View Thread > Internet Law 2002 (St. John's) > Worm with a EULA > These actions are not covered by 18 USC 1030
A new email worm making the rounds offers recipients a "virtual postcard" from FriendGreetings. If a user clicks a link in this email message, the user is prompted to install software to view the card. The software comes with a long End-User License Agreement (EULA), which includes the following paragraph:
"1. Consent to E-Mail Your Contacts. As part of the installation process,
Permissioned Media will access your MicroSoft Outlook(r) Contacts list and
send an e-mail to persons on your Contacts list inviting them to download
FriendGreetings or related products. By downloading, installing,accessing
or using the FriendGreetings, you authorize Permissioned Media to access
your MicroSoft(r) Outlook(r) Contacts list and to send a personalized e-mail
message to persons on your Contact list. IF YOU DO NOT WANT US TO ACCESS
YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST, DO
NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS."
Users may click "Back", "Yes", or "No". If a user clicks "Yes", the software installation continues, sending the same FriendGreetings email to everyone on that user's Contacts list. Other parts of the EULA give Permissioned Media the right to send ads to the user's computer and to update its installed software at any time.
See http://www.sarc.com/avcenter/venc/data/friendgreetings.html for further details.
This software thus spreads like a worm or virus, but every infected user has putatively "accepted" the EULA. Do you see any violation of the Computer Fraud and Abuse Act here?
1030(a)(2) is designed to insure that it is punishable to misuse computers to obtain government information and, where appropriate, information held by the private sector. As the Senate Judiciary Committee said in 1986, the premise of 1030(a)(2), for the private sector, was "the protection, for privacy reasons, of computerized credit records and computerized information relating to customers' relationships with financial institutions." Further, 1030(a)(2)(A) is specifically limited to "information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.)." Since Permissioned Media's actions fall under none of the aforementioned categories, I do not believe that they have violated the Computer Fraud and Abuse Act.
However, assuming that Congress intended in the future to expand the Act's reach to this type of conduct, there may be grounds for a claim that Permissioned Media violated the Computer Fraud and Abuse Act. The first question is whether they "knowingly accessed a computer without authorization." Essentially, this depends upon whether the consent paragraph can be considered an informed consent giving Permissioned Media authorization after FULL DISCLOSURE. Since the License Agreement is long, this paragraph may be buried somewhere and thus not be an adequate means to gain authorization. In contrast to Shrinkwrap and Clickwrap, which protect a software company's products that consumers purchase, the Agreement here is more like a mass mailing, with a smaller or non-existent tangible benefit to the consumer. Thus, I feel that Permissioned Media may have acted without authorization, notwithstanding that paragraph.
Another argument that can be made is that Permissioned Media "exceed[ed their] authorized access" by sending ads to the user's computer and updating its installed software, as there was no option for the "downloader" to click "Back" or "No" to these paragraphs.