The prosecutorial discretion built into the Computer Fraud and Abuse Act is already controversial in the blogosphere, where leftie admirers of Aaron Swartz and libbie opponents of prosecutorial discretion have made common cause against the law. And indeed it’s true; forfeiture laws aside, the CFAA is among the most flexible tools in a federal prosecutor’s kit. You can be prosecuted for doing almost anything on a computer if you lack “authorization” to do it.
“Authorization” is at the heart of the criminal offense, but it is not defined, and its vagueness means that a routine violation of Facebook’s terms of service or a mean-spirited use of ordinary network protocols can be hyped into federal crimes. (I’m not wild about the law’s breadth and vagueness myself, since prosecutors have used their discretion to keep victims of hacking from protecting themselves.)
All that has made the CFAA controversial, at least in some circles. But if my partner Michael Vatis is right, you ain’t seen nothing yet. His recent post in the Steptoe Cyberblog raises the very real possibility that Mitt Romney lost the 2012 election because of the enormous prosecutorial discretion built into the CFAA. It’s widely agreed that Mitt Romney lost the race because the President’s base turned out in surprisingly large numbers, thanks in large part to the Obama campaign’s effective use of technology. That much we already knew. But now, thanks to Dan Balz’s “Collision 2012,” we’re beginning to learn exactly how the campaign used technology. And, as Michael Vatis, an alumnus of the Clinton Justice Department, persuasively argues, its key tactic was violating the Computer Fraud and Abuse Act. Here’s how the tactic apparently worked. Obama supporters logged on to both a campaign network and their Facebook account, allowing the campaign to search their Facebook network for likely Obama voters whom the campaign believed to be unmotivated or unregistered. Those voters would then get tailored messages from their Facebook friends urging them to register and turn out.The Obama campaign doesn’t seem to have been deterred by the possibility that it was violating federal law. I can think of at least four reasons why that might be. Three of them are scandals. It’s clever. It’s the future. And it’s a violation of the CFAA. Facebook doesn’t let users share access to their accounts, and anything Facebook doesn’t authorize is very likely a federal crime. (Because Facebook is limiting access to information, not just use of information, the conduct was very likely criminal even under the more limited construction of the CFAA adopted in the Ninth Circuit.) Maybe the campaign never thought about the possibility that it was violating federal law. That’s not a scandal, though it strikes me as unlikely that not one of these tech-savvy geeks failed to notice that they were breaching Facebook’s terms of service. The other possibilities are all much more troubling. Perhaps the campaign, or some official in the administration, checked quietly with Justice and got an assurance that its prosecutors would not inconvenience the campaign. Or perhaps the campaign thought about the risk and said, “Pff! Those guys work for us. They’ll never prosecute, especially if we win.” Or perhaps the Obama campaign went to Facebook and got a quiet waiver of the terms of service. (I’m assuming that anything the campaign did was done quietly so as not to alert the Romney campaign, which might have emulated it.) Given the importance of turnout to the result in 2012, and the computer crime prosecutors’ already controversial exercises of discretion, I think this issue will go mainstream. If the President even arguably won re-election by violating federal law or by getting special treatment from Facebook or federal prosecutors, half the country will want to know exactly how that happened. And I don’t see how the extraordinary discretion conferred by the CFAA can survive the storm that follows.
CORRECTION/UPDATE: Having talked in some detail with folks at Facebook, I’ve concluded that this post was just wrong, and I owe an apology to both Facebook and the Obama campaign, not to mention the co-bloggers and readers who joined the fray. Facebook’s terms of service do say all the things that I and Michael Vatis’s post quoted – they prohibit password sharing and the soliciting of password sharing and so on. But it turns out that Facebook also maintains Facebook Platform, whose rules permit users to grant app developers access to their user data, including a user’s list of friends. The Obama campaign created an app that adapted this platform to its turnout goals, and it did so within the rules set by Facebook. Because the program was authorized by Facebook, it was also authorized under the Computer Fraud and Abuse Act. I’ve deleted the bulk of the post but left it up so that any links to the original post will come to this correction.