Our Fight to Rein In the CFAA: 2016 in Review
Laws enacted out of fear, not facts, are a recipe for disaster. That’s what happened with the Computer Fraud and Abuse Act (CFAA)—the federal statute that makes it illegal to break into computer systems to access or alter information. The law’s notoriously vague language has confused courts, chilled security research, and given overzealous prosecutors broad discretion to bring criminal charges for behavior that in no way qualifies as breaking into a computer. And it’s out of touch with how we use computers today. We were hard at work in 2016 pushing courts to limit the CFAA to what Congress intended and advocating for reform that would rein the law back in. We’ve seen some minor victories as well as a few setbacks, but we anticipate a big fight next year against efforts to expand the law without correcting its many problems. We stand ready.
The CFAA was passed back in 1986—in the very early years of the Internet, long before the vast majority of people were even using email—after a House of Representatives report cited WarGames, a 1983 techno thriller staring Matthew Broderick and Ally Sheedy, as a "realistic representation of the automatic dialing and access capabilities of the personal computer." And because Congress was trying to solve a problem it didn’t fully understand, it gave us a law with incredibly vague language. The CFAA makes it illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—“without authorization” or in excess of authorization. But it doesn’t tell us what “without authorization” means. This language is so vague that, if not applied narrowly, it could criminalize routine online behavior like checking the weather while at work or using a family member’s Netflix password.
A few years back, the U.S. Ninth Circuit Court of Appeals clarified that terms of service violations—like using a work computer for personal reasons or creating a Facebook account with anything other than your real name—cannot give rise to CFAA liability. Two other circuit courts, the Second Circuit and Fourth Circuit, have since followed suit, along with numerous district courts across the country. But this year, we learned that even though the three most recent federal circuit courts to address the issue agree, federal prosecution guidelines still recommend pursuing an overbroad and constitutionally suspect interpretation of the statute in any jurisdiction that hasn’t explicitly rejected it. The government released the guidelines in a pending ACLU lawsuit, which challenges the CFAA on First Amendment grounds for chilling research into online discrimination. The guidelines make one thing clear: our fight against the government’s problematic interpretation of the CFAA is far from over. And we’re prepared to go to court to continue this fight.
Password sharing and the CFAA also came to a head in 2016. The Ninth Circuit issued two troubling decisions in July with reasoning that threatened to criminalize routine password sharing. We filed an amicus brief in both cases, U.S. v. Nosal and Facebook v. Power Ventures, urging the court to reconsider these dangerous holdings en banc. In our briefs, we pointed out how the two decisions, written by two different three-judge panels, were inconsistent not only with each other, but also with CFAA precedent and sound public policy. While the court declined to reconsider either case, both panels revised their decisions, attempting to walk back their holdings by clarifying that the decisions were limited to the “stark” facts before them. They say they really, really didn’t mean to criminalize all password sharing, just the particular instances of password sharing at issue in these cases—where both defendants had received “particularized notice” that the computer owner had “affirmatively revoked” their authorization to access the computers at issue. But because neither panel actually modified the flawed reasoning underlying these opinions, both cases still raise a host of questions about how the CFAA will be applied to password sharing and other types of terms of service violations in the future. We’ll be fighting to ensure that that the CFAA, a law meant to target computer break-ins, is not turned into a mechanism for enforcing terms of service violations across the board, and that these cases are limited to the very specific facts at issue—just as the judges said they should be. We’ll also keep advocating for reform clarifying that the CFAA is not and was never intended to be a massive computer misappropriation statute.
We also fended off yet another legislative proposal in 2016 that would have taken CFAA reform in the wrong direction. It was called the Botnet Prevention Act of 2016 and ostensibly directed at stopping botnets. But it was vague, its prohibitions were covered by existing law, and it would have empowered government officials to obtain court orders to force companies to “hack” computer users for a wide range of activity completely unrelated to botnets. Botnet, a portmanteau of “robot” and “network,” refers to a network of private computers or devices infected with malicious software and controlled without the owner’s knowledge. It appears that folks in Congress are worried about botnets. And there is some cause for concern, as illustrated by the Mirari botnet that took over insecure Internet of Things devices and “broke the Internet” in September. But the way to protect against the threat of botnets is by bolstering security research—not by passing yet another vague, fear-based law that would exacerbate the CFAA’s harshness, overbreadth, and confusion, and only further chill the important security research that will keep us all safe.
Because some representatives in Congress seem to think that expanding the CFAA is the way to address all of our “cyber” problems, we expect a fight on the horizon against further proposals to make this draconian law worse. Keep your ears open in 2017. We’ll need your help to reign in the CFAA—and to fight back against the same type of fear-based proposals that got us here in the first place.
This article is part of our Year In Review series. Read other articles about the fight for digital rights in 2016.