It's past time for Congress to reform the Computer Fraud and Abuse Act (CFAA)—the law used in the aggressive prosecution of the late activist and Internet pioneer Aaron Swartz. While Aaron's case made national headlines, it was only of one of many instances where the CFAA has been used to threaten draconian penalties against defendants in situations where little or no economic harm had occurred.
Unfortunately, last week, the House Judiciary Committee floated changes to the CFAA that are the exact opposite of reforms proposed by EFF and a host of other organizations. The proposed changes increase penalties across the board, expand the scope of the statute, and criminalize new actions. These changes are completely unnecessary, as the CFAA already duplicates many crimes written into other laws. The changes only make the law much worse.
|Violation of the CFAA
|What It Is
|Crimes the CFAA Duplicates
|Accesses a computer without authorization to obtain classified information
|Accesses a computer without authorization and obtaining information
|Accesses a computer without authorization used by the US government
|Accesses a computer with the intent to defraud or to obtain information more than $5,000.
|(A) Intentionally damaging a computer.(B) Recklessly damaging a computer by intentional access. (C) Negligently causing damage to a computer without authorization.
|Trafficking in passwords
|Extortion involving computers
Even under EFF's reform, all of these other statutes could still be used to go after legitimate crimes, and it will still be a serious crime under the CFAA for an outsider to steal proprietary information, to knowingly transmit codes that cause damage to a computer, to traffic in passwords, or engage in extortion by using threats of intrusion.
Go here to tell you Congressional representative to reform the CFAA so it can only used to go after real criminals, instead of security researchers, activists, innovators, and entrepreneurs.