In the wake of social justice activist Aaron Swartz's tragic death, Internet users around the country are taking a hard look at the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. As we've noted, the CFAA has many problems. In this three-part series, we're exploring these problems in detail and giving more explanation of our suggested fixes. For more details about our proposal for CFAA reform, see part 1 and part 2.
As we've noted before, we suggest four basic penalty changes to the CFAA.1 As Aaron's case indicated, the CFAA's current broad language and draconian penalty scheme allow overreaching prosecutors to abuse their discretion. This can turn minor incidents with no real harm into serious criminal prosecutions, with the threat of long prison sentences and the consequences that go along with a felony conviction—like not being able to vote.
Our suggested changes aren't a get-out-of-jail-free card for computer criminals. Computer crime can be serious and law enforcement should properly investigate and prosecute those who use computers to cause financial harm and violate the privacy of others. But at the same time, punishments should fit crimes.
Our full reform proposal (which is still a work in progress) attempts to ensure the CFAA isn't used to target innovative uses of technology or violations of contractual restrictions, but still retains enough measured and proportionate punishment to deter malicious criminals. If we were able to start from scratch, we might change the law even more, but starting from the current CFAA we've suggested some modest amendments even the most anti-crime Congressperson should be able to support. Specifically on penalties, we suggest:
1. Computer Crime Law Should Not Double-Count Offenses
Along with former federal prosecutor and law professor Orin Kerr, we've suggested eliminating two provisions of the CFAA—§§ 1030(a)(3) and 1030(a)(4)—because they're duplicative of other offenses in the statute. Section 1030(a)(3) criminalizes accessing without authorization either (1) a computer used exclusively by the federal government or, (2) a computer used by the government in a way that affects the government's use of the computer. Meanwhile, § 1030(a)(4) makes it a crime to "knowingly and with intent to defraud" access a computer without authorization and obtain something of value as a result.
Striking these provisions is a good idea because the CFAA already criminalizes the same behavior elsewhere in the statute. Section 1030(a)(2)(B) says it's a crime to access a computer without authorization and obtain information from a department or agency of the United States, or access without authorization any "protected computer," a term defined so broadly that it reaches pretty much any computer. Plus, the conduct prohibited in § 1030(a)(4) is also prohibited by the wire fraud statute, 18 U.S.C. § 1343, which makes it illegal to use a wire communication to execute a fraudulent scheme. These duplicative sections allow prosecutors, as they did in Aaron's case, to stack up multiple charges against him for the same actions and thereby ratchet up the potential penalties.
Both § 1030(a)(2) and the wire fraud statute carry penalties that are just as serious as the two provisions of the CFAA that we support eliminating. In fact, the wire fraud statute has an even higher maximum punishment—20 years—than § 1030(a)(4).
Aside from § 1030(a)(2) and § 1343, there are plenty of other statutes that can be used to punish computer crime. For example, an employee who uses his computer credentials to get into a corporate computer to copy sensitive corporate information can still be charged with misappropriation of trade secrets under 18 U.S.C. § 1832. Anyone who improperly gains access to social security numbers and provides them to an identity theft ring can be prosecuted under the identity theft statute, 18 U.S.C. § 1028, as well as potentially the aggravated identity theft statute in 18 U.S.C. § 1028A, which has a two-year mandatory minimum sentence that must run consecutive to any other charges. And a person who knowingly trafficks in stolen passwords for an online bank account can be charged with trafficking in a stolen access device under 18 U.S.C. § 1029.
2. "Repeat" Offenses Should Trigger Harsher Punishments Only if They Happen After a Prior Conviction
The CFAA currently imposes harsher penalties on individuals who violate the CFAA "after a conviction" for another CFAA offense. This makes sense: people who haven't learned their lesson the first time should be punished more harshly the second time. But because of the Supreme Court's decision in Deal v. United States, prosecutors and courts can leverage the same course of conduct in an indictment into multiple counts, thus increasing maximum penalties. That's precisely what happened to Aaron. In his first indictment, he was charged with four counts, facing a theoretical maximum punishment of 35 years, according to the government. But prosecutors later filed a superseding indictment, stretching those four counts into thirteen, meaning the additional CFAA counts were treated as repeat offenses although they were based on one course of conduct: accessing JSTOR over several days. And in turn that increased the maximum punishment to 50 years.
Our proposed changes would ensure that offenses actually have to happen after a person has been convicted and his sentence has been served before triggering the CFAA's harsher penalties for repeat offenders.
3. We Should Punish More Computer Crime Offenses as Misdemeanors, Which Still Have Serious Consequences
Although "felony" and "misdemeanor" are words that have entered the popular lexicon, they're often misunderstood. A "misdemeanor" refers to a crime that has a maximum punishment of one year or less. A "felony" can be punished by more than one year in prison.
EFF's proposal would make most offenses with little economic harm into misdemeanors instead of felonies, so that low-impact offenses that aren't coupled with other criminal behavior would still be criminally punished, but not effectively ruin someone's life.
Obviously, felony punishment should be reserved for more serious crimes. That's because in addition to longer prison sentences, felony convictions have major consequences, including the loss of the right to own a firearm and a loss of the right to vote in some states. Some felony convictions—including those involving fraud or deceit in which the loss to the victim exceeds $10,000—can get non-U.S. citizens automatically deported. Beyond this is the tremendous social stigma that comes with the label of "convicted felon." It's tougher to get a job or a mortgage or get financial aid for school with a felony conviction on your record.
That's why the CFAA's felony punishments should apply only to more egregious behavior.
But that doesn't mean individuals who commit minor violations of the CFAA that only rise to the level of a misdemeanor escape without punishment. A judge could still sentence a defendant convicted of a misdemeanor CFAA crime with up to one year in jail, as well as a fine up to $100,000. Misdemeanor defendants are also subject to a one-year term of supervised release following their release from custody. While on supervised release, defendants are under the supervision of a probation officer, who may require a defendant to report to a probation office weekly, restrict their ability to use a computer or access certain websites, and submit to home visits and drug testing. In some states, including California, individuals convicted of misdemeanors are stripped of their Fourth Amendment rights. Violations of supervised release conditions can land the person right back into jail. If the court wants to extend the period of supervision for a person convicted of a misdemeanor, rather than impose a prison term, the court can place the person on probation for up to five years, subject to strict conditions and the threat of a one year jail sentence looming over their head for violating probation.
Losing your freedom for a year is a big deal and probation terms can be onerous, especially for someone just starting out in life and beginning a career. Misdemeanors are serious, but can hopefully deter someone from heading down the wrong path without having a disastrous effect on the rest of their lives.
Under our proposal, felony punishments would still remain for those who:
- gain unauthorized access to a computer for commercial advantage or private financial gain where the fair market value of the information obtained exceeds $10,000;
- gain unauthorized access to a computer in furtherance of another felony, including identity theft, trade secrets, criminal copyright infringement or stealing classified government information;
- cause damage to a computer if the damage (1) impairs medical diagnosis or treatment, (2) results in physical injury to any person, (3) creates a threat to public health or safety, (4) affects a U.S. Government computer used in the administration of justice, national defense, or national security, or (5) is done for commercial advantage or private financial gain and causes loss of more than $10,000.
Those convicted of these felony offenses will face a longer potential prison sentence starting from five years and going up from there, up to $250,000 in fines, and longer periods of supervised release following their reintegration into society. Plus, felony punishments would also apply to individuals who've previously been convicted of violating the CFAA in a separate case.
If we truly want to fix the CFAA, we need to ensure that the law's penalties are actually proportionate to the wrongdoing they're meant to punish. Please join EFF in calling on Congress to pass fix the CFAA by sending an email to your elected representatives now.
- 1. We also suggest removing the provision of the CFAA that ties civil liability and criminal liability together, something Professor Kerr advocates as well. Civil CFAA claims are generally redundant of other causes of action like breach of contract or trade secrecy. More importantly, much of the overreach of the CFAA comes from the broad interpretation of the law in civil cases that then creates broad criminal liability.