Computer Fraud And Abuse Act Reform
After the tragic death of programmer and Internet activist Aaron Swartz, EFF calls to reform the infamously problematic Computer Fraud and Abuse Act (CFAA). In June 2013, Aaron's Law, a bipartisan bill to make common sense changes to the CFAA was introduced by Reps. Lofgren and Sensenbrenner. You can help right now by emailing your Senator and Representative to reform the draconian computer crime law. The CFAA is the federal anti-hacking law. Among other things, this law makes it illegal to intentionally access a computer without authorization or in excess of authorization; however, the law does not explain what "without authorization" actually means. The statute does attempt to define "exceeds authorized access," but the meaning of that phrase has been subject to considerable dispute. While the CFAA is primarily a criminal law intended to reduce the instances of malicious hacking, a 1994 amendment to the bill allows for civil actions to be brought under the statute.
Creative prosecutors have taken advantage of this confusion to bring criminal charges that aren't really about hacking a computer, but instead target other behavior prosecutors dislike. For example, in cases like United States v. Drew and United States v. Nosal the government claimed that violating a private agreement or corporate policy amounts to a CFAA violation. This shouldn't be the case. Compounding this problem is the CFAA's disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient "authorization" can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison. The excessive penalties were a key factor in the government's case against Aaron Swartz, where eleven out of thirteen alleged crimes were CFAA offenses, some of which were "unauthorized" access claims. EFF is championing reforms to the CFAA. These suggestions expand on Zoe Lofgren's terrific draft bill known as Aaron's Law. We will expand on this and address other flaws of the CFAA, as well.
- Proposal Language
- An Overview
- Part 1: No Prison Time For Violating Terms of Service
- Part 2: Protect Tinkerers, Security Researchers, Innovators, and Privacy Seekers
- Part 3: The Punishment Should Fit the Crime
Specific Reasons to Improve the CFAA
- The CFAA Hampers Security Research
- The CFAA Stifles Innovation
- The CFAA Must Allow for Anonymity and Privacy
Initial Suggestions for improving Aaron's Law
Additional Suggestions for improving the Penalty Scheme
EFF Related Content: Computer Fraud And Abuse Act Reform
- Terms-of-service agreements, which most Internet users consent to without even knowing it, do not explicitly ban pair testing. Rather, they ban the techniques that underlie it. CareerBuilder, the site that Villarreal used to look for work, has rules against providing false personal information and engaging in scraping, a method of...
- Imagine being convicted of a crime for logging into a friend's social media account with their permission? Or for logging into your spouse’s bank account to pay a bill, even though a pop-up banner appeared stating that only account holders were permitted to access the system? The Ninth Circuit Court...
- Date:Fri, 08/26/2016
- Date:Fri, 08/19/2016
- “If you make it illegal for bots to access websites, you’ve given existing search engines a monopoly,” EFF staff attorney Nate Cardozo told TechCrunch. “Google and Bing got started by crawling the entire web. That’s essentially what LinkedIn is talking about here. To call scraping a CFAA violation is extremely...