
EFF to Supreme Court: Violating Terms of Service Isn’t a Crime Under the CFAA - Jarred
https://www.eff.org/press/releases/eff-asks-supreme-court-rule-violating-terms-service-isnt-crime-under-cfaa
======
huffmsa
Good. It's hard to think of any other cases / examples where breaching a
service contract which doesn't also lead to a crime is directly punishable
under a statute.

I suppose it would be like the manufacturer of a blowtorch saying "this can
only be used to blowtorch X,Y and Z" and then calling the Feds on you for
using it to toast the tops of your creme brulee.

Or you tuning a pressure washer up to a higher than agreed upon pressure and
discovering that there's some flaw in a component. You may have lost the
warranty, but haven't broken a law.

But even those aren't great analogies

------
tdrp
We had a bad user who we kept banning for harassing other users. He would come
back over and over again, using different pictures, IPs, even throwaway phone
numbers or FB accounts etc. We ended up stopping him by involving a lawyer who
drafted a letter invoking the CFAA. But it revolved around him violating our
terms of service (eg no harassment, banned users are banned forever etc.)

Anybody know: Would CFAA still apply here if EFF wins this case? Or are there
any other laws which would cover this kind of unauthorized access?

Thanks!

~~~
phkahler
>> Or are there any other laws which would cover this kind of unauthorized
access?

Here's the thing. Violating terms of service and unauthorized access are two
different things. Your site apparently is publically accessible and anyone can
create a fake user profile. You are not vetting anyone or granting any
specific person access.

~~~
tdrp
I mean they would log in with FB, through a VPN, then verify a phone number
which was usually some throwaway. I am not sure how we could be more strict
short of asking all of our users for pictures of their IDs. We were explicit
with the user that they were banned and not allowed on the site anymore. I
wonder how we would have made sure that user never returned.

~~~
rmrfstar
If you were a local corner store and you had a disruptive customer who
returned repeatedly, your recourse would be calling the cops for trespass.

CFAA violations come with 5-10 year prison sentences per violation. A little
extreme for a trespasser whose conduct is otherwise non-criminal, don't you
think?

~~~
tdrp
Definitely extreme - ideally I would want something like a "restraining order"
against the disruptive user that legally compels them to no longer use the
website. If they still break that, then probably fines+damages of some kind.
But you know, _something_.

The other extreme which some people are advocating "let the users do whatever
the hell they want and it's your own fault if they keep spoofing fb
accounts/phone numbers and creating new accounts" I find pretty bad and tone-
deaf; it gives carte blanche to bad behavior. Any malicious user who is set on
messing with you becomes a full-time job to deal with. Most people who run
some kind of B2C website have run into this and once you hit 1M+ users you are
bound to be dealing with a handful of those at any one time.

------
mvanveen
Yes! Let's make sure in the memory of Aaron Schwartz and the many others who
have faced undue scrutiny under CFAA that we see drastic reform of this
draconian law and how it is applied.

~~~
TAForObvReasons
Aaron Swartz [http://www.aaronsw.com/](http://www.aaronsw.com/)

EDIT: why was this downvoted? Is there a different Aaron "Schwartz" or did the
parent misspell Swartz?

~~~
mvanveen
Thanks for the correction! Apologies for my gross oversight.

