EFF contends that interpreting Section 502 broadly to allow liability where the absence of permission is based only on the violation of a contractual term of use or failure to fully comply with a cease and desist letter would render the statute unconstitutionally vague, stripping the statute of adequate notice to citizens of what conduct is criminally prohibited. (Amicus Brief at 24-28.) EFF further contends that giving the statute the broad application that Facebook seeks could expose large numbers of average internet users to criminal liability for engaging in routine web-surfing and emailing activity. ( Id.)
“It is a fundamental tenet of due process that ‘[n]o one may be required at peril of life, liberty or property to speculate as to the meaning of penal statutes.” Lanzetta v. New Jersey, 306 U.S. 451, 453 (1993). Thus, a criminal statute is invalid if it “fails to give a person of ordinary intelligence fair notice that his contemplated conduct is forbidden.” United States v. Harriss, 347 U.S. 612 (1954). Where a statute has both criminal and noncriminal applications, courts must interpret the statute consistently in both contexts. Leocal v. Ashcroft, 543 U.S. 1, 11 n. 8 (2004). In the Ninth Circuit, “[t]o survive vagueness review, a statute must ‘(1) define the offense with sufficient definiteness that ordinary people can understand what conduct is prohibited; and (2) establish standards to permit police to enforce the law in a non-arbitrary, non-discriminatory manner.’ “ United States v. Sutcliffe, 505 F.3d 944, 953 (9th Cir.2007).
FN21. Orin S. Kerr, Cybercrime’s Scope: Interpreting “Acess” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L.Rev. 1596, 1650-51 (2003).
If a violation of a term of use is by itself insufficient to support a finding that the user’s access was “without permission” in violation of Section 502, the issue becomes what type of action would be sufficient to support such a finding. The Court finds that a distinction can be made between access that violates a term of use and access that circumvents technical or code-based barriers that a computer network or website administrator erects to restrict the user’s privileges within the system, or to bar the user from the system altogether.FN23 Limiting criminal liability to circumstances in which a user gains access to a computer, computer network, or website to which access was restricted through technological means eliminates any constitutional notice concerns, since a person applying the technical skill necessary to overcome such a barrier will almost always understand that any access gained through such action is unauthorized. Thus, the Court finds that accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers is “without permission,” and may subject a user to liability under Section 502.
FN23. See generally Kerr, supra note 20.