arrest of anyone who broke a promise on the Internet.” That’s what The Wall Street Journal‘s Orin Kerrthinks the latest cyber-security legislation will lead to: An assault on checking Facebook at work. Today the Senate Judiciary Committee will vote on proposed changes to the Computer Fraud and Abuse Act, which would seek tougher sentences for digital offenses. As more of the world moves online, so has crime. And legislation needs to adapt. But, does the latest updates to the bill target the right cyber criminals?
No, regular folk are in danger. The way the law is worded, it makes violating a terms of service agreement a felony. “The problem is that a lot of routine computer use can exceed ‘authorized access,'” explains Kerr. That means that if your employer prohibits Facebooking on the job and you sneak a peak at a tagged photo, you could face penalties. Senators Patrick Patrick Leahy and Al Franken expressed similar concerns about the proposal, suggesting the administration may be expanding the definition too much, reports eWeek. “We want you to concentrate on the real cyber-crimes, and not the minor things.”
While you might think an employer would never charge an employee for a felony based on Internet wandering, it’s not unprecedented, as Kerr points out. “In 2009, the Justice Department prosecuted a woman for violating the ‘terms of service’ of the social networking site MySpace.com. The woman had been part of a group that set up a MySpace profile using a fake picture. The feds charged her with conspiracy to violate the Computer Fraud and Abuse Act.” He also cites a case where a woman faced charges for using Ticketmaster. Abuse of the language of the legislation is a real possibility.
As has frequently been noted, almost everything is a crime in America. By one estimate, most of us commit three felonies a day. Most of them are technical violations of the law and you’re extremely unlikely to be charged. But you could be, especially if authorities need leverage against you.
As I put it over six years ago, There Should be a Law Against All these Felonies.
This is yet another example of the criminalization of something that ought to be dealt with by the civil court system, if at all. “Unauthorized access” that consists of phyiscally hacking into a computer or computer network is one thing, and should clearly be a crime for the same reason that breaking and entering is a crime. Violating the obscure terms of a Service Agreement that most of us never read before clicking “Agree,” or a work policy about using company computers for private business simply aren’t the same thing. My guess is that the law was originally only intended to go after the first type of activity but that it was written so broadly that it covers much more, which is a frequent problem.
@Doug Mataconis:
Interesting word, “physically.” Maybe you are co-opted already.
To “physically” break into a computer network, you’d need to splice wires or something. Sending packets is not physical.
BTW, I think I recall a story … you know URLs are made up of like:
http://abc.com/xx/yy/zz/mypage.html
It’s a common _use_ of the URL to back up a level and see what’s there:
http://abc.com/xx/yy/zz
or two:
http://abc.com/xx/yy/
There was actually a company that left their “yy” and “zz” directories unprotected, with private stuff in them, and then successfully charged someone who used them with “hacking.” I hope that got overturned, but who knows.
@john personna:
You have a point. Obviously, illegitimate hacking can take place “non-physically,” but I think you get where I’m going there.
@Doug Mataconis:
Sure, but as my zz/yy example shows, it can become an “intent” question, what constitutes remote access and what constitutes hacking. In that case the provider may not have intended access, but they failed basic web server setup, and essentially published their data.
Anyway, that’s a tangent to the whole morality of click-through licenses.
@john personna:
If I accidentally leave my garage door open when I get home tonight, does that mean someone has a right to walk inside?
@Doug Mataconis:
Totally different, unless you have public access spaces in your garage.
This is like you set part of your garage for public access, and forgot to draw lines to show which areas were not.
(Perhaps this is a case where the programmer sees a clear “publication” and the less technical only sees “but I didn’t mean to!”)
(I can go through the steps one takes when one installs a web server, to publish data, if I really have to, but long story short, these guys published directories using the default behavior of the web server, to show a directory without an index.html file as a file list.)
@john personna: If I live in an apartment behind my store, does that mean someone has the right to walk into my bedroom?
@WR:
Funny you should say that. I was in a country market that had no sign or indication where shop-space ended and store-room started. When I stuck my head in they said “Hey! don’t go back there.”
You probably need confirmation from another computer-head how bad that web server install was, but really, they published, and then faulted the reader.
Since this is hard for non-computer folk to understand, let me put it this way:
The web server package, in serving:
http://abc.com/xx/yy/zz
as a directory listing, was doing exactly what the designers and programmers of the web server intended.
It was a feature that zz be rendered as a directory listing.
This.
It’s like a newspaper publishing secret information on an interior page, assuming no one would read it, and then suing someone for doing so.
As we have seen, JP, it’s really easy to understand. You see, a computer is just like a garage…..
I’m curious, though, to hear more about the woman prosecuted for violating the terms of service on Myspace. I think there’s more to that story. Sounds like more of a “let’s bust Al Capone on tax evasion” situation.
And so a little Googling found this. It’s the myspace suicide lady. She created a fake profile to hurt a teenager’s feelings. “How was I suppose to know she’d kill herself?”
They probably should have prosecuted her on harassment charges instead, but now I’m betting the legal definition of “harassment” doesn’t include bugging people on Myspace, so…..
Sounds like we could use a rewrite on a couple of laws.
PS. The lady who “faced charges for using Ticketmaster?” I don’t know if she was doing this kind of thing (she’s not identified, so we can only guess), but yeah….
I mean, there’s “using Ticketmaster” and then there’s “using Ticketmaster.”
@Doug Mataconis:
This analogy is flawed. Placing something on a web-server is the same as publishing it. That content only becomes “private” through the application of passwords (and no-search commands) to it.
@aLittleTooQuiet’s analogy is closer to the reality of the situation: