Computer Fraud And Abuse Act Reform
After the tragic death of programmer and Internet activist Aaron Swartz, EFF calls to reform the infamously problematic Computer Fraud and Abuse Act (CFAA). In June 2013, Aaron's Law, a bipartisan bill to make common sense changes to the CFAA was introduced by Reps. Lofgren and Sensenbrenner. You can help right now by emailing your Senator and Representative to reform the draconian computer crime law. The CFAA is the federal anti-hacking law. Among other things, this law makes it illegal to intentionally access a computer without authorization or in excess of authorization; however, the law does not explain what "without authorization" actually means. The statute does attempt to define "exceeds authorized access," but the meaning of that phrase has been subject to considerable dispute. While the CFAA is primarily a criminal law intended to reduce the instances of malicious hacking, a 1994 amendment to the bill allows for civil actions to be brought under the statute.
Creative prosecutors have taken advantage of this confusion to bring criminal charges that aren't really about hacking a computer, but instead target other behavior prosecutors dislike. For example, in cases like United States v. Drew and United States v. Nosal the government claimed that violating a private agreement or corporate policy amounts to a CFAA violation. This shouldn't be the case. Compounding this problem is the CFAA's disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient "authorization" can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison. The excessive penalties were a key factor in the government's case against Aaron Swartz, where eleven out of thirteen alleged crimes were CFAA offenses, some of which were "unauthorized" access claims. EFF is championing reforms to the CFAA. These suggestions expand on Zoe Lofgren's terrific draft bill known as Aaron's Law. We will expand on this and address other flaws of the CFAA, as well.
- Proposal Language
- An Overview
- Part 1: No Prison Time For Violating Terms of Service
- Part 2: Protect Tinkerers, Security Researchers, Innovators, and Privacy Seekers
- Part 3: The Punishment Should Fit the Crime
Specific Reasons to Improve the CFAA
- The CFAA Hampers Security Research
- The CFAA Stifles Innovation
- The CFAA Must Allow for Anonymity and Privacy
Initial Suggestions for improving Aaron's Law
Additional Suggestions for improving the Penalty Scheme
EFF Related Content: Computer Fraud And Abuse Act Reform
- Jamie Williams, a lawyer at the Electronic Frontier Foundation, says people no longer live in the world in which CFAA was written. “It didn’t even envision the type of world we live in today, where we use other people’s computers all the time,” Williams said. “Every time I check my...
- Can you imagine being prosecuted for checking personal email while at work because your employer says you can only use your computer for “company business”? Of course not. Violating a company rule is not—and should not be—a computer crime. Prosecutors have tried to use the federal Computer Fraud and...
- Jamie Williams is an attorney for the Electronic Frontier Foundation, a digital rights non-profit. She breaks down the cases and what they mean for letting friends and family use your Hulu password.
- Jamie Williams, a legal fellow and lawyer for the Electronic Frontier Foundation, says the CFAA needs to be amended to clarify what is and isn't a crime, so "prosecutors do not have broad discretion to just go after whatever violation they choose to at any particular point in time for...
- Three judges of the Ninth Circuit Court of Appeals have taken a step back from criminalizing password sharing, limiting the dangerous rationale of a decision issued by a panel of three different judges of the same court last week. That’s good, but the new decision leaves so many...