Web Site Terms of Use

Web site terms of use have taken center stage with the recent press reports of the indictment of Lori Drew by a Los Angeles federal grand jury for violating the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. 1030. Drew, 49, is charged with breaching MySpace's terms of service by tormenting and harassing a 13-year-old girl who, as a result, committed suicide. Terms of use, like those predicating the Drew prosecution, are ubiquitous on the Internet. They are created by a Web site owner and purport to restrict how the public can use a Web site to obtain information, purchase goods or services or participate in Web-based social networking.

What is not readily apparent from the Drew case is that it is not just the U.S. Department of Justice that can employ the CFAA to enforce a Web site's terms of use. The CFAA also provides for a civil remedy for companies victimized by violations of the statute, '1030(g). This article examines how Web site terms of use, in conjunction with the CFAA, provide broad legal protections to companies and their Web site users.

The CFAA is particularly well-suited to enforcing terms of use. Four of the seven violations of the CFAA upon which a civil action can be based outlaw accessing a “protected computer without authorization, or exceeding authorized access.” ”1030(a)(2), (a)(4), 5(A)(ii) and 5(A)(iii). The CFAA has been interpreted broadly to include a Web site. Most significantly, the CFAA permits a Web site owner in its terms of use to “spell out explicitly what is forbidden” or not authorized access on its Web site. EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). This is because the “CFAA ' is primarily a statute imposing limits on access and enhancing control by information providers.” Id.

Absence of Terms of Use

Thus, a Web site owner can protect itself against competitors from using its Web site to gain a competitive advantage. Business Info. Sys. v. Prof'l Governmental Research & Solutions, No. Civ.A. 1:02CV00017, 2003 WL 23960534 (W.D. Va. Dec. 16, 2003), is a classic example in which the Web site owner could have protected itself from a competitor through terms of use. The litigants in that case were competitors “in the business of making scanned county land records available to subscribers of their respective [W]eb site.” Id. at 1. The defendant's president, using his own name, subscribed to the plaintiff's Web site and received a username and password through which he provided his customers with content from the competing BIS Web site.

The court found no violation of the CFAA because the defendants' access and use of BIS' data was not “unauthorized,” pointing out that BIS “placed no restrictions on its users as to how they could make use of the information that they retrieved from BIS's [W]eb site.” Id. at 7. The court recognized that “if BIS wanted to restrict its users in their abilities to make unfettered use of the records they were accessing then it could have done so easily through its terms and conditions of usage.” Id.

Competitve Use

Similarly, Register.com v. Verio Inc., 126 F. Supp. 2d 238, 245 (S.D.N.Y. 2000), affirmed on other grounds, 356 F.3d 393 (2d Cir. 2004), upheld terms of use to restrict competitive use of a Web site. Register.com, an accredited domain-name registrar, was required to permit online access to names and contract information for its customers “to provide necessary information in the event of domain-name disputes, such as those arising from cybersquatting or trademark infringement.” Id. at 242. The database permits “the user to collect registrant contact information for one domain name at a time by entering the domain name into the provided search engine.” Id.

The defendant Verio, a direct competitor of Register.com, built “an automated software program or 'robot'” and periodically downloaded all of Register.com's customer information so that the defendant could solicit those customers for the same Internet services offered by Register.com. Id. at 243. The robot's automatic downloading allowed Verio to contact Register.com's customers “within the first several days after their registration,” when they were most likely primed and ready to purchase the related services. Id. at 243. Relying on Register.com's terms of use prohibiting use of the data for marketing purposes, the court granted Register.com's motion for a preliminary injunction, finding that Verio's access to the data and its use of that data was “unauthorized” in violation of the CFAA.

Protecting Customers

In addition to protecting a business' competitive position, terms of use can protect customers. The one area to date in which the courts have enforced terms of use under the CFAA to protect customers is with junk e-mail known as spam. For example, in America Online Inc. v. LCGM Inc., 46 F. Supp. 2d 444 (E.D. Va. 1998), America Online (“AOL”)'s terms of use “bar[red] both members and nonmembers from sending bulk e-mail through AOL's computer systems.” Id. at 448. The defendants had “transmitted more than 92 million unsolicited and bulk e-mail messages advertising their pornographic Web sites to AOL members” during a six-month period. The court granted AOL summary judgment on its CFAA claims, finding that the “Defendants' actions violated AOL's Terms of Service, and as such was unauthorized.” Id. at 450.

The terms of use at issue in the Drew prosecution were designed to protect the personal safety of MySpace members. All MySpace members must agree to these terms as a condition to becoming members and gaining access to MySpace content and services. Thus, prospective members had to agree to “provide truthful and accurate registration information,” and “refrain from ' using any information obtained from MySpace services to harass, abuse, or harm other people, soliciting personal information from anyone under 18,” “promoting information that they knew was false or misleading,” and “promoting conduct that was abusive, threatening, obscene, defamatory, or libelous.” The indictment pending against Drew alleges that she violated MySpace's terms of service by creating a MySpace account using the alias “Josh Evans.” As the fictitious Josh Evans, a 16-year-old boy, Drew initiated and fostered an online relationship with the juvenile girl, a former friend of Drew's daughter identified in the indictment as M.T.M. About four weeks into this online relationship, Drew send M.T.M. a message stating “in substance, that the world would be a better place without M.T.M in it.” On that same day the young girl hanged herself.

Drew was charged with violating ”1030(a)(2)(C) and (c)(2)(B)(ii) of the CFAA, which make it a felony if one “intentionally accesses a computer without authorization ' and thereby obtains ' information from any protected computer if the conduct involved an interstate ' communication” and “the offense was committed in furtherance of any ' tortuous act [in this case intentional infliction of emotional distress] in violation of the ' laws ' of any State.” The indictment charges that Drew's access to the MySpace Web site was “without authorization” because her conduct directly violated MySpace's terms of service.

Questions to Ask When Implementing Terms of Use

The recent CFAA civil cases discussed above and the Drew criminal prosecution predicated on violations of terms of use make it imperative that all Web site owners institute or review terms of use with the following issues in mind:

• Are the terms of use sufficient to protect the company and members of the public who use the Web sites? No one size fits all. Thus, it is critical that the terms of use address the specific risks posed to the business and to those who use the Web site.
• Are the terms of use adequately communicated on the Web site? The terms must be clearly communicated and posted conspicuously on the Web site to delineate what conduct is or is not authorized. For example, in the Southwest Airlines case, the court found that it was sufficient that the prohibition on using an automatic robot was “accessible from all pages on the [W]eb site.”
• Should a company take the extra step of forcing Web site users to agree expressly to the terms of use? This can be accomplished either through a “clickwrap” agreement such as is required on MySpace whereby the user must assent to its terms by clicking on an accept button, or through a “browsewrap” agreement whereby the user's consent is inferred through his use of the benefits conferred by the Web site. The breach of the contract can be a separate basis to show lack of authorization under the CFAA ( see, U.S. v. Phillips, 477 F.3d 215, 220 (5th Cir. 2007)) and can provide a separate cause of action for enforcing the terms of use.
• Is the company adequately monitoring compliance with its terms of use and notifying those who are not complying? In both Southwest and Register.com, the courts found that the lack of authorization was further supported when direct notice of violations was communicated to the defendants.

Web site terms of use have taken center stage with the recent press reports of the indictment of Lori Drew by a Los Angeles federal grand jury for violating the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. 1030. Drew, 49, is charged with breaching MySpace's terms of service by tormenting and harassing a 13-year-old girl who, as a result, committed suicide. Terms of use, like those predicating the Drew prosecution, are ubiquitous on the Internet. They are created by a Web site owner and purport to restrict how the public can use a Web site to obtain information, purchase goods or services or participate in Web-based social networking.

What is not readily apparent from the Drew case is that it is not just the U.S. Department of Justice that can employ the CFAA to enforce a Web site's terms of use. The CFAA also provides for a civil remedy for companies victimized by violations of the statute, '1030(g). This article examines how Web site terms of use, in conjunction with the CFAA, provide broad legal protections to companies and their Web site users.

The CFAA is particularly well-suited to enforcing terms of use. Four of the seven violations of the CFAA upon which a civil action can be based outlaw accessing a “protected computer without authorization, or exceeding authorized access.” ”1030(a)(2), (a)(4), 5(A)(ii) and 5(A)(iii). The CFAA has been interpreted broadly to include a Web site. Most significantly, the CFAA permits a Web site owner in its terms of use to “spell out explicitly what is forbidden” or not authorized access on its Web site. EF Cultural Travel B.V. v. Zefer Corp. , 318 F.3d 58, 63 (1st Cir. 2003). This is because the “CFAA ' is primarily a statute imposing limits on access and enhancing control by information providers.” Id.

Absence of Terms of Use

Thus, a Web site owner can protect itself against competitors from using its Web site to gain a competitive advantage. Business Info. Sys. v. Prof'l Governmental Research & Solutions, No. Civ.A. 1:02CV00017, 2003 WL 23960534 (W.D. Va. Dec. 16, 2003), is a classic example in which the Web site owner could have protected itself from a competitor through terms of use. The litigants in that case were competitors “in the business of making scanned county land records available to subscribers of their respective [W]eb site.” Id. at 1. The defendant's president, using his own name, subscribed to the plaintiff's Web site and received a username and password through which he provided his customers with content from the competing BIS Web site.

The court found no violation of the CFAA because the defendants' access and use of BIS' data was not “unauthorized,” pointing out that BIS “placed no restrictions on its users as to how they could make use of the information that they retrieved from BIS's [W]eb site.” Id. at 7. The court recognized that “if BIS wanted to restrict its users in their abilities to make unfettered use of the records they were accessing then it could have done so easily through its terms and conditions of usage.” Id.

Competitve Use

Similarly, Register.com v. Verio Inc. , 126 F. Supp. 2d 238, 245 (S.D.N.Y. 2000), affirmed on other grounds, 356 F.3d 393 (2d Cir. 2004), upheld terms of use to restrict competitive use of a Web site. Register.com, an accredited domain-name registrar, was required to permit online access to names and contract information for its customers “to provide necessary information in the event of domain-name disputes, such as those arising from cybersquatting or trademark infringement.” Id. at 242. The database permits “the user to collect registrant contact information for one domain name at a time by entering the domain name into the provided search engine.” Id.

The defendant Verio, a direct competitor of Register.com, built “an automated software program or 'robot'” and periodically downloaded all of Register.com's customer information so that the defendant could solicit those customers for the same Internet services offered by Register.com. Id. at 243. The robot's automatic downloading allowed Verio to contact Register.com's customers “within the first several days after their registration,” when they were most likely primed and ready to purchase the related services. Id. at 243. Relying on Register.com's terms of use prohibiting use of the data for marketing purposes, the court granted Register.com's motion for a preliminary injunction, finding that Verio's access to the data and its use of that data was “unauthorized” in violation of the CFAA.

Protecting Customers

In addition to protecting a business' competitive position, terms of use can protect customers. The one area to date in which the courts have enforced terms of use under the CFAA to protect customers is with junk e-mail known as spam. For example, in America Online Inc. v. LCGM Inc. , 46 F. Supp. 2d 444 (E.D. Va. 1998), America Online (“AOL”)'s terms of use “bar[red] both members and nonmembers from sending bulk e-mail through AOL's computer systems.” Id . at 448. The defendants had “transmitted more than 92 million unsolicited and bulk e-mail messages advertising their pornographic Web sites to AOL members” during a six-month period. The court granted AOL summary judgment on its CFAA claims, finding that the “Defendants' actions violated AOL's Terms of Service, and as such was unauthorized.” Id. at 450.

The terms of use at issue in the Drew prosecution were designed to protect the personal safety of MySpace members. All MySpace members must agree to these terms as a condition to becoming members and gaining access to MySpace content and services. Thus, prospective members had to agree to “provide truthful and accurate registration information,” and “refrain from ' using any information obtained from MySpace services to harass, abuse, or harm other people, soliciting personal information from anyone under 18,” “promoting information that they knew was false or misleading,” and “promoting conduct that was abusive, threatening, obscene, defamatory, or libelous.” The indictment pending against Drew alleges that she violated MySpace's terms of service by creating a MySpace account using the alias “Josh Evans.” As the fictitious Josh Evans, a 16-year-old boy, Drew initiated and fostered an online relationship with the juvenile girl, a former friend of Drew's daughter identified in the indictment as M.T.M. About four weeks into this online relationship, Drew send M.T.M. a message stating “in substance, that the world would be a better place without M.T.M in it.” On that same day the young girl hanged herself.

Drew was charged with violating ”1030(a)(2)(C) and (c)(2)(B)(ii) of the CFAA, which make it a felony if one “intentionally accesses a computer without authorization ' and thereby obtains ' information from any protected computer if the conduct involved an interstate ' communication” and “the offense was committed in furtherance of any ' tortuous act [in this case intentional infliction of emotional distress] in violation of the ' laws ' of any State.” The indictment charges that Drew's access to the MySpace Web site was “without authorization” because her conduct directly violated MySpace's terms of service.

Questions to Ask When Implementing Terms of Use

The recent CFAA civil cases discussed above and the Drew criminal prosecution predicated on violations of terms of use make it imperative that all Web site owners institute or review terms of use with the following issues in mind:

• Are the terms of use sufficient to protect the company and members of the public who use the Web sites? No one size fits all. Thus, it is critical that the terms of use address the specific risks posed to the business and to those who use the Web site.
• Are the terms of use adequately communicated on the Web site? The terms must be clearly communicated and posted conspicuously on the Web site to delineate what conduct is or is not authorized. For example, in the Southwest Airlines case, the court found that it was sufficient that the prohibition on using an automatic robot was “accessible from all pages on the [W]eb site.”
• Should a company take the extra step of forcing Web site users to agree expressly to the terms of use? This can be accomplished either through a “clickwrap” agreement such as is required on MySpace whereby the user must assent to its terms by clicking on an accept button, or through a “browsewrap” agreement whereby the user's consent is inferred through his use of the benefits conferred by the Web site. The breach of the contract can be a separate basis to show lack of authorization under the CFAA ( see , U.S. v. Phillips , 477 F.3d 215, 220 (5th Cir. 2007)) and can provide a separate cause of action for enforcing the terms of use.
• Is the company adequately monitoring compliance with its terms of use and notifying those who are not complying? In both Southwest and Register.com, the courts found that the lack of authorization was further supported when direct notice of violations was communicated to the defendants.