In our first post, we presented some initial thinking about how to fix the Computer Fraud and Abuse Act (CFAA) and wire fraud law in light of the tragic prosecution of Aaron Swartz.
Now we present part two: suggestions to address the CFAA's penalty structure. The CFAA, which is the primary federal computer crime law, allows for harsh punishments and makes too many offenses felonies. The statute is also structured so that the same behavior can violate multiple provisions of the law, which prosecutors often combine to beef up the potential penalties.
So once again we're showing our work, even as we continue to tinker. And again, we would like to thank ACLU, CDT, and Jennifer Granick of Stanford's Center for Internet and Society and others who helped us draft these proposed changes, although given the press of time, we still don’t have endorsement from anyone but EFF yet. Please do join the conversation, let us know what you think, and tell us if you have other proposals or suggestions for changing the language.
Here's a summary of our proposal.
We suggest revising the concept of unauthorized access to a computer, which is a key part of several CFAA offenses, and we offer some explanations.
a) We basically took up former DOJ attorney and law professor Orin Kerr's suggestion that the CFAA should just do away with the phrase "exceeds authorized access" and define for the first time access "without authorization." This definition should encompass all conduct considered "unauthorized." This makes the statute simpler, more streamlined, and helps to make it consistent with rulings from two federal appeals courts, the Fourth Circuit (PDF) and Ninth Circuit. Note that we don't agree with all of Professor Kerr's commentary on Aaron's case, but his suggestions for reforming the CFAA are generally sound.
b) We also clarified the definition of "without authorization" to make sure the CFAA doesn't penalize people who have permission to access data but use light technical workarounds to access that data in an innovative way. Since many of these techniques, such as changing IP addresses, have general application to protect the privacy of the user, they should not be cause to charge a felony.
We also adopt two major penalty changes suggested by Professor Kerr.
a) Remove two offenses in the CFAA, 18 U.S.C. §§ 1030 (a)(3) and (a)(4), which are repetitive of other prohibitions in the law. These provisions serve only to give prosecutors more power to ratchet up penalties based on the same behavior and put more pressure on a defendant. (These changes will cause renumbering throughout the statute.)
b) Remove the provision of the CFAA that allows litigants to bring civil causes of action. Civil CFAA claims are generally redundant of other causes of action, like breach of contract or trade secrecy. This change would also prevent judicial interpretations of the CFAA in civil cases from creating precedent in criminal cases—where defendants stand not only to pay damages, but actually go to prison.
In addition, we also suggest changing the following:
c) Require repeat offenses to actually be subsequent offenses, thus stopping prosecutors from leveraging the same course of conduct into a "repeat" offense to try to make penalties more severe.
d) Make first-time offenses misdemeanors unless they are done for commercial advantage, private financial gain in excess of $10,000, or the offense is committed in furtherance of a felony.
Obviously the prosecution of Aaron reflected profound problems with the criminal justice system far beyond the CFAA, including the incentives for prosecutors to pursue charges as aggressively as possible to try to make a defendant plead guilty. Nonetheless, we hope that, as part of honoring Aaron's legacy, we can ensure the CFAA no longer provides the government with the discretion to charge nearly any American who uses the Internet with a felony at prosecutors' whim.