Paid Advertising
web application security lab

ToS Abuse Abuse

Sorry I haven’t posted in a while. Not for lack of wanting to, but alas, the real world keeps pulling me away from the fun stuff. Maybe I’ll get a chance to post more over the holiday. No the title of this post isn’t a typo, I actually just wanted to spend some time iterating this case regarding the Megan Meier case about Cyberbullying and what that means for the average consumer. Like most cyber law I’ve come across, it’s not good.

Basically the verdict is that any violations of ToS can earn you jail time and fines. Yup, it’s a felony. So now, let’s put some haXor filters on that decision and talk about other consequences. Firstly, let’s look at Google’s ToS:

2.3 You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google, or (b) you are a person barred from receiving the Services under the laws of the United States or other countries including the country in which you are resident or from which you use the Services.

So if you are under eighteen and you DO you use Google, does that mean you committed a federal crime? And if so can you be tried as an adult, or do your parents take the rap? Or does your upstream for letting you use Google in the first place? Okay, that’s funky, but what about the fact that Google’s search engine is actually built into Firefox for domains typos? Does that mean if you typo a domain and you are underage you are committing a crime? How about those search boxes on everyone’s website that use Google? What about clicking on ads? Yah…

So, there’s a few ways to force people to commit crimes it seems. By creating hard to find TOS (Google’s isn’t on their front page, I might ad) and confusing language, it appears you can convict anyone of just about anything unless they really take the time to read your documents. That is, of course, unless your TOS strictly prohibits the reading of any part of their website. What about CSRF TOS abuse? Yah, you too can rickroll your friends right into the pokey. Believe it or not I’m actually not picking on Google here. They are just one of a million websites that can get you arrested for legal minutia. This is just a stupid law. Maybe the woman does deserve some jail time for what she did, but not for violating TOS - which she never even read. Her, along with every other MySpace user.

7 Responses to “ToS Abuse Abuse”

  1. Andy Steingruebl Says:

    A couple of points.

    1. She didn’t get convicted of a felony.
    2. We still don’t know what is going to happen on appeal.
    3. A semi-key element of the case is that she was aware of or should have been aware of the ToS.
    4. The judge still hasn’t ruled on the dismissal motion.
    5. The 9th circuit will almost certainly overrule on appeal.

    In several of the scenarios you’ve presented the user hasn’t accepted the ToS. In that case they couldn’t prosecute.

    I know this case has a lot of folks up in arms, and the CFAA has a bunch of problems in its language.

    There was a similar case related to the CFAA earlier this year. For some of my armchair analysis and much better by Mark Rasch, please see:

  2. Reelix Says:

    Just one thing I think everyone missed…

    Eligibility. Use of and Membership in the MySpace Services is void where prohibited. By using the MySpace Services, you represent and warrant that (a) all registration information you submit is truthful and accurate; (b) you will maintain the accuracy of such information; (c) you are 14 years of age or older; and (d) your use of the MySpace Services does not violate any applicable law or regulation. Your profile may be deleted and your Membership may be terminated without warning, if we believe that you are under 14 years of age.

    Now we see that MySpace requires users to be 14 or over.

    Although, you see by:

    That “Megan Meier, 13″ was in fact breaking the rules, and SHE didn’t read the ToS - Which in fact make the defendant “Lori Drew” totally innocent, as Megan shouldn’t have been on MySpace in the first place! :)

    Case Closed :p

  3. anonymous coward Says:

    s/ad/add ;-)

    call me a troll and/or delete this comment - but not without correcting the typo in the last paragraph :)

    thx & have some nice holidays

  4. Raphael Says:

    As far as I understand, the French ToS also include the “legal age” term. However, the German ToS [1] do not contain any age limitation for using Google’s services. They do also not contain any hint that they apply only to German citizens or people using the services from a computer located in Germany. Thus, I’d argue that you can always claim that you abide by the German ToS.


  5. Spider Says:

    I thought the legal age for revealing personal info was 13. I assumed that was the age they were referring to, but that may vary from state to state. Similar to the minimum age for marriage ( a form of contract ) varies as well, with some states setting it as low as 13 ( which for the record is disgusting and leads to all sorts of abuse).

  6. kik Says:

    This ToS point reminds me one of the dumbest law in France (don’t know if you have the same in your countries) : “No one is supposed to ignore the law”, which can be use in any trial when someone says “I didn’t know”.

    Actually, this makes *everybody* (even cops and judges) being outlaw, since no one can know every single law.

    I think the point in this law as in ToS is : how can we codify and turn in law what is supposed to be common sense?

  7. Cagekicker Says:

    Ignorance of the law is not an excuse, just as when you click “I agree to the terms of service”, whether you’ve actually read it or not, you are still in violation of the ToS.

    Cyber laws are always going to be a touchy subject, it’s the gray area of the justice system rather than most things which are generally black and white.

    @ Reelix: LOL. Nice rationale. :D