Our Fight to Rein In the CFAA: 2015 in Review

DEEPLINKS BLOG
December 26, 2015

One of the most frustrating things about law is how slowly it changes, leaving courts to apply old laws to facts that Congress never anticipated. That’s certainly the case with the Computer Fraud and Abuse Act (CFAA)—the federal “anti-hacking” statute, which was passed back in 1986 and is notoriously out of touch with how we use computers today. This year has seen some minor victories for the CFAA, but we still have a long way to go.

The CFAA makes it illegal to intentionally access a "protected computer"—which includes any computer connected to the Internet—without authorization or in excess of authorization. But it doesn’t tell us what "without authorization" means. This has given overzealous prosecutors broad discretion to bring criminal charges under an anti-hacking statute for behavior that in no way qualifies as “hacking.”

Unfortunately, like every other year, this year has seen prosecutors pursuing trumped-up and politically motivated CFAA charges. The most well known of this year’s convictions is probably the case of journalist Matthew Keys, who was charged and convicted of three felony counts under the CFAA as a result of what would amount to low-level vandalism in the physical world. Keys, who will be sentenced in January, faces up to 25 years in federal prison—even while a prosecutor on the case publicly acknowledged that “[t]his is not the crime of the century.” It’s also likely not what Congress had in mind when it passed the CFAA.

We’ve been pushing for CFAA reform for years as a result of such abuse of prosecutorial discretion. And this year Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Ore.) reintroduced legislation—dubbed “Aaron’s Law” in honor of Internet hero Aaron Swartz—aimed at reining in some of that discretion. The law would have limited both the CFAA’s steep penalties and prosecutors’ ability to bring duplicate charges for what amounts to the same conduct, and it would have ensured that people could not face criminal liability for violating terms of service or other contractual agreements. 

That legislation didn’t make it through Congress this year, but we did manage to fend off a dangerous "reform" that would have taken things in the opposite direction—reform which Sen. Sheldon Whitehouse tried to slip through Congress via an amendment to the already-terrible Cybersecurity Information Sharing Act of 2015 (CISA). The amendment would have only increased—not alleviated—the CFAA’s harshness, overbreadth, and confusion. And it would have potentially chilled important security research by expanding the statute’s password trafficking prohibition to include any “means of access.”

Thankfully, the amendment was not ultimately included in the bill—a fact Sen. Whitehouse blames on the "pro-botnet" caucus. We like to think it had something to do with the many emails from our supporters opposing it.

We’ve also been fighting the CFAA in court. We convinced the Second Circuit Court of Appeals to join the Fourth and Ninth Circuit Courts of Appeal in ruling that violations of private use restrictions cannot give rise to CFAA liability, widening the circuit split on the issue. The court took to heart our warning that the government’s expansive interpretation of the law would turn millions of innocent individuals into criminals on the basis of innocuous online behavior, like violating an employer’s computer use policy. The court recognized that prosecutors should not enjoy such broad discretion, stating that “[w]hile the Government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters.”

We also argued before the Ninth Circuit in Facebook v. Power Ventures, urging the court to overrule a district court’s determination that merely designing a computer program to have the capacity to bypass an IP address block is a violation of the CFAA. As Law Professor Orin Kerr argues in a forthcoming law review article, bypassing an IP address block is routine online behavior and should not give rise to CFAA liability. The case was brought by Facebook back in 2008 under the CFAA’s provision allowing private computer owners to bring civil CFAA causes of action, and it’s a prime example of how judicial interpretations of the law in civil cases can have disastrous effects on the scope of criminal law. 

And we are still waiting for a decision from the Ninth Circuit in another CFAA case argued this year, U.S. v. Nosal (up in the Court of Appeals for the second time), which addresses whether password sharing is a crime. We filed an amicus brief in the case late last year arguing that it’s not. We expect a decision from the court sometime next year. 

With the Second Circuit joining the Fourth and Ninth Circuits in limiting the scope of the CFAA, we’ve certainly seen some progress this year. But CFAA reform is still desperately needed. And it’s scary to think that some representatives in Congress actually think this draconian law needs to be expanded, rather than curtailed. Next year, we will continue our fight to rein in the CFAA—both in Congress and in the courts—and we hope to see even more progress despite the efforts there will surely be to undo what we’ve already accomplished. Please add your voice to the fight.

This article is part of our Year In Review series; read other articles about the fight for digital rights in 2015.