It's an anti-hacking law.
It criminalizes accessing computer systems "without authorization."
"(E)xceeds authorized access" terminology was left undefined. Misinterpretations
and abuse followed. Overzealous prosecutors take full advantage.
In 1984, CFAA was enacted. It was amended numerous times. It's primarily
a criminal law. At issue are seven types of offenses.
They include obtaining national security information, compromising confidentiality,
trespassing in a government computer, accessing a system to defraud and/or
obtain value, damaging a computer or information therein, trafficking
in passwords, and threatening to damage a computer.
A 1994 amendment permits civil actions. In 2001, Patriot Act provisions
addressed computer crime. They require Internet service providers to report
suspicious information or activity "without delay."
In 2008, the Identity Theft Enforcement and Restitution Act criminalized
conspiracy to commit CFAA related crimes.
The Electronic Frontier Foundation (EFF) calls CFAA "infamously problematic."
Reforming it is long overdue. Creative prosecutors game the law advantageously.
Charges unrelating to hacking follow. CFAA's "disproportionately harsh
penalty scheme" punishes innocent victims.
Alleged first-time offenders face up to five years imprisonment. Repeat
ones get ten or more years and stiff fines.
Violations of other CFAA provisions impose longer sentences. In some cases,
life in prison is possible.
Aaron Swartz was maliciously and wrongly charged with excessive CFAA penalties.
EFF demands reform. Abusive legislation requires fixing. Punishments should
fit crimes. CFAA is rife with problems. It's outlandishly draconian.
Its undefined language encourages abuse. Minor no harm incidents become
major ones. Criminal prosecutions follow. EFF's proposal remains a work
in progress. It's three-part series discussed it.
Part 1 calls for "no prison time for violating terms of service." CFAA's
greatest flaw criminalizes accessing computer systems "without authorization"
or in ways that "exceeds authorization."
Undefined terminology "gives the government tons of leeway to be creative
in bringing charges." Overzealous prosecutors take full advantage. Innocent
"Vague laws are dangerous precisely because they give prosecutors and
courts too much discretion to arbitrarily penalize normal, everyday behavior."
Innocuous activities become crimes. Misstating age on Facebook can be
criminalized. The website's Rights and Responsibilities make users promise
not to "provide any false personal information."
Innocent misstatements can be criminalized. Inaccurately calling yourself
tall, dark and handsome on Craigslist can bring long prison terms.
Its Terms of Service say users can't post "false or fraudulent content."
Buying a lotto ticket with Square invites trouble. Its Wallet User Agreement
prohibits many types of transactions.
They include purchases "in connection with" membership clubs, identity
theft protection services, lotto tickets, or "occult materials."
Letting a friend log into your Pandora account violates its terms of service.
Users must "agree (not to) allow others to use any aspect of your Account
Prosecution can follow posting impolite comments on The New York Times
web site. Its Terms of Service demand courtesy, "respectful language,"
and "debate (without) attack."
Using Hootsuite to update your Google Plus page risks trouble. It lets
users manage their Twitter and Facebook accounts.
It promotes Google Plus integration. Be wary, warns EFF. Google's Terms
of Service warns against "misuse (of) Services."
It cautions users not to "try to access them using a method other than
the interface and the instructions (it) provide(s)." Doing so risks criminal
Don't try sending sexy messages on eHarmony. Its Terms of Service prohibit
using it for "sexually oriented" content. "Off-topic" or "meaningless"
material is banned. Searching for love the wrong way invites trouble.
EFF is clear and unequivocal saying:
Abusive legislation may "land you in the Big House."
"Internet users shouldn't live in fear that they could face criminal liability
for mere terms of service violations - especially given that website terms
are often vague, lopsided and subject to change without notice."
"Security testing, code building, and free speech - even if unabashedly
impolite - are fundamental parts of the Internet's character."
Violating service terms or other private agreements shouldn't risk criminal
prosecution, imprisonment, and stiff fines. Support EFF "in calling on
Congress to fix" glaring CFAA abuses.
EFF's Part 2 offered ways to fix CFAA.
(1) Clarify unauthorized access. Define it precisely. Abandon the phrase
"exceeds authorized access."
Simplify CFAA. Streamline it. Make it consistent with related federal
appeals court rulings. Don't criminalize minor infractions.
(2) Two major penalties need fixing. More on them below. They're redundant.
They repeat other CFAA prohibitions. They let prosecutors game the law.
Remove the provision that lets litigants bring civil actions. They're
also redundant. They risk judicial misinterpretations. Criminal prosecutions
"Require repeat offenses to actually be subsequent offenses." Doing so
stops "prosecutors from leveraging the same course of conduct into a 'repeat'
offense." They do it for stiffer penalties.
Make first-time offenses misdemeanors "unless they are done for commercial
advantage, private financial gain in excess of $10,000, or the offense
is committed in furtherance of a felony."
At issue is stopping unwarranted aggressive prosecutions. Curbing them
should be prioritized. Government officials shouldn't have discretion
to turn minor offenses into felonies.
EFF's Part 3 said "punishment should fit the crime."
"Computer crime law should not double-count offenses." CFAA's section
1030(a)(3) criminalizes accessing without authorization either:
(a) computers used exclusively by the federal government or
(b) ones used by the government in ways that affect its computer use.
Section 1030(a)(4) criminalizes "knowingly and with intent to defraud"
computer accessing without authorization and/or obtaining something of
value as a result.
CFAA criminalizes this behavior elsewhere in the statute. Section 1030(2)(2)(B)
criminalizes accessing computer systems without authorization and obtaining
information from a US agency or department.
It also prohibits accessing without authorization any "protected computer."
The ill-defined term invites abuse. It can mean any government operated
Conduct prohibited under section 1030(a)(4) is redundant. It's covered
under the wire fraud statute (18 USC 1343). It criminalizes wire communications
for fraudulent schemes.
Redundant sections let overzealous prosecutors pile one. They can add
multiple charges. They can ratchet up penalties. They can turn minor infractions
into major ones.
Other statutes also address computer crime. Employees using their computer
credentials for access into corporate systems to obtain sensitive proprietary
information can be charged with misappropriation of trade secrets under
18 USC 1832.
Improperly accessing Social Security numbers for identity theft purposes
can be prosecuted under the identity theft statute (18 USC 1028).
Aggravated identity theft can be charged under 18 USA 1028A. Persons trafficking
in stolen passwords for an online bank account face charges of trafficking
in a stolen access device under 18 USC 1029.
"Repeat offenses should trigger harsher punishments only if they happen
after a prior conviction," says EFF.
Computer misdemeanors shouldn't be criminalized. They're misunderstood.
Maximum penalties are one year or less imprisonment.
Felonies bring more than one year. Multiple ones pile on. Harsher punishment
follows. Doing so should be restricted to serious crimes.
Offenses causing little or no harm should be minor misdemeanors. Lives
shouldn't be ruined for slight infractions. Loss of freedom is serious.
Probation terms can be onerous. Minor violations can bring harsh
Felonies should be restricted to unauthorized access for commercial advantage
or private fair market financial gain exceeding $10,000.
They should be related to other felonies. Examples include identity theft,
obtaining trade secrets, criminal copyright infringement, or stealing
classified government information.
They should apply to damaging computer systems if doing so impairs medical
diagnoses or treatment, injures people other ways, creates public health
or safety issues, affects government computers used for justice, national
defense, or national security, and/or is done for commercial advantage
or significant private financial gain.
After Aaron Swartz's death, EFF called for fixing draconian computer crime
law. Doing so requires penalties proportionate to wrongdoing.
EFF called Aaron Swartz "a close friend and collaborator." His suspicious
death was more than a personal tragedy. It was "the product of a criminal
justice system rife with intimidation and prosecutorial overreach," said
He spent months battling unjust charges. His case highlights profound
CFAA abuses. Hacking laws are broad, vague and unfair. They call for excessive
penalties. They overstep and overreach.
Aaron was no super-hacker. He was targeted to silence him. He may have
been murdered in the process. Julian Assange thinks so. "Read his words,"
he said. "Decide for yourself."
"I believe Swartz was murdered by a team of copyright assassins who made
it look like a simple suicide. Watch what you say or you may end up like"
His girl friend, Taren Stinebrickner-Kaufffman, believes depression didn't
drive him to suicide. She researched clinical depression symptoms. "Aaron
didn't fit them," she said.
He was energetic, not inactive, withdrawn and isolated. He had every reason
to live, not die. He had much more he wanted to accomplish.
He "had a profound capacity for pleasure in everyday life." His "death
was not caused by depression."
She blames "a criminal justice system that prioritizes power over mercy,
vengeance over justice, a system that punishes innocent people for trying
to prove their innocence instead of accepting plea deals that mark them
as criminals in perpetuity."
Others dismiss suicide entirely. Aaron's own words excluded it they say.
His Open Access Manifesto called information power.
"But like all power, there are those who want to keep it for themselves,"
he said. He wanted scholarly/scientific "public culture" information shared.
"When things are hard - and he said it is the important things that are
hard - you have to lean into the pain." Does that sound like someone planning
It's time to amend CFAA, says EFF. Doing so will prevent prosecutors from
arbitrarily throwing the book at people "they don't like."
Aaron's "memory should challenge us to make the Internet, the law, and
the world better. One place to start is CFAA."