Part 2: EFF's Additional Improvements to Aaron's Law
In our first post, we presented some initial thinking about how to fix the Computer Fraud and Abuse Act (CFAA) and wire fraud law in light of the tragic prosecution of Aaron Swartz.
Now we present part two: suggestions to address the CFAA's penalty structure. The CFAA, which is the primary federal computer crime law, allows for harsh punishments and makes too many offenses felonies. The statute is also structured so that the same behavior can violate multiple provisions of the law, which prosecutors often combine to beef up the potential penalties.
So once again we're showing our work, even as we continue to tinker. And again, would like to thank ACLU, CDT, and Jennifer Granick of Stanford's Center for Internet and Society and others who helped us draft these proposed changes, although given the press of time, we still don’t have endorsement from anyone but EFF yet. Please do join the conversation, let us know what you think, and tell us if you have other proposals or suggestions for changing the language.
Here's a summary of our proposal.
We suggest revising the concept of unauthorized access to a computer, which is a key part of several CFAA offenses, plus offer some explanations.
a) We basically took up former DOJ attorney and law professor Orin Kerr's suggestion that CFAA should just do away with the phrase "exceeds authorized access" and define for the first time access "without authorization." This definition should encompass all conduct considered "unauthorized." This makes the statute simpler, more streamlined, and helps to make it consistent with rulings from two federal appeals courts, the Fourth Circuit (PDF) and Ninth Circuit. Note that we don't agree with all of Professor Kerr's commentary on Aaron's case, but his suggestions for reforming the CFAA are generally sound.
b) We also clarified the definition of "without authorization" to make sure the CFAA doesn't penalize people who have permission to access data but use light technical workarounds to access that data in an innovative way. Since many of these techniques, such as changing IP addresses, have general application to protect the privacy of the user, they should not be cause to charge a felony.
We also adopt two major penalty changes suggested by Professor Kerr.
a) Remove two offenses in the CFAA, 18 U.S.C. §§ 1030 (a)(3) and (a)(4), which are repetitive of other prohibitions in the law. These provisions serve only to give prosecutors more power to ratchet up penalties based on the same behavior and put more pressure on a defendant. (These changes will cause renumbering throughout the statute.)
b) Remove the provision of the CFAA that allows litigatants to bring civil causes of action. Civil CFAA claims are generally redundant of other causes of action, like breach of contract or trade secrecy. This change would also prevent judicial interpretations of the CFAA in civil cases from creating precedent in criminal cases—where defendants stand not only to pay damages, but actually go to prison.
In addition, we also suggest changing the following:
c) Require repeat offenses to actually be subsequent offenses, thus stopping prosecutors from leveraging the same course of conduct into a "repeat" offense, to try to make penalities more severe.
d) Make first-time offenses misdemeanors unless they are done for commercial advantage, private financial gain in excess of $10,000, or the offense is committed in furtherance of a felony.
Obviously the prosecution of Aaron reflected profound problems with the criminal justice system far beyond the CFAA, including the incentives for prosecutors to pursue charges as aggressively as possible to try to make a defendant plead guilty. Nonetheless, we hope that, as part of honoring Aaron's legacy, we can ensure the CFAA no longer provides the government with the discretion to charge nearly any American who uses the Internet with a felony at prosecutors' whim.
Recent DeepLinks Posts
May 2, 2015
May 1, 2015
May 1, 2015
May 1, 2015
May 1, 2015
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- Know Your Rights
- Trade Agreements
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Bloggers' Rights
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Defending Digital Voices
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Encrypting the Web
- Export Controls
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2015 Copyright Review Process
- Genetic Information Privacy
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student and Community Organizing
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games