Eric Goldman over at the Technology and Marketing Law Blog has some interesting trend analysis and useful practice pointers following the DOJ indictment of Lori Drew for CFAA violations. I strongly agree with his caution about overusing the laundry list when listing prohibitions. He also echoes the advice we always give our clients, namely that the most likely source of liability is not what is in or not in the legal policies, but rather when your legal policies don't match your actions in operations or enforcement.
Here's an excerpt of Eric's post:
As a result, the DOJ prosecutors appear to be trying to make the MySpace user agreement do more work than it was designed to do. In that respect, I see this case as part of a broader trend where government enforcement agencies are misreading and misusing website user agreements. Consider two other very recent examples of government folks attaching undue emphasis to restrictions in website user agreements:
* the New Jersey Attorney General's office apparently misread restrictions in JuicyCampus' user agreement to think they should constitute affirmative marketing representations
* Joe Lieberman thinks YouTube should wipe terrorist videos off its site because its community guidelines discourage users from posting violent videos
This disturbing trend prompts me to offer a practice pointer to those of you who draft user agreements. Many user agreements—including MySpace’s—have gotten bloated with lengthy lists of restrictive rules (a manifestation of the rule proliferation phenomenon I blogged about here). It's pretty clear to me that government enforcement actors, either because of their fundamental misunderstanding of contract law or for their own self-aggrandizement, will treat these restrictions as expectations that the conduct won't occur on the site. But because most websites don't proactively enforce the restrictions they announce, this sets up a mismatch between rules and actual behavior—a mismatch that enforcers appear all too happy to exploit.
Therefore, I think it is better practice for contract-drafters to rely more heavily on general restrictive clauses in website user agreement (e.g., "we can kick you off at our convenience") than on overly detailed/specific but underenforced lists of restrictions. I know this stance runs contrary to the prevailing sentiment among most Cyberlawyers, who seem to believe that for every bad user behavior, it's easy enough to add a new contract prohibition that putatively eliminates the problem. But if the contracts are being misread, rule proliferation may be doing more long-term harm than good.
