Amending the Computer Fraud and Abuse Act


Back in February, I wrote about the crowdsourced effort to change the Computer Fraud and Abuse Act called Fork the Law. Now, Rep. Zoe Lofgren (D-CA) and Sen. Ron Wyden (D-OR) have introduced legislation in the House and the Senate to make changes to the CFAA.

In an op-ed in Wired, Lofgren and Wyden introduced the bill as “Aaron’s Law,” in honor of Internet activist Aaron Swartz, who committed suicide last year. Their bill would amend the CFAA to narrow the scope of its enforcement and clarify what constitutes a breach.

The Computer Fraud and Abuse Act, codified at 18 USC 1030 et seq., amended the Counterfeit Access and Abuse Act, essentially criminalizing any intentional, unauthorized access to a protected computer that houses government data or is involved in interstate commerce. The statute can be used to prosecute crimes, and also allows for some civil actions.

The CFAA was introduced in 1986, and amended in 1994, so it hasn’t exactly kept up with technology. Terms of Service and EULAs for websites and applications are standard practice now, and courts have interpreted violating these contracts as “unauthorized access” of a computer, which can actually be prosecuted under the CFAA.

Remember the Lori Drew – Myspace case from 2008? Drew was charged with violating the CFAA after she created a fake Facebook page and bullied a teenage girl, who later committed suicide. In that case, the district court found that she could be prosecuted under the CFAA.

More recently, the Aaron Swartz case highlights the problems with this outdated law. Last year, Swartz broke into a server room at MIT. He downloaded a large number of JSTOR articles – which were licensed by the school and entitled to copyright protection. He was caught. Swartz never distributed the content, and he claimed to be committing an act of civil disobedience, to draw attention to the fact that public dollars had been spent on research that was being sold for a profit. Local prosecutors declined to prosecute him for trespass, but the federal prosecutors went after him for CFAA violations. Under the redundant sentencing provisions, they threatened him with 35 years in prison. Swartz committed suicide.

Aaron’s Law would amend the CFAA provisions to more effectively target hackers – who break into computer networks to steal information and commit crimes. According to Wyden and Lofgren, this is the original target of the law. They aim to separate everyday, common use of the Internet from malicious, intentional criminal use. To this end, the amendments will:

“Establish that mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA.

Bring balance back to the CFAA by eliminating a redundant provision of the law that can subject an individual to duplicate charges for the same CFAA violation.

Bring greater proportionality to CFAA penalties.”

Seems like some good, common sense alterations. We’ll be following the bill’s progress here.