The Computer Fraud and Abuse Act, also known as the CFAA, is the federal anti-hacking statute that prohibits unauthorized access to computers and networks.
In 1984, the world was just emerging from its digital Dark Age. CompuServe, the world’s first commercial email provider, was still trying to interest users in its fledgling service, and computer viruses and worms were still largely the stuff of engineering-school pranks. But even through the foggy haze of the internet’s early days, lawmakers saw clearly the importance that computers and computer crime would have on society. That’s when Congress enacted the Computer Fraud and Abuse Act, also known as the CFAA. The federal anti-hacking statute prohibits unauthorized access to computers and networks and was enacted to expand existing criminal laws to address a growing concern about computer crimes. But lawmakers wrote the law so poorly that creative prosecutors have been abusing it ever since.
The law, which went into effect in 1986, was passed just in time to be used to convict Robert Morris, Jr., the son of an NSA computer security worker, who unleashed the world’s first computer worm in 1988. Since then, it has been wielded thousands of times to convict high-profile hackers and low-level criminals alike. But as computer crimes have expanded and increased, so have prosecutors’ use and interpretation of the law, stretching it far beyond what it was originally intended to cover. And in 1994 the law moved beyond criminal matters with an amendment that allowed civil actions to be brought under the statute as well. This opened the way for corporations to bring lawsuits for unauthorized access against workers who steal company secrets.
Calls for reform
There have been many calls over the years to reform the CFAA, due to the overzealous nature of prosecutors who have used it—some would say abused it—to charge conduct that critics say does not constitute a true computer crime.
One case in particular was the prosecution of Lori Drew, a then-49-year-old mother who was charged in 2008 for using a fake MySpace profile to cyberbully a teenage girl. Drew was charged with conspiring with her daughter and her daughter’s friend to create the fake MySpace page of a boy in order to draw 13-year-old Megan Meier into an online friendship with the nonexistent boy, then humiliate her. Meier committed suicide, resulting in a public outcry to punish Drew for cyberbullying. But because there was no federal statute against cyberbullying at the time, federal prosecutors adopted a novel interpretation of the CFAA. They charged Drew with “unauthorized access” to MySpace’s computers for creating a fake MySpace account in violation of the web site’s terms of service. The web site’s user agreement required registrants to provide factual information about themselves when opening an account and to refrain from using information obtained from MySpace services to harass other people.
The prosecution turned what would normally have been a civil matter—breaching a contract—into a criminal matter. The case, if successful, would have potentially made a felon out of anyone who violated the terms of service of any website. Fortunately, although a jury convicted Drew (on lesser misdemeanor charges), the judge overturned the conviction on grounds that the government’s interpretation of the CFAA was “constitutionally vague” and overreached the bounds of the law.
Another case involving misuse of the statute also occurred in 2008 when three MIT students were barred from giving a presentation at the Def Con hacker conference. The students had found flaws in the electronic ticketing system used by the Massachusetts Bay Transportation Authority that would have allowed anyone to obtain free rides. The MBTA sought and obtained a temporary restraining order to bar the students from speaking about the flaws. In granting the temporary gag order, the judge invoked the CFAA, saying that information the students planned to present would provide others with the means to hack the system. The judge’s words implied that simply talking about hacking was the same as actual hacking. The ruling was publicly criticized, however, as an unconstitutional prior restraint of speech, and when the MBTA subsequently sought a court order to make the restraining order permanent, another judge rejected the request, ruling in part that the CFAA does not apply to speech and therefore had no relevance to the case.
A high-profile suicide
The most concerted effort to revise the CFAA came after a U.S. attorney used it to launch a heavy-handed prosecution against internet activist Aaron Swartz for what many considered a minor infraction. Swartz, who helped develop the RSS standard and was a cofounder of the advocacy group Demand Progress, was indicted after he gained entry to a closet at MIT and allegedly connected a laptop to the university’s network to download millions of academic papers that were distributed by the JSTOR subscription service. Swartz was accused of repeatedly spoofing the MAC address of his computer to bypass a block MIT had placed on the address he used. Although JSTOR did not pursue a complaint, the Justice Department pushed forward with prosecuting Swartz. U.S. Attorney Carmen Ortiz insisted that “stealing is stealing” and that authorities were just upholding the law.
Swartz, in despair over his pending trial and the prospect of a felony conviction, committed suicide in 2013. In response to the tragedy, two lawmakers proposed a long-overdue amendment to the law that would help prevent prosecutors from overreaching in their use of it. The amendment, referred to as Aaron’s Law, was introduced months after Swartz’s death by Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Oregon). The amendment would exclude breaches of terms of service and user agreements from the law and also narrow the definition of unauthorized access to make a clear distinction between criminal hacking activity and simple acts that exceed authorized access on a minor level. Instead, the amendment proposes to define unauthorized access as “circumventing one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering” information on a protected computer. The amendment also would make it clear that the act of circumvention would not include a user simply changing his MAC or IP address to gain access to a system.
“Taken together, the changes in this draft should prevent the kind of abusive prosecution directed at Aaron Swartz and would help protect other Internet users from outsized liability for everyday activity,” Lofgren wrote on Reddit when she announced the changes. The amendment, however, has withered in Congress and has so far failed to gather the support it needs to get passed.
“This reform only captured the attention of a small group of people. It’s not an issue that resonates with the public—at least yet,” Orin Kerr, professor of law at George Washington University Law School, told Forbes recently.
Some have attributed the amendment’s failure to lobbying on the part of corporations who use it to bring civil suits for theft of corporate secrets and don’t want to see it changed. Others say the problem is its association with Swartz, a figure some members of Congress don’t find sympathetic. Regardless, many say that reform of the CFAA is inevitable; it’s just a question of which case will finally force it to occur.
By Kim Zetter