Law professor and historian Tim Wu has called the Computer Fraud and Abuse Act (CFAA) the “worst law in technology.” The Ninth Circuit Court of Appeals has described the government’s interpretation of it “expansive,” “broad,” and “sweeping.” And Orin Kerr, former federal prosecutor and law professor, has detailed how the government could use it to put "any Internet user they want [in jail]."
So it's pretty surprising to see that now, instead of reining in the CFAA’s dangerous reach, the House Judiciary Committee is floating a proposal to dramatically expand it and is reportedly planning to rush it to the floor of Congress during its April “cyber” week.
The CFAA, of course, is also the computer trespass law that prosecutors misused to hound the late activist and Internet pioneer Aaron Swartz. Aaron’s tragic death resulted in outrage across the political spectrum and led to calls for real reform that would bring the law back to its reasonable purpose of criminalizing malicious computer intrusions, rather than handing out draconian penalties for minor infractions and turning terms of service violations into criminal acts.
So why is the House Judiciary Committee floating a proposal that goes so clearly against the public opinion? Their reasoning is almost hard to fathom.
Techdirt’s Mike Masnick posted a new draft and analysis of the CFAA expansion bill on Monday. The changes are nothing short of outrageous and should brand supporters in Congress as out of touch and downright hostile to the Internet. Users concerned about Internet rights should contact their representatives immediately.
Perhaps the most disturbing aspect: instead of reducing the penalties for crimes that don’t cause much economic damage, it dramatically increases them. For example, Aaron faced four charges under section (a)(4) of the CFAA, which had a maximum sentence of five years each. EFF, Orin Kerr and many others have proposed removing (a)(4) entirely since it creates double penalties for the same behavior criminalized elsewhere in the law. What does the new draft do? It increases the maximum under (a)(4) to twenty years for each charge. As Internet law scholar James Grimmelmann remarked Monday, the thought of Aaron facing more time is “simply obscene.”
The new draft also now turns CFAA violations into a “racketeering” offense, adding yet another layer of charges the DOJ can add to the charge sheet of a hacker it doesn’t like. It also adds a broad conspiracy charge that carries the same penalty for actually committing an offense. Essentially, talking about committing computer crimes without actually doing so can land you in prison.
Most troublingly for innovation and for user empowerment, the bill “clarifies” its definition of “exceeding authorized access” to include accessing information for an “impermissible purpose”—even if you have permission to access the information in the first place. That codifies the misguided idea that any terms of service violation is indeed a crime, effectively undoing good rulings in the 9th and 4th Circuits.
The CFAA already reaches computer intrusions, serious denial of service attacks, password misuse and attacks on national security computers. Those provisions are important. The Department of Justice has more than enough tools it needs to go after real criminals using this law and a host of others—including criminal copyright, trade secrets, identity theft and other laws. It should use those tools rather than coming back to Congress for more, especially now that it's just been caught misusing the law so egregiously in Aaron’s case.
Quite simply, this bill is a nightmare for Internet users' rights. That the House Judiciary Committee would introduce it in the wake of Aaron’s death demonstrates just how out of step they are.
Law professor Orin Kerr agrees, concluding the proposed bill’s language is a “a step backward, not a step forward” and says its meant “to give DOJ what it wants, not to amend the CFAA in a way that would narrow it.”
One thing is clear: Congress is not going to fix the CFAA without an enormous, sustained effort from regular folks to implore them to fix it. In fact, this proposal shows that if we stand silent, they are likely to make it worse. Let’s remind Congress about the last time they decided to go against the wishes of Internet users across the country—CFAA could be SOPA II.
Call your member of Congress and tell them that representing you means that they will work to fix the CFAA, not make it worse. Tell them that the CFAA already carries incredibly harsh penalties for conduct that would be considered a minor crime, or no crime at all, in the physical world. Tell them that the law meant for real criminals, should not also engulf activists, security researchers, innovators, and entrepreneurs.
In the name of Aaron—and the next person to face an overreaching prosecutor harboring a grudge—implore them to fix the CFAA.