eula


The House Judiciary Committee is considering a bill (.pdf) to amend the Computer Fraud and Abuse Act, 18 USC 1030. I’ve redlined the current statute (.doc) to show how the law would look should this bill pass, and inserted comments where relevant.

I’ve heard that the bill is intended to fix what’s come to be known as “The Lori Drew Problem”: criminalizing terms of service violations. By my analysis, it does the opposite. The text could clear the way for such prosecutions while introducing new legal uncertainties, expanding the scope of the CFAA and greatly increasing penalties, without resolving the underlying problem, which is that the phrase “exceeds authorized access” — as well as the new phrase “in excess of authorization” in the bill — are subject to conflicting interpretations.

The bill also dramatically increases penalties while introducing new ambiguous language that muddies rather than clarifies the reach of this expansive law in other areas as well. For the reasons set forth in the comments to my attached redline, this legislation needs to be scrapped.

This legislative push comes just a few days following the Ninth Circuit’s opinion in United States v. Nosal. There, the Court sitting en banc reversed the panel decision and held that violations of an employer’s computer use restrictions are not penalized under the statute, because “exceeds authorized access” doesn’t mean merely violating a policy, it means obtaining data you are not allowed to see. While a very welcome decision, this creates a Circuit split with the Fifth, Seventh and Eleventh Circuits. We don’t yet know whether the government will petition for, or the Supreme Court will grant, cert in Nosal. What we do know is that if Congress wants to resolve the ambiguity, the current bill will only make matters worse.

Courts Turn Against Abusive Clickwrap Contracts

Wednesday’s Wired News column is about the state of the law wrt EULAs, terms of service agreements and other mass market contracting.  Two new cases suggest that courts are going to get more deeply into the business of protecting consumers from oppressive terms in these “take-it-or-leave-it” contracts.  In the column, I discuss the cases and argue this is the right approach.

In mid-February, the New York Attorney General’s office settled a complaint against Blue Coat, a business hardware and software company, for its End User Licence Agreement which prohibited benchmarking. The NYAG challenged the provision, which was only revealed to customers after purchase. The settlement comes with an approximately $30,000 slap on the wrist, and a promise not to include any anti-benchmarking language in EULAs for products sold in New York.

Here is the NY Attorney General’s press release. This is the second time, I believe, that the NYAG has gone after speech-restrictive clauses in EULAs on behalf of consumers and succeeded. The success is particularly notable because Judge Easterbrook’s decision in ProCD v. Zeidenberg, often cited as the seminal case on EULA enforceability, suggests a different result. Yet, as I often inform my students, just because there is strong law against you doesn’t mean you cannot win.

A couple of questions: First, why won’t the California AG’s office also be a leader in this area? Second, how did the NYAG win, and can consumer rights lawyers around the country expand this victory to challenge anti-Fair Use and reverse engineering clauses as well? Third, do these successes spell the end for ProCD?