In the wake of social justice activist Aaron Swartz's tragic death, Internet users around the country are taking a hard look at the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. In addition to the below overview, we have a three part series explaining these problems in detail and why they need to be fixed. For more details about our proposal for CFAA reform, see part 1, part 2, and part 3.
In the wake of Aaron Swartz's tragic death this month, EFF has been working with a coalition of legislative staffers and experts on the Computer Fraud and Abuse Act (CFAA) to finalize a proposal for changes that would make major improvements to the law. We've written a series of posts outlining our ideas as they've developed, but that analysis has built on the foundation of the intricacies of the law. Here are the three areas of the CFAA that we've zeroed in on. We believe it's critical to fix them immediately.
No Criminal Exposure for Violating Private Agreements or Duties
Violations of contractual obligations like a website's terms of service must not be the basis for criminal charges. The original "Aaron's Law" proposal from Rep. Zoe Lofgren focused exclusively on this issue, and was based on a bi-partisan bill first introduced by Senators Franken, Lee and Grassley. In two recent cases, federal circuit courts have decided that simple violations of computer use policies and duties of loyalty are not criminal activities. Rep. Lofgren has asked for those holdings to be codified into law, and we agree.
Put simply, there should be no criminal penalties for violating the fine print written by a website or service. Users may face civil liability for violating those terms, or even criminal liability if they go on to do worse things like destroy data. But it is dangerous for a private one-sided contract to be enforceable upon punishment of severe criminal penalties at a prosecutor's whim.
If You're Allowed to Access Information, Doing it in an Innovative Way Shouldn't Be a Crime
As the CFAA is written today, users can expose themselves to criminal liability if they are authorized to access data, but do so while engaging in commonplace "circumvention" techniques like changing IP addresses, MAC addresses, or browser User Agent headers. But these "circumvention" activities can have great benefits: they can help protect privacy, ensure anonymity, and aid in testing security. Furthermore, technical barriers are sometimes put into place not to protect data or computers from intrusion at all. Quite often they are an accidental result of misconfigured servers or network equipment.1
Apart from these accidents, technological barriers increasingly serve purposes far removed from preventing computer intrusion, such as giving people in one location a better price than people in another and blocking competitors from seeing information otherwise available to the general public. EFF's proposal would clarify that if access to data is already authorized, gaining that access in a novel or automated way is not a crime.
For more details on these first two proposals, see our public discussion draft.
Make Penalties Proportionate to Offenses
As a general principle, minor violations of the CFAA should be punishable with minor penalties. As the law is currently written, first-time offenses can be too easily charged as felonies instead of misdemeanors. Our proposal would fix that.
Furthermore, several sections of the CFAA are redundant with other parts of the law, which lets prosecutors "double dip" to pursue multiple offenses based on the same behavior. And the stiff penalties for "repeat" offenses can be used to dole out harsher punishment for multiple convictions based on the same conduct. Our proposal would ensure that prosecutors can't count the same actions more than once to ratchet up the pressure for a plea bargain by threatening a defendant with decades of jail time.
For more details on our proposals around penalties, see our proposed legislative language.
Since the death of Aaron Swartz, we have seen a number of groups propose fixes to the CFAA. It's encouraging to see that energy focusing on a law that has for years been dangerously vague and subject to prosecutorial misuse. We feel very strongly that no proposal is complete until it addresses these three areas. Please tell your legislators that you support these changes to the CFAA.
- 1. Typical examples might include a webserver which incorrectly parses User Agent strings and blocks clients with "unsupported browsers"; false-positive triggers from reactive Intrusion Detection Systems; innocent users who are affected by IP blocks targeted at other people (Wikipedia editors have often experienced this problem); or authorized network users with new devices whose MAC addresses are blocked by default.