Calling All Engineers and Technologists: We Need Your Help to Reform the CFAA
Calling Internet engineers and technologists!
We need you to help fix the Computer Fraud and Abuse Act (CFAA)—the law used to prosecute the late activist and Internet pioneer Aaron Swartz. Specifically, we need you to start a conversation within your company about supporting CFAA reform.
The CFAA broadly criminalizes accessing a computer without or in excess of "authorization"— a vague term that is followed up by extremely harsh penalties. The law threatens technologists, developers, researchers, and others who tinker with software, conduct security research, or engage in many other kinds of innovation. Companies have used the CFAA to seek criminal charges against employees for violating employee contracts. In fact, the Justice Department has argued that anyone who violates a term of service could be committing a crime that can potentially carry many years of prison time.
After the tragic death of Aaron, who was aggressively prosecuted under the law, EFF and a number of organizations put together some proposed fixes to the CFAA that would bring a measure of sanity to computer crime law. But meanwhile, the House Judiciary Committee has floated a backwards proposal that would actually make the law worse.
We need your help. We need people who understand how technology works and how innovation happens to stand up to fix this law. We especially need tech companies and technologists to join us. Unfortunately, many lawyers and policy staffers at tech companies support the currently overbroad CFAA, or see fixing it as unimportant. Some are even working to make it worse. Some companies like the CFAA because it lets them call the cops on employees who disobey workplace policies.
If we're going to fix the CFAA, tech companies need to join in the fight on the right side. To get there, they need to hear from their valued employees about why the CFAA must be reformed. That means you.
If you work for a technology company, here's the challenge: Start the conversation about CFAA reform in your company. Figure out how best to do it—talk to your boss, talk to your CEO, talk to your policy team. Talk to the lawyers. Get the conversation started, and let them know that technologists need hacking laws to be sane, clearly bounded, and narrower than their current sprawling scope.
Urge your company to support CFAA reform that helps, not hurts, technologists, developers, researchers and consumers. Here are some points to bring up:
- The CFAA threatens reverse engineering and interoperability. Technologists know that making computer programs and services work well with each other requires access and experimentation. This kind of tinkering or "hacking" (as coders often describe our work) is part of innovation. But right now, the law treats these acts the same as those who steal information break into private computers or commit other malicious acts. Let your company know that its ability to innovate in the future may be at risk unless the CFAA is fixed.
- The CFAA makes routine actions of tinkerers, security researchers, innovators, and privacy seekers illegal. The line between "tinkering" and "hacking" is often a blurry one. Software engineers have a history of working their way around technical measures aimed at identification, tracking, or preventing interoperability with other programs and services. But like interoperability, the law treats those technologists like thieves.
- The CFAA criminalizes everyday violations of a websites' terms of service. The way the DOJ interprets the law now, anyone who lies about their age on Facebook or goes to many news websites while under 18 years old could suffer criminal penalties. Similarly, CFAA cases have also been brought against employees who violate their employers' policies and customers who breach software licenses.
- The CFAA's draconian penalty scheme and prison time are wildly out of proportion. Having laws that are available to prosecute serious and destructive computer intrusions is one thing, but such laws cannot have vague and indiscriminate scope. Too often, minor incidents with no real harm lead to threats of years of prison time. The punishment, in other words, should fit the crime.
This law directly affects the programming community. It's time for us to step up in response. Demand that your company support strong CFAA reform that fixes—instead of exacerbates—the problems.
For more information, visit our issue page on the CFAA.
We want to hear from you. Tell us how it went at firstname.lastname@example.org