Yesterday the Senate Judiciary Committee approved a trio of data security and data breach notification bills. One of the bills, which was sponsored by Committee Chairman Senator Leahy, includes a crucial amendment [pdf] to clarify that it's not illegal under the notoriously vague Computer Fraud and Abuse Act to violate agreements like website terms of service or acceptable use policies.
A bipartisan coalition of senators (including Chairman Leahy himself) voted for the amendment to the anti-hacking law, which private litigants and prosecutors alike have creatively used to try to punish violations of terms of use over the past few years in cases like United States v. Drew, Facebook v. Power Ventures, United States v. Lowson, and United States v. Nosal.
EFF, along with a group of civil liberties organizations and scholars, has twice urged [pdfs] the committee to ensure the CFAA doesn't punish ordinary computer users who happen to breach terms of use.
EFF is thankful to Senators Franken and Grassley for introducing this important amendment, which we believe is a huge step in the right direction. But the legislation could be better still. As the bill is currently written, government employees who violate employment agreements remain vulnerable to contract-based prosecutions under the CFAA. We urge Congress to protect all computer users against such charges, no matter where they work.