The Department of Justice proposed expanding federal cybersecurity laws to make violations of website terms of service agreements a criminal offense. Under this interpretation, actions as mundane as uploading a video that ran afoul of a platform’s content policies or creating a pseudonymous social media profile could carry federal criminal penalties.

The Proposed Expansion of the Computer Fraud and Abuse Act

The DOJ sought to broaden the Computer Fraud and Abuse Act (CFAA) so that a website’s terms of service would legally define what constitutes “authorized” use. Under this framework, agreeing to a site’s terms of service would carry the legal weight of a contract, and violating those terms, even unknowingly, could expose users to criminal prosecution.

The implications were far-reaching. Millions of Americans routinely violate terms of service agreements without realizing it, whether by providing an approximate age on a registration form, sharing login credentials with a family member, or uploading content that later receives a takedown notice. On platforms like YouTube, users sometimes learned months or years after posting that their content had been flagged as a terms of service violation based on a single user complaint.

Legal Experts Sound the Alarm

Attorney Stewart Baker warned that under the proposed amendments, uploading a copyrighted video to YouTube more than once could be classified as “a pattern of racketeering,” subjecting the user to severe criminal penalties far exceeding what would be expected for a civil copyright matter.

The distinction between civil and criminal liability was central to the controversy. Website terms of service had traditionally been treated as civil agreements, with violations handled through account suspensions or civil lawsuits rather than criminal prosecution. The DOJ’s proposal would have erased that boundary entirely.

Broad Coalition Pushes Back

An ideologically diverse coalition of organizations came together to oppose the legislation. The American Civil Liberties Union, Americans for Tax Reform, the Electronic Frontier Foundation, and FreedomWorks jointly submitted a letter to the Senate criticizing the proposed changes.

Their letter highlighted the absurdity of the legal framework: assuming a fictitious identity at a social gathering carried no federal consequences, but adopting the same pseudonym on a social network that prohibited fake names could trigger a federal criminal investigation. The coalition characterized this as “a gross misuse of the law.”

Part of a Broader Push to Regulate Online Activity

The CFAA expansion was not an isolated effort. It coincided with several other legislative proposals aimed at increasing government control over internet activity. Companion legislation known as the “Rogue Websites Bill” proposed creating a government-maintained block list that would require internet service providers to deny access to specified websites, a mechanism critics compared to internet censorship systems used by authoritarian governments.

Additionally, proposals for mandatory internet identification systems were circulating in Congress, which would have required users to verify their real identity before accessing certain online services. Privacy advocates argued these proposals collectively represented a fundamental threat to internet anonymity and free expression.

The debate over the CFAA expansion underscored a persistent tension in digital policy between the government’s interest in controlling online behavior and the public’s expectation of privacy and freedom on the internet.