Reform the Computer Fraud and Abuse Act

Aaron Swartz was prosecuted under the so-called “Computer Fraud and Abuse Act.” The statutory language of the CFAA is incredibly broad, and this allows prosecutors to level extremely broad charges against the smallest of potential infringements.

Among other things, the CFAA makes it illegal to gain access to protected computers “without authorization” or in a manner that “exceeds authorized access.” Unfortunately, the law doesn’t clearly explain what a lack of “authorization” actually means. Creative prosecutors have taken advantage of this confusion to craft criminal charges that aren’t really about hacking a computer but instead target other behavior the prosecutors don’t like.

An infamous example is United States v. Drew, a case in which a woman created a fake MySpace page to taunt a teenage girl. The girl became distraught and committed suicide. No crime made the bullying itself illegal, so prosecutors charged Drew under the CFAA, claiming her fake profile violated MySpace’s terms of use, which made her access to the social networking site’s computers “unauthorized.”

An obvious problem with this argument is that it would mean anyone who runs afoul of a web site’s fine print is a criminal — and many of us intentionally or unintentionally violate those agreements every day. Prosecutors wouldn’t bother filing criminal charges against most of us, of course. But if they wanted to, they would have the leeway to do it under the government’s theory.

The judge ultimately reached the right result, finding that Drew didn’t violate the CFAA just because she breached MySpace’s terms of use.

But other criminal defendants haven’t been so lucky.

The EFF is calling for the CFAA to be reformed, and it should be, in remembrance of Aaron Swartz. You should also sign this White House petition calling for reform.

Computer Fraud and Abuse Act

Several US Courts of Appeals have broadly applied the Computer Fraud and Abuse Act (enacted in the 1980s) in a way that criminalizes activities such as using a computer for purposes that violate an employer’s Internet use policy or violating a website’s terms of service. No reasonable person would view such “violations” as a crime, and these courts have exposed people to needless prosecution.

But now, the Ninth Circuit has brought some sanity. From The Register:

In a highly anticipated test of the Computer Fraud and Abuse Act, the U.S. Court of Appeals for the Ninth Circuit construed the law narrowly Tuesday, saying prosecutors can’t use it to go after someone who checks sports scores from a work computer or fibs on Facebook. The 1984 law is an anti-hacking statute, not a tool to make federal criminals of anyone who violates employer computer policies or a website’s terms of service, the en banc panel said in a 9-2 opinion in U.S. v. Nosal, 10-10038.

“The government’s construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer,” Chief Judge Alex Kozinski wrote for the majority. “This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.”

You can read the decision here.