Since the untimely death of activist Aaron Swartz in January, EFF has been pushing for Congress to reform the Computer Fraud and Abuse Act (CFAA), the law that hands out wildly disproportionate penalties for computer crimes, chills innovation, and potentially turns every computer user into a criminal. And new examples of the CFAA’s dangerous reach continue to make headlines.
As we explained last week, this isn’t just about Aaron. If prosecutors had pursued Steve Jobs, Bill Gates, and Mark Zuckerberg when they were younger with the same zeal they exhibited in going after Aaron Swartz, the three tech giants may have been behind bars instead of creating Apple, Microsoft, and Facebook.
It now seems we may be able to add Twitter co-founder Jack Dorsey to that list of Internet giants. In a profile for 60 Minutes on Sunday, Dorsey recounted a story of the time, as a teenager, he “found a way into the website” by “a security hole.” When 60 Minutes correspondent Lara Logan responded, “is that the same thing as hacking?” Jack calmly explained the difference between criminal hacking and the type of “hacking” done by security researchers, developers, and innovators:
Jack Dorsey: It's-- ha-- yes. Hacking-- hacking is-- hacking is-- is--
Lara Logan: A crime.
Jack Dorsey: Well, no. Criminal hacking is a crime. Hacking is actually a--
Lara Logan: Hacking for a job application is not a crime?
Jack Dorsey: No, no, no, no, no. No, not a crime at all. And I emailed them and I said, "You have a security hole. Here's how to fix it. And I write dispatch software." And--
Lara Logan: And they hired you.
Jack Dorsey: And they hired me a week later. And it was a dream come true, which is a weird dream for a kid.
Under today's CFAA and aggressive prosecution strategy by the Justice Department, Dorsey's dream could've turned into a nightmare. It’s not clear what Dorsey did, but it's likely he accessed a website without “authorization” as part of finding the security hole, and he could have ended up behind bars.
Dorsey's story is just another example of why an impressive array of innovators and tech companies sent a letter to Congress last week explaining how the CFAA hurts competition and innovation, and in turn, is bad for the economy. EFF was proud to work with CDT, Tech Freedom, and the Competitive Enterprise Institute in reaching out to those innovators. You can add your voice to the growing chorus by going to our action center and telling Congress to reform the CFAA.
CFAA Expanded Dramatically Since It First Passed
While the Swartz case brought renewed attention to the law, it has long been abused by prosecutors. And the prosecutors have been aided by Congress, which has made it harsher and harsher over time. As CNET’s Declan McCullagh explained in this excellent and entertaining history of the CFAA, Aaron Swartz “was prosecuted under a law that was never intended to cover what he was accused of doing.”
As McCullagh notes, since it was passed in 1986, when it was intended to protect defense department and university research computers, the CFAA has been expanded “at least nine times... at the urging of the Justice Department—without contemplating how the amendments might eventually sweep in normal activities on the 21st century Internet.” At this point, the law essentially applies “to every computer in the United States.”
The CFAA’s incredible reach was also in the crosshairs of professor Tim Wu’s scathing piece in this week’s New Yorker, where he called the CFAA “the most outrageous criminal law you’ve never heard of” and “a nightmare for a country that calls itself free.” He implored the government that “something must be done” to fix “the worst law in technology,” and urged the Justice Department to act formally to rein in prosecutors even if Congress won’t.
Two Recent Cases Highlight Law's Draconian Punishments and Reach
But this is only one of several significant developments that have occurred in the past few days. First, Reuters journalist Matthew Keys was indicted on Thursday under three counts of the CFAA for allegedly helping members of Anonymous break in and vandalize one article on the LA Times website for half an hour. Given that the damage to the LA Times website was negligible, the maximum sentence of twenty-five years touted in the Justice Department press release has alarmed many who had not heard of the CFAA previously.
The New York Times ran a feature story on the "lightning rod" of a case and how it has sparked more calls for reform. Though the article downplays the significance of the maximum sentence broadcast in the DOJ's press release, EFF’s Hanni Fakhoury noted last week how the “maximums” advertised by the Justice Department do matter in criminal prosecutions—despite the Attorney General’s attempt to convince Congress that they do not.
Meanwhile, a few days after Keys was indicted, Andrew Auernheimer—better known as "Weev"—was sentenced to more than three and a half years under the CFAA. Underscoring the law's draconian nature, he was convicted after someone else wrote a script to collect thousands of iPad owners' email addresses from AT&T, addresses that AT&T had failed to secure. As we explained in January, “Auernheimer's involvement in the ‘hack’ appears to have been primarily telling journalists about the vulnerability after the fact.”
EFF will represent Auernheimer on appeal, along with law professor Orin Kerr and others. Essentially, Weev is facing more than three years in prison because he pointed out that a company failed to protect its users' data, even though his actions didn't harm anyone. This is exactly the type of act that should never be considered a crime.