Online Trespass to Chattels Needs Structural Reform (Forbes Cross-Post)
By Eric Goldman
In light of Aaron Swartz’s tragic suicide, there has been a lot of discussion–some productive, some not–about reforming the Computer Fraud & Abuse Act (the “CFAA”). I support some of the reform proposals, but they don’t go far enough. Initially, the CFAA banned hacking, but over the years, it has morphed into a general restriction against online trespass to chattels. In this post, I’ll explain why–and how–the concept of online trespass to chattels should be eliminated from the CFAA and analogous state law doctrines.
The Current Law of Online Trespass to Chattels
Trespass to Chattels Offline. “Chattel” means tangible personal property, as opposed to real property like real estate or intangible assets like intellectual property. Colloquially, we often refer to chattel as our “stuff.”
In the offline world, a chattel owner has the exclusive right to possess the chattel. If someone permanently takes someone else’s chattel, we call this “theft” or “conversion,” and we punish it both civilly and criminally.
Chattel interferences less significant than theft/conversion, such as temporarily depriving the chattel owner of possession (e.g., taking someone else’s car for a “joyride”), may be actionable as “trespass to chattel.” Trespass to chattels is a venerable doctrine (it dates back centuries), but it does not apply to all interactions with someone else’s offline chattel. The owner must show some damage from the interference. Petting someone’s dog (pets are chattel) or touching someone’s car with your finger may technically interfere with the chattel, but typically it’s not actionable as a trespass because the chattel owner hasn’t suffered any harm. The requirement that the chattel owner show some harm differs from trespass to real property, which in contrast can occur merely by a person’s unauthorized presence even if the owner has experienced no other damage.
Trespass to Chattels Online. The Internet operates by passing bits of data over computer equipment, such as servers, routers and cables. All of that equipment is owned by someone. In other words, Internet data moves over a network of privately owned chattel.
Over the years, legislatures and the courts progressively have treated the unauthorized movement of data bits over someone else’s chattel into a “trespass” of that chattel–an activity I’ll call “online trespass to chattels.” For example, many states have enacted computer crime laws that restrict unauthorized use of Internet and telecommunications equipment. In 1997, CompuServe v. Cyber Promotions, a federal district court held that sending spam to an third party’s email router constituted trespass to chattels under the common law (common law is judge-made law, not enacted by a legislature). Many subsequent courts have embraced that precedent. And over the years, Congress has progressively expanded the Computer Fraud & Abuse Act so that it has become, in effect, a federal prohibition on trespassing someone else’s Internet equipment by sending data to it or taking data from it. With respect to the CFAA and some state computer crime laws, we punish violations both civilly and criminally.
All of these legal doctrines (the CFAA, state computer crimes, common law trespass to chattels) require that the online chattel owner show that the defendant’s activity was unauthorized and that the owner suffered some damage from the defendant’s use of the chattel, but the legal standards differ somewhat between the doctrines. In practice, the required damages showing is often trivial. For example, both the CFAA and California’s computer crime law count the chattel owner’s efforts to prevent the defendant’s usage as actionable damage–and in California’s case, no further showing of harm to the chattel owner is required. Effectively, simply making unauthorized use of a third party’s Internet-connected chattel violate the state computer crime law. Some parts of the CFAA requires a higher quantitative showing of damages, but many cases easily clear that threshold.
Rethinking Online Trespass to Chattels
Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked for at least three reasons.
Connecting to the Internet. When a chattel owner affirmatively connects its chattel to the Internet, we might presume that the owner wants to exchange data via the Internet. Of course, not all Internet data exchanges will be welcome; the chattel owner may have security restrictions on who can access some or all of the chattel, and no website wants to be overwhelmed with bogus exchange requests (i.e., denial-of-service attacks).
Acknowledging those caveats, we ought to legally presume that Internet-connected chattel is intended to exchange data with other Internet users. If we start with this presumption, the chattel owner can “bargain” with other Internet users to restrict their usage through a contract specifying permitted and unpermitted uses. Current online trespass to chattels doctrines contemplate this bargaining process, but the laws often let websites communicate their usage restrictions on obscure web pages that most people won’t see.
Chattel owners also can use technological controls, such as security measures, to restrict unwanted chattel usage. For example, websites often use “rate limits” to throttle the amount of data that can be gathered from the website during a specified time period and “IP address blocks” to restrict website access by specified computers.
Given that chattel owners can easily restrict how their Internet-connected chattel is used, they should bear the onus to take the contractual or technological steps to do so. Otherwise, society incurs significant transaction costs for individual users trying to determine their rights to interact with Internet-connected chattel, and overly protective legal doctrines create border cases where users engaged in socially beneficially conduct nevertheless unintentionally commit legal violations.
(Side note for economics buffs: the Coase Theorem says it doesn’t matter where we set the property entitlement so long as there are no transaction costs. I favor giving the entitlement to Internet users because (a) the chattel owner chose to connect to the Internet, and (b) it’s cheaper for the chattel owner to bargain back for the rights).
Unintended Consequences. Online trespass to chattels now reaches scenarios far beyond the hacking scenarios, sometimes in farcical ways. Three examples of troubling applications of online trespass to chattels:
* because virtually every employee uses computers at work and some employees download company data onto their personal devices, employers now routinely assert CFAA violations against ex-employees. This illustrates the CFAA’s scope creep; the CFAA wasn’t designed to apply to ordinary employee activities, but sloppy and expansive drafting enables that possibility. Fortunately, courts have balked at this trend (see, e.g., Nosal and WEC). I still favor punishing rogue employees, but online trespass to chattels is not the way to do it.
* websites may assert online trespass to chattels when a third party’s automated script gather information from their website (a process sometimes called “scraping” or “spidering”). Technically, search engine spiders commit online trespass to chattels when they access a website without permission, although we don’t often see cases asserting that. Instead, more typically we see anti-competition lawsuits, including efforts to thwart price competition or shut down third party developers who enhance a website’s functionality (such as Craigslist’s and Facebook’s crackdowns).
* Lori Drew’s CFAA prosecution over Megan Maier’s suicide due to Drew’s use of a fake MySpace profile. To establish the CFAA violation, the government (unsuccessfully) argued that MySpace was the victim of Drew’s ruse because she lied to them when she created her online account. The government’s theory threatened to make virtually every Internet user a criminal because Internet users routinely fib during online account registration processes.
Doctrinal Overlap. In many situations currently covered by online trespass to chattels, at least one–and often numerous–other legal doctrines already apply. For example, trade secret law already applies to employees who walk out the door with a company’s confidential information, whether the confidential information is analog or digital. Copyright law already applies to search engines republished copyrighted material they scrape. MySpace could have brought a breach of contract claim against Drew for violating its user agreement (if it cared).
Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.
Reforming Online Trespass to Chattels
Lawmakers aren’t very good at acknowledging when their legal experiments fail (Tim Wu discusses this point more). But if lawmakers honestly judge the results of their online trespass to chattels experiment, they should:
1) Repeal most provisions of the CFAA (that don’t relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.
2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.
3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.
4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).
Obviously, these proposals are dramatic, but they are in keeping with my goal of eliminating the legal concept of online trespass to chattels. Even if we do that, chattel owners are hardly defenseless. They can still take advantage of a panoply of other legal doctrines, they can still use (properly formed) contracts to bargain back the rights from users, and they can still use technological controls. As a result, these proposed changes will end the adverse consequences from the online trespass to chattels experiment while letting chattel owners prevent socially disadvantageous online usage of their chattels.
[Photo Credit: A "Private Property" sign in a field in rural North Yorkshire // ShutterStock]