CFAA: Where the computer security law is broken

CFAA would allow frivolous prosecutions and stiffer penalties, while damping invention and free speech, opponents say

Educators and activists representing a swath of organizations and institutions -- from the Electronic Frontier Foundation to George Washington University -- took to Reddit Tuesday in an Ask Me Anything interview, seeking to educate the public about the controversial CFAA (Computer Fraud and Abuse Act) and to push for reform.

"We are here to discuss the [CFAA] which we are striving to reform, and under which Aaron Swartz, Andrew Auernheimer (weev), and others have been prosecuted and which potentially makes felons out of millions of Americans by criminalizing website terms of service violations," the participants explained.

Spawned in 1984, the CFAA was intended to reduce cracking of computer systems and to address federal computer-related offenses. Critics of the law have long decried it as excessively overreaching. Following Swartz's suicide earlier this year, lawmakers pledged to fix the law. However, the draft legislation that since emerged would expand it by raising the penalties for some hacking-related crimes and expanding activities covered by the statute.

The participants in yesterday's Reddit AMA laid out their case as to why the CFAA needs reform in the opposite direction: "We hail from across the political spectrum and we have somewhat divergent opinions about what the ideal CFAA would look like. But we all agree that the CFAA allows law enforcement to engage in frivolous prosecutions and/or to seek penalties that are severely disproportionate to alleged offenses -- and that this stifles innovation and speech and must be fixed."

The reform proponents fielded dozens of questions about the law, its flaws, what sort of reforms they advocated, and how the public could get involved. The following are excerpts from the discussion on Reddit.

On what CFAA is and why it needs reform
Orin Kerr, professor of law at George Washington University:

The CFAA was enacted ... to punish computer hacking. But Congress has broadened the law every few years, and today it extends far beyond hacking. The law now criminalizes computer use that "exceeds authorized access" to any computer.

The problem is that a lot of routine computer use can exceed "authorized access." Courts are still struggling to interpret this language. But the Justice Department believes that it applies incredibly broadly to include "terms of use" violations and breaches of workplace computer-use policies.

Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer? If interpreted this way, the law gives computer owners the power to criminalize any computer use they don't like. Imagine the Republican Party setting up a public website and announcing that no Democrats can visit. Every Democrat who checked out the site could be a criminal for exceeding authorized access.

On what changes proponents of CFAA reform would like to see
Mark Jaycox, policy analyst and legislative assistant for EFF:

We want to reform a vague, overly expansive law that was originally intended to only deal with malicious computer trespass of a very small subset of computers. The law has been used in an aggressive manner by the DOJ, which believes that violating a terms of service should be punishable under the CFAA.

We're trying to:

  • Make sure the CFAA doesn't criminalize simple terms of service violations
  • Make sure that security, researchers, engineers, and innovators can create add-ons, new products, and new services without the threat of a criminal prosecution
  • Decrease some of the penalties in the law so that low-level offenses aren't punished by an overbearing heavy-handed regime

On how the CFAA would affect civil forfeiture provisions
Ryan Radia, associate director of technology studies at Competitive Enterprise Institute (CEI):

The proposed civil forfeiture provisions are indeed troubling. Currently, "[a]ny property, real or personal, which constitutes or is derived from proceeds traceable to a violation of [the CFAA]" is subject to civil forfeiture. But the CFAA discussion draft would expand this to include "[a]ny property ... used, or intended to be used, to commit or facilitate the commission of [a CFAA violation]." This means your computer could be seized if you access a website in violation of its ToS, even if the government doesn't even charge (let alone convict) you of any crime.

1 2 Page 1
Page 1 of 2
How to choose a low-code development platform