Congress should reconsider proposed update of CFAA
Congress passed the Computer Fraud and Abuse Act in the early days of the Internet to crack down on malicious hackers, but federal prosecutors have stretched the law since then to apply to computer users who merely violated a website’s terms of service. Now, the House Judiciary Committee is circulating a proposed update of the act that, instead of fixing its flaws, would enable prosecutors to threaten alleged violators with dramatically bigger penalties. That’s a dangerous step that lawmakers shouldn’t even consider in light of the well-documented misuses of the law.
The 1986 act makes it a crime to gain access to information on a computer in an unauthorized way — for example, by hacking through the passwords protecting a shopping website’s server and copying the credit card numbers stored there. That prohibition applies both to people who aren’t authorized to use the computer and to people who exceed the authority they were granted.
The problem is that the act doesn’t clearly define what it means by exceeding one’s authorization. As a result, some prosecutors have argued — and some judges have agreed — that simply violating a site’s terms of service is equivalent to gaining unauthorized access. The draft circulated by the Judiciary Committee’s staff maintains the sorry status quo, affirming that those who violate terms of service to obtain information from a government website or “sensitive or nonpublic information” from any other site could be prosecuted. As cyber-law expert Orin Kerr observed, “the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions.”
A much better idea is the proposal by Rep. Zoe Lofgren, D-Calif., to narrow the law so that merely violating a site’s terms of service to obtain information would not be a crime. Lofgren’s proposal is backed by numerous online groups and civil libertarians. The committee’s draft, however, reflects the Justice Department’s desire for an even bigger hammer to use against online offenders. Among other things, it would enable prosecutors to bring federal racketeering charges against people accused of two or more violations of the 1986 law.
It’s easy to understand lawmakers’ interest in more powerful tools to combat cyber criminals, who pose an ever-growing threat. But Congress’ first step should be to narrow the law to protect people against overzealous prosecutors. When people are being threatened with 35 years in prison for downloading too many articles from an academic database, or sentenced to 41 years for exposing a security flaw that revealed nothing but email addresses, there’s something seriously wrong with the law. Congress shouldn’t expand the Computer Fraud and Abuse Act in any way until it fixes that problem.