Complexity, Contract, and Crime: US Senate to Consider Broad Amendment to Cybersecurity Bill

Legal complexity is nothing new. The scope of its unhappy consequences, however, seems to be getting ever wider thanks to the internet. Now texts land right in the living rooms — or the pants pockets — of half the planet at a keystroke. And, as a colleague once complained, computers and the internet “grease the skids of prolixity” where lawyers are concerned: ten words can become a hundred or a thousand at no marginal cost.

The terms of service “agreements” governing almost all the software and services you use are famously long and impenetrable. Reading the privacy policies alone would take a month, according to some estimates. Now there’s a risk that Americans will encounter not merely fatigue and ennui because of these EULAs (end user licence agreements) but a criminal conviction as well. The Senate is about to consider amendments to the proposed Cybersecurity Act that could take it beyond its core purpose of criminalizing hacking and also sweep in violations of “contracts” between users and online providers of software and services. The Center for Democracy and Technology has a good summary of the situation.

The heart of the matter is the language of the amendment championed by Senator Leahy that makes it an offence to use a computer “in excess” of “authorization.” This is sufficiently vague to lead some to worry that it would criminalize breaches of contract — which happen quite regularly and in most cases innocently — such as accessing someone else’s Facebook account with their permission, for example.

I think that the risk this vague language will survive scrutiny of the US Senate is small. But the concern brings to the fore a larger worry, for me at least, which has to do with giving any legal impact to EULAs. On the one hand, companies will be unlikely to provide services in the manner they do now if the terms of their “agreements” are unenforceable; and on the other hand, it’s simply a fiction that end users do, or can, give informed consent to what these “agreements” require. These are not contracts in any but the most tortured sense, and it seems to me to do harm to law generally to continue to regard them as such. It may be necessary to create a new category of legal obligation that deals genuinely with the needs and situations of the parties and that recognizes that EULAs are forms of private legislation. There has been this need for some time in relation to a host of other contracts of adhesion – insurance contracts, for example — but the prevalence of EULAs and their proximity to critical national interests make them important in a way that we haven’t seen up till now.


  1. David Collier-Brown

    I’ll absolutely agree that these “agreements” are important, but I think they’re closer to terms and conditions that a monopoly imposes on their customers.

    Rather than creating a regime in which their rules can be enforced, I’d suggest we need one in which their power to dictate is limited by law. We have had good (well, pretty good) experiences with regulated monopolies in telecommunications. Ma Bell provided and still provides a near-universal service, one which has huge barriers to entry, and that service is one that we can, courtesy of the police power of the state, depend upon.

    Similar monopolies and duopolies, if they are critical to lives and fortunes, could be guided by a legal system that gives them some boundaries and standards, guided by the degree to which their customers’ lives and freedom are at stake.

    Lesser monopolies, with less power to do harm, need less policing, but could do with some oversight and some legal limits on what they can demand of a customer in the absence of a true contract, freely entered into via negotiation.

    To be concrete, I’d expect the internet service industry to be subject to some consciously controlling legislation, limiting some of the most egregious mis-behaviours, such as collecting and retaining volumes of personal information for “tracking”. For that, they should need a court order.

    Lesser monopolists, like the facebooks of the world, need less explicit regulation. They may well need to be compelled to admit security breaches, especially of personal or credit-card information, but little more.

    As to enforcement of their private rules, that is what I’d like to see most restricted. If I deal with any monopolist, I want to do so under the rule of law, and have the courts enforce a “bill of rights” on my behalf, against the private rule-makers.

    –dave (a philosopher, not a lawyer) c-b

  2. The US already has a law against unauthorized use of computers, in the Computer Fraud and Abuse Act. The case law under it can with extreme politeness be characterized as inconsistent. In particular, results have varied in its application to employees and former employees who have used or accessed or taken home work-related materials etc.

    Canada has Criminal Code provisions against unauthorized access to computers and telecommunications services ‘without colour of right’. I don’t know that charges have been laid against individuals (employees or not) for violations of terms of employment. I have certainly not heard of charges laid for violation of a licence agreement of adhesion. I doubt that criminal charges would be appropriate for such a violation, even for their most clearly legitimate provisions.