Security Ranch

February 15, 2021

Computer Fraud and Abuse Act

Filed under: Uncategorized — Ken @ 8:03 pm

The Computer Fraud and Abuse Act (CFAA), otherwise known as 18 U.S.C. §1030, was enacted in 1986. This law superseded the Comprehensive Crime Control Act of 1984. The CFAA was written to address ever-evolving computer crimes and to increase the scope of the regulations. It added tougher criminal sanctions and limited federal jurisdiction to cases that involved the federal government. Since the CFAA was enacted in 1984, it has been amended several times, both directly and through the USA PATRIOT Act. The CFAA has been controversial since it was passed. Several famous cases involving the CFAA have shown some of its weaknesses and strengths. The current version of the Computer Fraud and Abuse Act (18 U.S.C. § 1030) is ineffective in dealing with security researchers and should be amended.

Originally, the CFAA was intended to protect the federal government’s interests by criminalizing certain acts involving computers. This included unauthorized access and trespassing, and language was added to cover altering, damaging, or destroying information. Trafficking in passwords was an additional section that was added. In the 1980s and 90s, the United States was still in a cold war with the Soviet Union, so the targets of the CFAA were hackers and spies.

In 1994 the CFAA was further amended to add civil penalties for violations of the act. The language was also expanded to cover a threat that was new at the time and would come to be known as malware. The specific language was “knowingly causing the transmission of a program, information, code, or command which intentionally causes damage without authorization.” Since 9/11, the CFAA has been amended by the USA PATRIOT Act to increase its scope and penalties. This law is important and very much needed to prosecute hackers and criminals and also to protect companies’ and the government’s physical and intellectual property. However, there are several problems with the language of the law that need to be reformed to prevent abuses.

The CFAA has several problems. The biggest problem is that the language in the CFAA is very vague (Lofgren, 2013). For example, what is “unauthorized access”? Is it accessing a computer or resource on the internet in a way that evades the standard username and password check implemented in code? Alternatively, could it be a violation of a website’s Terms of Service (TOS)? In fact, it is both. The first example is when a hacker uses hacking tools such as password crackers to “crack” the password for a user account and then enters the system “without authorization.” That is an easy one. What if, though, a business or home has an open Wi-Fi network without a password, and your cell phone sees it, logs on automatically, and uses the network without any authorization from the business or family? That is still a felony.

The second example is so common that practically every child commits a crime every time they use the service. Anyone who clicks “agree” on a TOS page without reading the document could be violating the terms. A perfect example is Facebook. To date, a user has to be at least 13 years old to use Facebook. How many children, or parents for that matter, just click agree and create a Facebook account without reading the TOS? They are committing felonies. The age thirteen is significant, however. The Children’s Online Privacy Protection Act (COPPA) protects children under thirteen years old from privacy violations (Graber, 2014).

An excellent example of a court case involving the CFAA through a TOS violation is the case against Lori Drew. In 2008 she was charged with hacking for creating a false account on MySpace to essentially bully a teen girl who had a fight with her daughter. The girl ended up committing suicide. The public was obviously outraged by what happened, but there were no laws on the books for cyberbullying (Zetter, 2014). So the courts charged her with violation of the CFAA.

Another famous case was against Aaron Swartz. Aaron Swartz was a computer genius and child prodigy who was partly responsible for creating the RSS protocols and the Creative Commons licensing framework. He was arrested by the police after breaking into the MIT network and server room to download over four million scholarly articles from JSTOR. He did this using a guest account issued to him by MIT. JSTOR is an online database of digital articles and papers that have been published in academic journals. It is used by universities all over the world, but users must have a subscription to access the database. Even though Swartz reached a deal with JSTOR that dropped their charges, the federal courts still charged him with violating the CFAA. His potential penalties were a one million dollar fine and 34 years of imprisonment (Zetter, 2015). This was because he was prosecuted on thirteen counts of computer crimes, which brings us to the next problem with the CFAA.

Currently, with the way the federal government charges defendants, there is a tendency to overcharge by including every event or account in the charges. So, each time someone accesses an account he or she can be charged with one crime, even if all of the violations happened during the same event or time. Another famous court case involved Fidel Salinas, who was charged with 44 felony counts under the CFAA. Each count carried a potential ten-year sentence. The federal courts counted each time he accessed a victim’s account. After it was all said and done, he only served six months and was fined $10,000.

Despite the bad examples of court cases, there are valid reasons this law exists. The information that is contained on the federal government’s and military’s computers is precious for both privacy and espionage reasons. Unauthorized access to these computers should be prosecuted. The banking, financial, and private sectors also have good reason to be protected. However, as the law stands now and as it has been used, it needs to be amended to resolve some of its vagueness and to change the way the law works so that it cannot be abused.

The Electronic Frontier Foundation (EFF) is a non-profit organization that was founded in 1990 to protect civil liberties in the digital world. It has proposed several changes to the CFAA. The first is to limit the criminal law to actual intrusions and harm. Users should not be sent to prison for violating a website’s TOS. The laws should not be written in a way that allows everyone to violate the law and then lets the company or federal government prosecute only the individuals it wants. Nobody should be able to “cherry pick” whom he or she wants to charge.

The section on trafficking in passwords needs to be amended to prevent anyone from going to prison for sharing their passwords with family or friends. So, those with a Netflix or Hulu account will be safe if they share their passwords with their roommates.

The EFF also proposes eliminating two provisions of the CFAA, §1030(a)(3) and §1030(a)(4) (Cohn, 2013), because of the way they are being used to double charge someone. The first section criminalizes accessing a computer without authorization, and the second section criminalizes “knowingly and with intent to defraud” accessing a computer without authorization. So, someone could be charged under both sections for the same act.

The EFF also proposes making more violations misdemeanors rather than felonies. Felonies carry with them several indirect punishments that make them inappropriate for every violation. An example is people who are not citizens. Even if someone is a lawful permanent resident, he or she could be immediately deported after receiving a felony. Misdemeanor punishments can still be substantial. A judge could sentence someone to one year in jail and a $100,000 fine (Cohn, 2013). This could be more than adequate for most of the violations.

When the original law was enacted in 1986, there was a need for it. It has even been amended several times as technology has become more integrated with life in general. However, the scope of the law has been extended beyond its intent, and it has been abused by both the government and by companies using it to extend punishments, or by throwing as many violations at defendants as possible in hopes of making them plead guilty. Therefore, the Computer Fraud and Abuse Act should be amended to correct these abuses.

References

Cohn, Cindy, & Hofmann, Marcia. (February 2013). Rebooting Computer Crime Law, Part 2: Protect Tinkerers, Security Researchers, Innovators, and Privacy Seekers. Retrieved from https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-law-part-2-protect-tinkerers-security-researchers

Zetter, Kim. (November 2014). Hacker Lexicon: What Is the Computer Fraud and Abuse Act? Retrieved from https://www.wired.com/2014/11/hacker-lexicon-computer-fraud-abuse-act/

Lofgren, Zoe, & Wyden, Ron. (June 2013). Introducing Aaron’s Law, a Desperately Needed Reform of the Computer Fraud and Abuse Act. Retrieved from https://www.wired.com/2013/06/aarons-law-is-finally-here/

Graber, Diana. (October 2014). 3 Reasons Why Social Media Age Restrictions Matter. Retrieved from http://www.huffingtonpost.com/diana-graber/3-reasons-why-social-media-age-restrictions-matter_b_5935924.html

Zetter, Kim. (October 2015). The Most Controversial Hacking Cases of the Past Decade. Retrieved from https://www.wired.com/2015/10/cfaa-computer-fraud-abuse-act-most-controversial-computer-hacking-cases/
