Fib on Facebook? U.S. Law Calls It Criminal, Critics Warn

Ever fib about your age on a dating site? What about on Facebook?

These infractions could be a federal crime under an obscure 1986 anti-hacking law that was passed well before the advent of social networking sites. Advocacy groups on both sides of the aisle are now pressing lawmakers to re-write the law, to prevent an administration push to toughen penalties from treating online mischief-makers the same as criminal hackers.

The debate centers on a law known as the Computer Fraud and Abuse Act, which has been broadened several times since 1986. Critics of the law point most frequently to a section that imposes penalties on anyone who knowingly "exceeds authorized access" on a computer to obtain information.

"Authorized access," they warn, could refer to anything from a website's "Terms of Use" agreement to an employer's restrictions on computer use. They cite cases where federal prosecutors have charged individuals for breaching these agreements -- and question whether that standard could hold casual slip-ups on the Internet to the same standard as malicious cyber-criminal activity.

"Now it is possible for someone to be prosecuted for violating the user agreement in a social networking site," Rep. Bobby Scott, D-Va., said at a hearing Tuesday on Capitol Hill.

The hearing by a House Judiciary subcommittee marked the latest public debate in D.C. over the law.

The Obama administration is currently pushing to increase penalties under the Computer Fraud and Abuse Act. The Department of Justice downplays concerns about the broadness of the language, and stresses that the government is trying to deter serious cyber-threats and cyber-criminals -- such as the mass theft of credit card data.

But Berin Szoka, president of TechFreedom, said it's critical that Congress make sure the law targets real criminals.

"Hacking is a real problem," he told "But ... any effort to expand (the law) has to also insure that the law is not used to criminalize violations of terms of service."

George Washington University Law Professor Orin Kerr testified on Capitol Hill Tuesday that as written, the law criminalizes routine computer use in a way that could implicate just about anybody.

For instance, Kerr noted that while he lives in Arlington, Va., his Facebook profile states that he lives in Washington, D.C.

"According to the Justice Department, I violate federal criminal law every time I log in," Kerr said. Kerr suggested tweaking the language of the law to clarify that it does not apply to people who violate "terms of service" agreements.

The Justice Department, however, argues that the language in the law on "authorized access" should stand to give the department the tools it needs to prosecute bona fide criminals.

"Restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution," Justice official Richard Downing said in written testimony submitted to the House Judiciary Committee.

Downing explained that most employers have "clear and reasonable restrictions" on how sensitive computer data can be accessed by employees. The department, he said, prosecutes people who violate those rules to obtain sensitive information. Changing the law would prevent prosecution of "serious insider cases" -- for instance, a health insurance administrator accessed hundreds of thousands of worker names and Social Security numbers in 2006, and was prosecuted under this law.

Kerr praised the Senate Judiciary Committee for recently amending the law in an attempt to narrow its scope to ensure that routine computer usage is not criminalized. The Senate committee in September approved an amendment that would exempt people whose only infraction is a violation of a user agreement.

A House Judiciary Committee aide told that the Justice Department is "concerned" about the action taken by the Senate. The House, though, has not yet taken up any proposal on the issue.

Asked for comment, a Justice Department spokesman referred back to Downing's testimony.

Kerr and several other groups appealed to Congress back in August to change the law. In a joint letter, they expressed concern about an "overbroad application of the law." A key concern is that by relying on terms of use agreements, the courts would effectively allow those contractual agreements to define what is and is not a criminal act.

"If a person assumes a fictitious identify at a party, there is no federal crime," the letter said. "Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation."

The organizations on the letter included the American Civil Liberties Union, the Electronic Frontier Foundation, the Center for Democracy and Technology and conservative groups like FreedomWorks and Americans for Tax Reform.

While defending the law, Downing pressed for increasing maximum penalties on some violations.

He claimed cyber-crimes are still treated more delicately in U.S. law than related physical crimes. Downing, the deputy chief at the computer crime division, noted the maximum penalty for computer fraud is five years, but 20 years for mail and wire fraud.

"Criminals from across the country and around the world are taking advantage of the relative anonymity provided by the Internet to compromise our critical infrastructure, obtain trade secrets, intrude into bank accounts, and steal the personal and financial information of ordinary Americans," Downing said. "Federal law needs to more effectively deter this spreading criminality."

Though the Justice Department has used the law to go after those who violate terms of service agreements, its track record is spotty. In perhaps the most famous case in recent history, a federal judge threw out the 2008 convictions against Missouri mother Lori Drew. Drew was prosecuted under the Computer Fraud and Abuse Act for creating a fake MySpace page, in violation of MySpace's terms, and using it to harass a teenage girl who later killed herself.