Overcriminalizing the Digital World

30 Years of the Computer Fraud and Abuse Act

If depictions in movies are to be believed, hacking is an intense, dramatic act with aggressive typing and out-of-context buzzwords like “firewall” and “algorithm.” A techie will coolly utter “I’m in,” shortly before setting off nuclear weapons, shutting down power grids or emptying thousands of bank accounts. Unfortunately, U.S. cyberlaw and associated penalties are more suitable for films about hacking than the much more mundane reality.

Your average hacker, according to Hollywood. Photo by Brian Klug.

This year marks the 30th anniversary of the Computer Fraud and Abuse Act (CFAA), passed in 1986 to prohibit unauthorized access to computers. However, the law’s vague language and excessive penalties have created major problems in its application and contributed to the larger issue of overcriminalization in America.

Could you be arrested for sharing your Netflix password? Probably not, unless Netflix has directly asked you not to, but the answer isn’t perfectly clear. The question of what exactly “authorization” means is still being decided by the courts.

A key decision came in 2008 on an appeal of Facebook v. Power Ventures. In an attempt to attract more users to its social media aggregation website, Power incentivized users to connect their Facebook accounts to Power, allowing the aggregator to access Facebook content. Facebook issued a cease and desist notice and, when Power failed to comply, blocked one of Power’s IP addresses. However, the block was ineffective because Power was using multiple IP addresses.

The court ruled that, while users could give authorization to third parties (as Facebook users did for Power), Facebook’s effort to block Power’s access revoked that authorization and made Power’s subsequent actions a violation of the CFAA.

More recently, in United States v. Nosal, the Ninth Circuit ruled that permission from an authorized user was not necessarily sufficient to avoid punishment under the CFAA. After having his login credentials revoked by his former employer, David Nosal used the password of a former coworker (with that coworker’s permission) to access a company database. The court found that this violated the CFAA.

Not only is the definition of authorization unclear, but the penalties can also be quite steep due to the mandatory minimum sentences included in the Act. First-time offenders could face between one and five years in prison, while a second offense earns 10 to 20. This, combined with a lack of clarity about what constitutes a violation, means one could easily spend years in prison for a purely accidental crime.

Nothing better exemplifies the problems with the CFAA’s penalties than the tragic story of Aaron Swartz. In 2011, Swartz was arrested for using a connection in an MIT wiring closet to download a large number of journal articles from JSTOR. Although JSTOR quickly fixed the security flaw Swartz exploited and declined to press charges, Swartz was ultimately indicted on charges carrying up to 35 years in prison, including 11 counts of violating the CFAA.

In 2013, Swartz was found dead in his apartment. His death was ruled a suicide, and while he left no note, those close to him blame the steep penalty and aggressive prosecution that he faced.

In a recent panel hosted by the Charles Koch Institute and the Electronic Frontier Foundation, Paul Rosenzweig, principal at Red Branch Consulting, noted that many of the crimes covered by the CFAA could also be prosecuted under other laws. The Nosal case, for example, also involves the theft of trade secrets. Yet the CFAA applies additional penalties solely because the crime involves a computer. As Rosenzweig points out, this parallels the way crimes involving guns are treated. However, while harsher sentences for gun crimes could at least be somewhat justified due to the added danger, the use of a computer to commit a crime should not make a difference.

The CFAA is clearly broken and, in many cases, unnecessary. Acts that were already illegal need not be treated especially harshly just because a computer was involved, and any law intended to address new computer-related crimes must be carefully crafted to avoid needless overcriminalization of innocent acts.