The CFAA is a Federal law that attempts to punish and deter hacking by criminalizing unauthorized computer access or computer access that exceeds authorization. Strong criminal penalties are needed to deter harmful hacking, including theft of sensitive information held by online intermediaries (e.g., emails or personal financial information). But as written and as interpreted by the courts, the CFAA is overbroad, failing to provide guidance to users and innovators as to what computer use is permissible and allowing prosecutors to bring multiple felony charges against individuals whose actions have not caused harms proportional to their punishments. Incarceration inevitably ruins lives and curtails lawful activities; criminal sanctions should be carefully reserved for punishing — and deterring — truly harmful hacking.
Recommendations
Congress should reform the CFAA to narrow its scope and ensure that punishments are calibrated to the seriousness of the offense, specifically:
- More clearly define what constitutes “unauthorized access.” In doing so, Congress should ensure that violations of a website’s TOS or an employer’s acceptable computer use policy are not themselves punishable under the statute.
- Reduce prosecutorial discretion by eliminating redundant provisions that lead to duplicate charges and ensuring that criminal sanctions are proportional to harms perpetrators have actually caused.
- Go further than Aaron’s Law by clarifying that an Internet user’s attempt to remain anonymous by concealing personally identifiable information is not a criminal activity.
Background
What is the CFAA and what is it intended to do?
Congress passed the CFAA in 1986, making it a federal crime to (1) access a “protected computer” without proper authorization or (2) exceed one’s authorized access. The original intent of Congress was to protect specific entities from harmful hacking.
- The CFAA fails to define the phrase “without authorization” but at least attempts to define “exceeds authorized access.” 18 U.S.C. § 1030(e)(6) defines “exceeds authorized access” as accessing “a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.”
- Under 18 U.S.C. § 1030(e)(2), computers covered by the Act are those of financial institutions, the U.S. government, and computers used in or affecting interstate or foreign commerce or communication. In practice, this has extended to any computer connected to the Internet.
- Congress passed the CFAA as a federal anti-hacking criminal law with seven enumerated offenses. Following further amendments, the statute now permits plaintiffs to bring civil actions as well.
How has technology changed since the law was first drafted?
The CFAA was drafted back in the days when hacking into a computer meant utilizing a room-sized mainframe computer in a secure facility. Today, effectively all computers are networked together through the Internet. Accordingly, you can be said to gain access to countless computers whenever you go online. Shopping on Amazon is the same as accessing their servers; visiting a blog entails browsing the public files of the computer it’s hosted on.
What is the hierarchy of harms covered by the CFAA?
Because of these changes in technology, “unauthorized access” no longer necessarily entails NORAD supercomputers, inadvertent wars with the Soviet Union, or other large-scale harms. To better understand the sorts of activity that are indiscriminately criminalized by the CFAA, harms from access should be roughly classified by degree:
- Little or no harm from access: Given that casual Internet use involves accessing countless computers a day, some instances will probably not be “authorized.” This is especially true when “authorization” is interpreted as the conditions of use specified by a service provider or employer. Under the CFAA, failing to remain polite on message boards, sending sexual messages on dating sites, using company computers to play Angry Birds, or any other act that contravenes some private computer-use policy, could potentially constitute a criminal act subject to felony prosecution.
- Some potential harm: Other sorts of unauthorized computer access might be less innocent than minor violations of a Terms of Service Agreement (TOS). A newspaper reader might switch devices or change her IP address to view articles above the paywall limit, or an online shopper might delete their cookies in order to prevent behaviorally-adjusted prices on flights. Here, criminal sanctions may also be excessive, but there is room for debate.
- Actual but non-catastrophic harm: Activists, pirates, and opportunists hack into computers with various motives: selfish or selfless, noble or perverse. Aaron Swartz hacked the JSTOR archive of scholarly articles because he had a genuine — some might say admirable, some misguided — conviction that publicly-funded research should be freely available. Nonetheless, hacktivism on this scale is criminal and does violate the privacy or intellectual property rights of others. While strict punishment may be necessary to deter these violations, the CFAA imposes punishments that many believe are vastly disproportionate.
- Catastrophic harm: When unauthorized access involves terrorism, industrial or political espionage, or theft of sensitive personal information, it can be truly devastating to the rights of private online entities or to national security and the well-being of all citizens. In these cases, clear law and strict punishments are desirable.
- Beneficial but still unauthorized access: Security research and testing. As in the case of “white hat hacker” Andrew “Weev” Auernheimer, a computer user may discover and reveal weaknesses in website security, which may contribute to and motivate subsequent improvements. Such users, however, will have necessarily accessed the website in a manner unauthorized by the website owner.
- Innovative tinkering and web development: A user may want to tinker with a website or make data streams from a site interoperable with other services (e.g., automatically sharing their tweets on another social network). Such innovations can benefit users enormously and drive competition. There may well be a role for legal limits on such access, determined on a case-by-case basis in copyright, patent, tort, or antitrust law, but such interoperability should not be prohibited outright under the CFAA’s criminal sanctions.
Discussion
What are the societal and economic costs of the CFAA as it is currently drafted?
Whatever the law’s intentions, and whatever the value of deterring harmful hacking, the CFAA:
- Creates traps for the unwary and imposes harsh penalties on innocent or merely negligent offenders. By offering little guidance on what may qualify as “exceeding authorized access,” the CFAA leaves users guessing whether their normal computer use is actually felonious. Many Internet users may not even know that the CFAA applies to their casual browsing behavior, and some could unexpectedly suffer criminal consequences.
- Gives private entities too much say in what activities will be criminal. Criminalizing violations of a website’s TOS or an employer’s conditions of acceptable use empowers a vast array of private entities to determine what actions violate federal criminal law.
- Relies on inconsistent and politically-motivated prosecutorial discretion to avoid overcriminalization. The CFAA’s extreme breadth means only a fraction of those who might technically violate the law can actually be prosecuted. This gives prosecutors too much room to pick and choose defendants based on their visibility (or other political motivations) rather than the actual degree of harm caused. The CFAA also allows prosecutors to bring abusive and trumped-up charges that are unnecessarily and unjustifiably redundant (as in the Aaron Swartz case). The law also fails to place clear limits on a prosecutor’s ability to seek an increase in the severity of a punishment, and results in inconsistent and unpredictable sentencing.
- Erodes the certainty and predictability of the rule of law online. Without a clear picture of what is and is not a crime, people cannot tailor and plan their computer use accordingly. The arbitrary enforcement of uncertain, overbroad laws treats transgressors as wrongdoers before they can even have known of their errors. As legal philosophers have written, such violations of the rule of law deny the dignity of individuals because they treat responsible adults as children or animals in need of discipline rather than intelligent beings capable of understanding and following intelligible rules. This loss of dignity is not mere academic mumbo-jumbo; it can cause real psychological trauma, ruining lives and families.
- Stifles innovation and security research by criminalizing benign or beneficial trespass. Like muscles, security systems that are not regularly exercised and challenged will eventually atrophy and fail. Using criminal law to aggressively prevent benign or well-meaning exposures of security weaknesses turns good samaritans into criminals and discourages behaviors that would ultimately strengthen data security technologies. Similarly, many innovations are born from initially questionable behavior. Individuals should be able to bend the rules of a website to improve the site or produce a better, more innovative competitor, if they are willing to face any potential civil consequences. The criminal law, however, should not prohibit these beneficial activities.
- Limits the ability of Internet users to remain anonymous or untracked if they so choose. Some Internet users may wish to utilize an online service while also taking care to anonymize their participation. This does not always indicate illegal activity and may be born of a reasonable desire to conceal medical histories, controversial political views, or other sensitive personal information. Some websites may, however, prohibit this anonymous access. Again, that prohibition may be something worthy of enforcement in contract law, but using criminal law to enforce such a term unduly weakens the position of users in contractual relationships, while also precluding efficient breach.
What is Aaron’s Law and does it fix these problems?
Aaron’s Law is a bipartisan bill proposed by Representatives Lofgren and Sensenbrenner and Senator Wyden that would narrow the focus of the CFAA toward truly damaging hacks. The bill addresses concerns over the breadth and vagueness of the CFAA by:
- Clarifying the definition of accessing a computer “without authorization.” The law would eliminate the phrase “exceeds authorized access” and explain what it means to access a computer “without authorization.” The proposed definition is to “obtain information on a protected computer; that the accessor lacks authorization to obtain; by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.” Technological or physical measures would include password protection, cryptography, or physically locked doors. No longer would a breach of a website’s TOS, an employer’s acceptable computer use agreement, or some other contract be a per se violation of the CFAA. However, other laws could still lead to criminal sanctions for these activities.
- Precluding prosecutors from bringing redundant charges. Because of redundant provisions of the CFAA, a defendant can receive duplicate charges for the same CFAA violation. Aaron’s Law would strike Section 1030(a)(4) because it is effectively identical to Section 1030(a)(2). This would prevent abusive prosecutors from bringing both charges and over-penalizing individuals for their actions.
- Ensuring penalties are proportional to the crime. Penalties under the CFAA currently escalate from not more than one year to not more than ten years if the offense occurs after “a conviction for another offense.” Aaron’s Law would impose harsher punishments only on repeat offenders, not on first-time offenders facing multiple charges. The bill would also ensure that individuals need not fear punishment for harmless computer access that accompanies typical computer and Internet activity.
Our Position
Violating a website’s TOS or an employer’s acceptable computer use policy should not be a per se violation of the CFAA. Determining what actions are considered criminal ought to be the responsibility of lawmakers — not site operators and employers who lack democratic mandate and expertise in law or policy. Private terms and conditions are best enforced using private civil law because the party demanding justice bears the costs of the action in the event of a loss, but gains the benefits of damages or injunctions in the event of a victory. Incarceration is a powerful tool for deterring undesirable behavior, but it should be reserved for truly harmful activities. Any risk of incarceration will inevitably involve ruined lives and a reduction in lawful behavior, but policymakers must seek to minimize these consequences.
Unauthorized access should only be criminal when it leads to a bad act that causes actual damages. Given the varying degrees of harms that can result from unauthorized access to computers, the CFAA should criminalize only those acts that cause actual damages instead of chilling common online behavior, stifling innovation and security research. Users frequently access computers “unlawfully” under the CFAA but cause little or no harm. Imposing criminal sanctions for this type of behavior is inappropriate.
Punishments should fit the crime. The goals of criminal law are justice and optimal deterrence. The CFAA as it is currently written does not encourage prosecutors to attain these ends. Redundant provisions and unclear terms regarding the severity of punishments make for inconsistent, unpredictable indictments. The CFAA’s punishments should be proportional to the crime committed, so as not to over-deter certain lawful activities.
Aaron’s Law is only a first step. Ideally, the CFAA should clarify that masking personal information such as your real name, IP or MAC address, or device identifiers is not inherently criminal. There are many legitimate reasons why privacy-savvy Internet users might want to hide such information, from keeping gift purchases secret to avoiding political reprisal — these users shouldn’t have to worry that they may face criminal prosecution.
Further Reading
- Larry Downes, CFAA and Prosecutorial Indiscretion, Tech Liberation Front (April 5, 2013), http://tch.fm/197MEYW
- Orin Kerr, Congress Considers Increasing Penalties, Adding Mandatory Minimum Sentences to the Computer Fraud and Abuse Act, The Volokh Conspiracy (May 24, 2011), http://tch.fm/197MNM5
- Electronic Frontier Foundation, Computer Fraud and Abuse Act Reform, http://tch.fm/197MSzd
- Zoe Lofgren and Ron Wyden, Introducing Aaron’s Law, a Desperately Needed Reform of the Computer Fraud and Abuse Act, Wired (June 20, 2013), http://tch.fm/197MWin
- Text (http://tch.fm/197MXmE) and summary (http://tch.fm/197MZuG) of Aaron’s Law
- Technology policy coalition letter on the CFAA and innovation, http://tch.fm/14nYwnx