It seems to me that Federal law is able to be applied to websites created by private individuals or businesses. As long as the ToS has knowingly been broken and the person doing the breaking has benefited materially then he is at risk of federal prosecution. I don't see a lot of comment about reasonable the ToS has to be. This just strikes as being completely irrational.
Original comment:
Riiiigght, so I can put together a website with some strange terms of service and then the FBI will come arrest anyone breaking those terms of service because it is a federal crime.
No, you cannot do that. A prosecutor must demonstrate, first to a grand jury, then to a criminal jury, and simultaneously to a judge, that the accused not only violated the terms of service to a website, but in doing so caused material harm or found material gain, and that they did so knowing that they were violating the terms of the site.
The fact seems to remain that any private individual can create a website and have the force of federal government apply to a third party as long as said party has knowingly broken the ToS and gained materially somehow from that.
If a restaurant had a 'terms of service' that said no reselling of food that they make, should you be open to federal prosecution if you stopped by to pick up food for yourself and some co-workers? Especially if someone gave you a few dollars for the trouble of running the errand? And even more, if the restaurant has their own delivery service?
Am I missing an important distinction here? Should private companies be able to make binding rules that open people up to criminal prosecution for something that doesn't violate any laws per se? A person breaking a specific law AND breaking a ToS makes sense. A person breaking a law BY breaking a ToS doesn't make sense.
I can't reply to this because no part of the example you provided constitutes a federal crime under the CFAA.
On the other hand, the criminal aspect of using a university's noncommercial JSTOR access to scrape a substantial portion of the entire database so you can put it on BitTorrent is not hard to understand.
It was unclear if what you were implying was that you shouldn't violate a ToS for your own profit (or at someone's expense) because it was a federal offense. (I can see now that that was not what you were trying to get at)
What are your thoughts on PadMapper vs CL? What is the distinction between scraping that data vs scraping this data that makes one worthy of federal prosecution, but not the other? Considering in both cases it was done for profit or detriment
Elements missing from a CFAA case for PadMapper include at least interstate commerce and intent to defraud.
Swartz's prosecution alleges --- credibly, given what Swartz allegedly posted prior to scraping JSTOR --- that Swartz intention was to liberate data from a commercial database onto file sharing networks, making intent a much easier case to prove. Moreover, the indictment is at pains to point out that MIT and JSTOR repeatedly attempted to stop Swartz from continuing his plan, and found themselves in a cat-and-mouse game with Swartz eventually trespassing to maintain access.
PadMapper found itself having exceeded Craigslist's terms, found out by having its access withdrawn and becoming the target of a civil suit, and did not (directly, at least) attempt to evade the countermeasures Craiglist applied to prevent them from obtaining further access.
Whether or not you believe Swartz did something wrong here (I do) or whether you think he should get a felony conviction for doing it (he probably shouldn't), you can see pretty clearly how JSTOR had no straightforward civil remedy to what Swartz was doing. Swartz was playing chicken with them, and he lost --- or rather, his bicycle collided with JSTOR's semi truck at high speed.
Yet stealing a bar of chocolate from your corner shop is not a federal crime.
Additionally if you hack a site and copy all their data but don't do anything with it, is that now not a federal crime because you have not benefited materially from it?
Yes it is because it is interstate commerce. Even if you are located in the same building as the server, just being connected to the internet raises the potential for it to be interstate commerce so it falls into the federal domain.
18 USC 1030(a)(4):
(a) Whoever—
...
4. knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value ...
"Protected computer" is an incredibly broad term that covers almost any modern computer or device:
(2) the term “protected computer” means a computer—
...
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;
I can't imagine they'd ever prosecute anything below the $5,000 mark but even a candy bar sized loss does appear to fall into the federal domain. (Not saying I agree with it, but that's how the interstate commerce clause has been applied in almost every case.)
Actually, it may well be. Depends on where you are, where the website is hosted, and whether any of the fiber(etc) your packets traverse cross state lines...
No, stealing a candy bar across state lines is also not a crime under the CFAA.
(Wait, it might be. I misremembered what the dollar minimum in the CFAA applied to --- the dollar limit is why you can't be charged under the CFAA for stealing airplane wifi, but things of value other than computer service itself have no dollar minimum I can find.)
You don't even need Lori Drew to arrive at this conclusion. The CFAA doesn't create strict liability crimes. You have to know you're violating the ToS, and, more than that, you have to benefit (or materially harm someone).
"Materially harm" is such a broad term (it's been used to escape one-penny raises in phone bills) that, in the context of CFAA, it might as well be strict liability. Depending on how big of a dick legal is feeling like on a given day, they could make the argument that having the sysadmin dig up logs was materially harming.
Please read my post again. (Why do I find myself saying this to you in almost every interaction? Do I just fail at communicating?)
The point was that the bar for "material harm" is so low that an infant couldn't trip over it. So much that it's barely even worth consideration. Basically, if you violate a ToS, the company on the other side could make it a federal case if they choose to.
From the company's standpoint, there's no reason not to, unless they've already committed their lawyers elsewhere.
So it might as well be strict liability. If they choose to pursue you, you're in for a bad time. Note that a prosecutor still has to choose to come after you, even for strict liability offenses.
You're not failing at communicating so much as failing at understanding what "strict liability" is about. Strict liability pertains to intent, not to the magnitude of the offense.
Statutory rape is an example of a strict liability crime, because you can be convicted of it without even knowing you committed it (at the time).
I understand that much - holding onto underage porn is a strict liability crime for example
What I'm getting at here is that, the "harm" thing is not a good bar. The only difference between breaking a ToS in this condition and breaking a strict liability law is that it's a corporation instead of a prosecutor initiating the case.
*ed
Dropped "unwittingly", since you have to have been proven to know you're breaking the ToS.. still a broken law..
I don't understand what this comment is trying to say. The words following "the only difference" are not in fact the only difference between breaking a term of service and committing a crime under strict liability. In fact, the opposite is more true. You do not, for instance, simply need to know you're violating a term of service; you have to be doing so in bad faith, with intent to defraud.
I think you need to read the CFAA --- carefully, because clauses that occur early in the statute are refined and clarified later in the statute --- before wading into technical discussions about it.
It's not a particularly difficult law to understand.
...you have to benefit (or materially harm someone).
Are benefit and harm legally defined terms in this instance, or can a clever prosecutor convince a jury of the criminal equivalent of the idea that making a phone with rounded rectangles is worth $1B?
Edited comment:
It seems to me that Federal law is able to be applied to websites created by private individuals or businesses. As long as the ToS has knowingly been broken and the person doing the breaking has benefited materially then he is at risk of federal prosecution. I don't see a lot of comment about reasonable the ToS has to be. This just strikes as being completely irrational.
Original comment:
Riiiigght, so I can put together a website with some strange terms of service and then the FBI will come arrest anyone breaking those terms of service because it is a federal crime.
Just what planet do these guys live on....