It's pretty conventional in these types of cases. I've received a similar C&D and read several others and they all invoke the CFAA. It seems boilerplate for C&D related to online activities.
The CFAA makes it unlawful to exceed authorized access to any protected computer system (essentially, any computer in the United States). If someone claims that you've violated their ToS, they almost always also claim that by so doing, you've also violated the CFAA, since your access "exceeded authorization" as granted within the ToS, which they'll claim you've agreed to.
Now your breach of contract is upgraded to a federal crime. Better hope you don't make the wrong MegaCorp mad.
I should have given a little more context. Take a look at the statement that Zillow gave the Verge:
“Zillow has a legal obligation to honor the agreements we make with our listing providers about how photos can be used,” Zillow tells The Verge in a statement. “We are asking this blogger to take down the photos that are protected by copyright rules, but we did not demand she shut down her blog and hope she can find a way to continue her work.”
The public face of Zillow says they hope she can find a way to continue her work, yet the corporate counsel pulls out a piece of legislation that could see her spending the rest of her twenties in a jail cell. That's dirty pool...
Point in your favour though, the Verge didn't even mention the CFAA in their coverage of this. So, I would agree that it's common, but just because something is common doesn't make it right.
Yeah, I'm not trying to imply that Zillow's conduct is morally justified or correct. However, based on my experience (I'm not a lawyer), it is conventional conduct.
It is probably less likely that Zillow is intentionally trying to play hardball, and more likely that they pulled out the "Terms of Use violation" boilerplate and made the necessary adjustments.
People are successfully sued under the civil provisions of the CFAA on a regular basis and they rarely have to face the possibility of spending their twenties in a jail cell for conventional scraping or copyright infringement (another thing that has both criminal and civil penalties).
weev is an exception presumably because his disclosure contained a bunch of personally identifiable information from Very Important People. Swartz was an exception probably because he was apprehended by police for illegally breaking and entering a network closet at MIT, triggering the prosecutor's question "What crimes did this guy commit to justify his arrest?".
The CFAA is terrible law, and I say that on HN so much that it will probably be the next thing dang yells at me for saying too much. Large companies like Zillow abuse the legal system to strongarm small entrepreneurs and publishers, and that's disgusting. The fact that it's possible shows that, in large measure, we've lost the plot.
We need serious reform not just for the CFAA, but the legal processes that allow this state of affairs.
The US Justice Dept. tested that theory (violation of ToS is a violation of the CFAA) in court, but it didn't fly. The judge correctly pointed out that this basically gives companies carte blanche to make something a Federal crime via their Terms of Service.
weev was convicted and sent to prison for violating the CFAA, based on his "unauthorized access" to AT&T's site (the limits of which are presumably defined by the ToS). His conviction was reversed on the technicality of improper venue, not the dubious nature of the conviction or the belief that ToS should not be eval'd into federal law.
Did ATT's TOS say e.g. "we have a bunch of customers' PII posted online; please don't read those"? It seems, rather, that the court considered the act itself bad enough to punish regardless of any implied agreement forbidding or allowing the act. (Of course I think the court is wrong.)
IANAL, but my feeling is that eventually the evil companies will come up with a TOS so awful that even the Supreme Court will be sickened by it and be inspired to thoroughly reevaluate CFAA. They won't throw it out entirely, but they'll pick out a particular set of valid terms, and we'll learn to live with TOSes built with those.
A standard ToS prohibits most types of access; in many cases, a literal reading of a ToS would prohibit any access (one ToS I read says that their site should not be accessed by "any method, automated or manual" (in the context of banning robots/scrapers)). They arrange it that way so that they can demand that you stop talking to their server whenever they dislike something you've done.
The CFAA is a critical component in maintaining highly significant tech monopolies like Facebook. I don't think that SCOTUS will clamp it down. Computer access is abstract enough that it is hard to get a political fervor generated, and most people are able to use their computers without impediment, so they're never going to really care (cf. copyright, which is possibly the most widely violated law today, yet the function of which most people continue to remain completely ignorant).
The parties that are interested in these things are going to be large companies that are paying lobbyists to get stricter restrictions pushed through, not political grassroots mobilizing to reverse it.
As an example, last year Congress passed and President Obama signed a law strengthening the CFAA's restrictions by prohibiting the circumvention of "any technological control on an Internet website or online service ... used to enforce online ticket purchasing limits or to maintain the integrity of posted online ticket purchasing order rules".
Like many laws, at a superficial reading, this looks fine, but then we get into the details. What constitutes an "event" or a "ticket"? Is a restaurant reservation an event, and does one circumvent a technological control if they inform a user that a reservation may be available (compare OpenTable)? Is hailing an Uber an event that creates a ticket, and if so, how would this impact third party applications that interface with Uber in some way? etc.
Like copyright, the CFAA, in some form or another, is here to stay, because it is a major part in the legal force used to prevent direct competition against the entrenched interests/incumbent players. It's really hard to get a political upswell over abstract, rarely-deployed concepts (even then, they make a token change and the meat of the policy remains intact).
Health coverage is a much more pressing abstract issue that negatively impacts a much larger percentage of the citizenry and we still can't find a way to agree on that; I'm not optimistic about copyright and/or network access.
It is possible that the CFAA will go away in many years after there is much more cross-generational technical awareness, but I'm personally doubtful. Would someone have been having the same kind of discussion re: copyright in the 18th century, as legal frameworks allowing people to own information emerged?
The ability to eval a ToS into federal law and get people sent to prison for it will probably go away, but the ability of a site's owner to pursue someone who won't quit asking their server for information in an undetectable-server-side, non-disruptive manner probably won't.
I'm referring to the case where that woman posed as a high school student and drove a girl that her daughter didn't like to suicide via cyber bullying. They tried to charge her under the CFAA for violating Facebook's ToS against misrepresenting yourself.
> United States v. Drew[1] is the final decision in a criminal case that charged Lori Drew of violations of the Computer Fraud and Abuse Act (CFAA) over the alleged cyberbullying of a 13-year-old, Megan Meier, who committed suicide.
Also:
> On September 4, 2008, the Electronic Frontier Foundation filed an amicus brief in support of Drew's motion to dismiss the indictment.[10] The brief argued that Drew's indictment was wrongful because Drew's alleged violation of the Myspace terms and conditions was not an "unauthorized access" or a use that "exceeds authorized access" under the CFAA statute; that applying the CFAA to Drew's conduct would constitute a serious encroachment of civil liberties; and that interpreting the CFAA to apply to a breach of a website's Terms of Service would violate the Due Process protections of the Constitution and thereby render the statute void on the grounds of vagueness and lack of fair notice.
Thanks for the reference. It's great that the absurdity of the CFAA was reined in on that case.
My understanding is that since this decision occurred at the district court level, it does not have a precedential effect, so I don't think anyone with a pending case can necessarily relax or assume that a similar outcome will be easily obtained.
Note also that in this case, a guilty verdict was entered for the defendant before being vacated by the district court almost a year later. If other CFAA cases have to go through the same process to get a similar outcome, that's better than nothing, but not really something to get excited about from the perspective of someone who has not yet been convicted.
Obviously I'm not privy to the details of weev's legal strategy, but this case didn't seem to help him either in preventing his conviction or in securing his exoneration. His conviction was overturned on unrelated grounds. Perhaps this would've been significant if the venue was not improper. (I haven't read the decision overturning weev's conviction, so it may discuss the applicability of this case regardless).
---
re the EFF's amicus brief, amicus briefs are an opportunity for the public to file their comments on the case for the court's consideration. They merely express the author's opinion and hold no value. The EFF opposes the CFAA as written as well as several other bad laws, but that's nothing new.
https://twitter.com/mcmansionhell/status/879429709251137537