The great divide: Reforming the CFAA

Rep. Zoe Lofgren wants to "prevent the kind of abusive prosecution directed at Aaron Swartz."

A call for reform

Surprising as it may be, the CFAA originally was crafted in 1984, prompted in part by the release of the film War Games, starring Matthew Broderick, which stoked U.S. government fears of the vulnerability of its defense infrastructure. The law has been expanded no fewer than eight times since, each time its scope broadened as more computers came online and the world increasingly became connected by the internet. The penalties are severe, too: Offenders can face up to 20 years in prison for each violation.

“Our lawmaker and the DoJ is a little out of touch,” says Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation, a digital advocacy group. “To the extent they're aware of what goes on online, they're maybe a little nervous about it. There's the great cyber crime panic going on right now, and I think jacking up the CFAA is one of the responses to that.”

But the EFF says the CFAA does little to curb the threat of espionage and fraud emanating from countries like China, Iran and Russia, which often is used as justification by Congress to tighten computer crime laws here. Writing on the EFF's blog, policy analyst Mark Jaycox said he is aware of only a “handful” of extraditions under the CFAA. “Many foreign hacks—like the ones revealed in the recently released Mandiant report [on a Chinese military unit that stole U.S. intellectual property] — are not private individuals, but are state or quasi-state sponsored citizens…. And the U.S. will find it hard, if not impossible, to extradite [them]. In the case of China and Russia, there are strong legal prohibitions that bar the government from handing over a citizen to another country.” That can apply even to its closest allies. The United States had been trying for years to force accused U.S. government hacker Gary McKinnon to face trial here, but the British home secretary in December withdrew an extradition order against him. 

But Swartz was afforded no such luxury. The reason he faced more than three decades in prison was language in a section of the CFAA stating that a person can be held liable for violating the law if they have “knowingly accessed a computer without authorization or [exceeded] authorized access.” Prosecutors could interpret this to mean that an infraction is something as seemingly innocuous and common as violating a company's computing policy (visiting YouTube, for example) or a website's terms of service (for instance, lying about one's age when setting up a Facebook account) – possibilities that didn't exist when the law was passed. Swartz's indictment partially relied on this provision.

Lofgren proposed her first idea for a reform to the bill – which The New Yorker called “the worst law in technology” – in January, days after Swartz's death. Two weeks later, after consulting the Reddit community and other IT professionals, she released a revised version of the draft, with some additional caveats, including protection for web users and researchers who seek to defend their privacy, in addition to adding language specifying that a violation can only occur if someone purposefully evades security measures, such as password controls or a firewall.

“Like the first draft, this revised draft explicitly excludes breaches of terms of service or user agreements as violations of the CFAA and wire fraud statute,” Lofgren wrote on Reddit. “This revised draft also makes clear that changing one's MAC or IP address is not in itself a violation of the CFAA or wire fraud statute. In addition, this draft limits the scope of CFAA by defining ‘access without authorization' as the circumvention of technological access barriers. Taken together, the changes in this draft should prevent the kind of abusive prosecution directed at Aaron Swartz and would help protect other internet users from outsized liability for everyday activity.”

Lofgren says the tweaks to the CFAA aren't a rewrite, and are by no means meant to water down the bill's enforcement ability. “My thought is that we should make changes to the statute so that if someone did something like Aaron, they would not be facing a 35-year prison sentence,” she says. “On the other hand, there are in fact cyber criminals. I am not of the view that cyber crime is non-existent.”

The congresswoman is reticent to make the issue political. She does not want to accuse the U.S. attorney's office of overreach and misconduct, preferring to leave that investigation up to the House's Committee on Oversight and Government Reform. “It seemed to me the positive role I could play was to examine the statute itself and learn what was in it that could allow a prosecutor to file 13 felony charges for what was an act of civil disobedience,” she says.

The EFF, among other civil liberties groups, has joined Lofgren in her fight to rework the bill. In addition to the alterations that Lofgren seeks, the EFF is hoping to revamp what it calls the CFAA's harsh penalty scheme, which “makes first-time offenses for accessing a protected computer without sufficient authorization...punishable by up to five years in prison each.”

“We want the law to be proportionate and want that to apply to everyone,” Fakhoury says. “Whether you are a legitimate researcher or you're the worst credit card scammer, that will have a net benefit for everyone.”

One of the most outspoken critics of the CFAA is a man who was recently jailed because of it. In March, Andrew “Weev” Auernheimer, a brash, self-proclaimed internet troll, was sentenced to 41 months in prison following his conviction last year for discovering and exploiting a weakness on the website of AT&T that allowed him and a co-conspirator to obtain data on roughly 120,000 Apple iPad users, including politicians and celebrities.

Like Swartz, Auernheimer never sought to profit from the information he found. On the contrary, his only intention was to shame the nation's largest telecom company for its shoddy security practices. And like Swartz, he didn't use any classic hacking techniques, such as brute force or SQL injection. But make no mistake, the two are not exactly comparable – Auernheimer never balked at the possibility of getting prison time. In fact, he embraced it.
