Time to Gut CFAA Like The Rotten Fish It Is: Protests and Reform Proposals for Computer Crime, with Added Matthew Broderick

It’s not usually our dealio here at Digital Fourth to weigh in on federal digital rights, because terrific organizations like EFF, Fight for the Future, Demand Progress and the ACLU generally do that heavy lifting for us. But so much has happened regarding prosecutions under the Computer Fraud and Abuse Act that it’s worth focusing on what this law is, why it’s in such a mess, and what can usefully be done about it.

When originally passed way back in 1986, the intent of the CFAA was to ban hacking. This kind of hacking:

Wait, Ally Sheedy was in this? I must watch it again.
Wait, Ally Sheedy was in this?

In other words, what they were concerned about was access to “Federal interest computers”, namely computers belonging to the government, or at certain designated utilities like nuclear power stations or financial institutions. Now, however, the law covers pretty much any computer held by anyone.

Why is that a problem? Read on!

The penalties developed for the kind of unauthorized access that could potentially start World War III, if applied generally to any computer at any institution, become grossly disproportionate and unjust. Recent prosecutions include vandalizing a news article on a “protected computer” belonging to The Tribune Company, and downloading information on IPad subscribers from the AT&T website. Employers now frequently use the CFAA to assert violations by ex-employees, when it’s routine for ex-employees to have some company data on their personal computers. In proposed updates to CFAA now being considered by Congress, simply lying in an online registration or violating a website’s Terms of Service would now class as a CFAA violation.

These are not offenses that rise anywhere near the level of a national security threat. We’re a long way from the scenario of WarGames here.

Eric Goldman’s new article in Forbes, “The Computer Fraud and Abuse Act Is A Failed Experiment”, breaks down an even deeper problem with the CFAA [disclosure: Professor Goldman is a friend of a friend]. He observes that the CFAA tries to create ways that using someone else’s electronic property causes a definable harm, in order to apply ancient offline legal doctrines to the physical world. If you take a car for a joyride, you’ll probably not return it in the same condition.

Cars have odometers.
Cars have odometers.

But if you access a digital file, and observe the information in it, you leave it in exactly the same condition you found it in – there’s no damage. So CFAA jurisprudence allows the file owner to count the cost of trying to prevent the defendant’s usage as “damage.” In the case of Aaron Swartz, JSTOR suffered nothing that any reasonable observer would be able to recognize as being “damage”: it still possessed all of its academic articles after Swartz’s intrusion, and Swartz did not attempt to sell them to others. He was still threatened with $1 million in fines.

To correct this kind of fake damages claim, Professor Goldman argues that the law should presume that when we connect a computer to the Internet, we do it with the intent of exchanging packets of information. He believes that the ordinary law of contract is enough to deal with situations where private users violate private companies’ terms of service. He recommends as follows:

1) Repeal most provisions of the CFAA (that don’t relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.

2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.

3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.

4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).

We agree.

If you’d like to let Congress know that they should sharply limit the CFAA, consider signing the petition for Aaron’s Law here. And if you’d like to join Demand Progress’s Aaron’s Law protest in Boston, you can RSVP here.

2 thoughts on “Time to Gut CFAA Like The Rotten Fish It Is: Protests and Reform Proposals for Computer Crime, with Added Matthew Broderick

  1. It appears to have been originally passed as part of the Comprehensive Crime Control Act of 1984, but, under the title of the Computer Fraud and Abuse Act, is generally cited as the “Computer Fraud and Abuse Act of 1986”. So it’s certainly true that federal legislation has existed on the subject since 1984.

Leave a Reply