December 30, 2011 | By Marcia Hofmann

2011 in Review: Hacking Law

As the year draws to a close, EFF is looking back at the major trends influencing digital rights on 2011 and discussing where we are in the fight for free expression, innovation, fair use, and privacy.

EFF has long been concerned about the Computer Fraud and Abuse Act (CFAA), a federal law that allows people to be sued civilly and charged criminally with a host of anti-hacking offenses. 2011 has been a landmark year for prosecutions under the statute, with the feds pursuing aggressive, high-profile cases against members of Anonymous and LulzSec, as well as open access advocate Aaron Swartz.

Among other things, the CFAA makes it illegal to "intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer." Courts have struggled to figure out exactly what this hopelessly vague provision means. Over the past few years, private companies and the government have argued for a broad interpretation that would make it illegal to access computers in violation of private agreements like employment policies or website terms of use—the long, one-sided documents that users often "agree" to without ever having read. This is a bad idea because it would give companies great coercive power to criminalize behavior they don't like, harming the interests of consumers and innovation.

Some companies tried to push the law far beyond its limits again in 2011. In Sony v. Hotz, a case that eventually settled, Sony claimed that users violate the CFAA when they access their own video game consoles in ways Sony doesn't like. And in Lee v. PMSI, Inc., a company struck back against a former employee who filed suit for wrongful termination, unsuccessfully arguing that she violated the CFAA by spending too much time surfing the Internet at work in violation of company policy.

But the long-running debate over the scope of the CFAA took a troubling twist when a three-judge panel of the Ninth Circuit decided in United States v. Nosal that employees break the law when they use their work computers for purposes that violate a company's computer use policy—a decision with potentially serious implications for Internet users who violate terms of use. The court recently reheard the case en banc and is considering whether to change the result.

As these cases unfolded in the courts, the Obama Administration pushed to expand the scope of the CFAA and enhance penalties, which is a dangerous move when it's so unclear what the law criminalizes. Thankfully, Senators Grassley, Franken and Lee introduced a proposal to clarify that it's generally not a crime to violate website terms of service or acceptable use policies. Though we think the amendment could be even better, it's a step in the right direction and we hope the Senate passes it in 2012.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

The clock is ticking on Section 215 sunset, but the Senate is in stalemate on NSA spying powers: https://eff.org/r.tpwa

May 22 @ 10:58pm

BREAKING: At the behest of @SenateMajLdr, the Senate will meet Sunday, May 31st in the afternoon, mere hours before Section 215 expires.

May 22 @ 10:20pm

BREAKING: Senator Rand Paul objecting to even one more day of extending Section 215.

May 22 @ 10:08pm
JavaScript license information