Wall Street Journal
By ORIN S. KERR
Congress contemplates draconian punishment for Internet lies.
Imagine that President Obama could order the arrest of anyone who broke a promise on the Internet. So you could be jailed for lying about your age or weight on an Internet dating site. Or you could be sent to federal prison if your boss told you to work but you used the company’s computer to check sports scores online. Imagine that Eric Holder’s Justice Department urged Congress to raise penalties for violations, making them felonies allowing three years in jail for each broken promise. Fanciful, right?
Think again. Congress is now poised to grant the Obama administration’s wishes in the name of “cybersecurity.”
The little-known law at issue is called the Computer Fraud and Abuse Act. It was enacted in 1986 to punish computer hacking. But Congress has broadened the law every few years, and today it extends far beyond hacking. The law now criminalizes computer use that “exceeds authorized access” to any computer. Today that violation is a misdemeanor, but the Senate Judiciary Committee is set to meet this morning to vote on making it a felony.
Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer? If interpreted this way, the law gives computer owners the power to criminalize any computer use they don’t like. Imagine the Democratic Party setting up a public website and announcing that no Republicans can visit. Every Republican who checked out the site could be a criminal for exceeding authorized access.
If that sounds far-fetched, consider a few recent cases. In 2009, the Justice Department prosecuted a woman for violating the “terms of service” of the social networking site MySpace.com. The woman had been part of a group that set up a MySpace profile using a fake picture. The feds charged her with conspiracy to violate the Computer Fraud and Abuse Act. Prosecutors say the woman exceeded authorized access because MySpace required all profile information to be truthful. But people routinely misstate the truth in online profiles, about everything from their age to their name. What happens when each instance is a felony?
In another case, Justice has charged a defendant with violating workplace policies that limited use to legitimate company business. Prosecutors claimed that using the company’s computers for other reasons exceeded authorized access. The Ninth Circuit Court of Appeals recently agreed.
Remarkably, the law doesn’t even require devices to be connected to the Internet. Since 2008, it applies to pretty much everything with a microchip. So if you’re visiting a friend and you use his coffeemaker without permission, watch out: You may have committed a federal crime.
Until now, the critical limit on the government’s power has been that federal prosecutors rarely charge misdemeanors. They prefer to bring more serious felony charges. That’s why the administration’s proposal is so dangerous. If exceeding authorized access becomes a felony, prosecutors will become eager to charge it. Abuses are inevitable.
Real threats to cybersecurity must be prosecuted. Penalties should be stiff. But Congress must narrow the Computer Fraud and Abuse Act before enhancing its penalties. There’s no reason to make breaching a promise a federal case, and certainly not a felony crime.
Mr. Kerr, a former federal prosecutor, is professor of law at George Washington University School of Law.