On Amending the Computer Fraud and Abuse Act (CFAA)

suicide of internet pioneer and genius Aaron Swartz under the crushing pressure of a heavy handed federal indictment charging multiple Computer Fraud and Abuse Act (CFAA) violations has turned a belated spotlight on this horrific law. While many rightly decry the aggressiveness of the government’s prosecution in this case, noted computer law scholar Orin Kerr is right that Swartz’s indictment is not defective on its face as a matter of law.  There’s not a real argument on this point.  The real issue is that the law is fundamentally unjust because it is so vague and ill considered it makes felonies of what should be civil violations at best and risks putting even the most innocuous computer user at the mercy of a career minded federal prosecutor. The CFAA was originally written in 1986, in computing’s Pleistocene era, before the advent of the internet, http, world wide web and a host of other digital realities we interact with on a daily basis.  It has its basis in common law trespass laws, but was born ill-formed from these laws when it quickly became apparent that common law trespass laws, laws that dealt with the physical world, didn’t work that well in the digital world.  The problem with this statutory birth of the CFAA from trespass laws is that where the common law of trespass had centuries to develop, the CFAA had no such gestation period.  It is an attempt to impose criminal and civil liability on a digital world that its authors didn’t understand at the time and one that has dramatically changed since the CFAA’s birth.  The common law just can’t keep up with the pace of technological change and as a result you get a bunch of case-law decided by people who know little about computing and who turn to ancient concepts of the common law meant for the physical world and contort them to fit a digital world they don’t understand. Here’s the issue: the CFAA imposes criminal and civil liability for unauthorized access to a protected computer (anything with a microchip) but nowhere defines unauthorized access.  The Court’s are all over the place on what this means, predicating liability under the CFAA on theories of contract law, agency law, the dictionary, common law trespass or the canard that you know it when you see it.  What you rarely see, if ever, is a serious analysis of how authorization and access is understood and implemented by the computing community, or a serious analysis of whether physical world legal analogies even work for cyberlaw.  This is a gift to federal prosecutors, who can pick and chose a definition of unauthorized access that is convenient to their case.  And given the draconian penalties easily available to prosecutors under the CFAA, and the fact that a defendant doesn’t even have to have been on notice (hello due process) for unauthorized access to occur, you have a recipe for disaster. That’s where the recently proposed “Aaron’s Law” comes in.  Arising from the wake of Aaron Swartz’s tragic suicide, it’s a noble attempt to amend the CFAA to try and prevent what happened to Aaron from happening again.  It does so under the mistaken impression that amending the CFAA’s non-definition of unauthorized access to exclude violations of terms of service contracts would have prevented Aaron’s prosecution. But this is incorrect.  If you removed all references to terms of service in Aaron’s indictment it would not have prevented his prosecutors from utilizing a host of other half baked definitions of unauthorized access to crush him.  Nonetheless, the mere fact that the conversation has started is a good thing. What really needs to happen with the CFAA is that its criminal scope needs to be radically circumscribed so that criminal liability is limited to situations where a significant and real harm has occurred.  Currently, you can be convicted of a felony under the CFAA by merely accessing a website without permission and looking at information.  This is something thousands if not millions of Americans do every day.  Everything else should be left to civil causes of action so the discretion to litigate is not left in the hands of career minded federal prosecutors.  Additionally, the definition of unauthorized access needs to be constrained to something that makes sense in the digital world, like hacking or bypassing a password, a definition that many state unauthorized statutes utilize.  The CFAA as it stands needs to be radically changed or its going to kill our best and brightest again.]]]]> ]]>