The great divide: Reforming the CFAA

Rep. Zoe Lofgren wants to "prevent the kind of abusive prosecution directed at Aaron Swartz."

From prison at the Metropolitan Detention Center in Brooklyn, Auernheimer has been actively tweeting, thanks to a friend who is posting his remarks for him after she receives them via email. He said he is committed to abolishing the CFAA: “You're lucky that I'm a poor [expletive] from Arkansas. Brawling in prison is my idea of fun. I have the strength to fight this.” In another Twitter diatribe posted a couple of days earlier, Auernheimer said existing wire fraud statutes already address cyber crimes, and it's unfair that there is a special law for computer infractions.

“The CFAA doesn't hinder Romanians, Estonians, Chinese or the RBN [Russian Business Network],” he tweeted. “It only hurts researchers and activists...The idea one should be punished extra for using a computer is backward. Unfortunately, the billions of [dollars of] theft and money laundering finance industry criminals do with paper goes unpunished.” Instead, he said, lawmakers should focus their attention on encouraging the development of more robust IT systems, ones that aren't prone to common vulnerabilities, like memory corruption.

Expanding the law

But while many want to see the CFAA amended, or extinguished altogether, a class of security professionals, prosecutors and lawmakers has expressed trepidation over any efforts to diminish its enforcement effectiveness. With security breaches becoming a mainstream norm, it's easy to understand how some, particularly those vested with deflecting attacks and guarding valuable data, can get a little spooked.

“I see hundreds and hundreds of attempted break-ins every day, and frankly, I don't think we have a handle on them as it is,” says Brett Glass, owner of Lariat, a small internet service provider based in Laramie, Wyo. “I think weakening your legal recourse, we have to seriously consider whether we want to.”

Nicole Muryn, a lobbyist representing BITS, the technology arm of the Financial Services Roundtable, says her organization actively supports maintaining the CFAA in its current form, considering its member banks represent a significant target for cyber attackers. That includes keeping intact controversial sections of the law, such as the terms-of-service component, which she says is necessary considering the growing usage of social media accounts by financial institutions. “We would prefer that it would stay the way the law is written now,” she says.

Alexander Southwell, who served as a U.S. attorney in the Southern District of New York from 2001 to 2007, says the deterrence that the CFAA provides should not be underestimated, particularly when one is referencing the threat posed by so-called malicious insiders. Richard Downing, deputy section chief for computer crime and intellectual property at the DoJ, agrees. He told the House Judiciary Committee in 2011 that “limiting the use of such terms to define the scope of authorization would, in some instances, prevent prosecution of exactly the kind of serious insider cases the department handles on a regular basis.”

However, the EFF's Fakhoury disagrees, arguing that existing laws, such as those covering the misappropriation of trade secrets, already cover those acts.

And what about someone like Aaron Swartz, who was not seeking to defraud his employer, but merely wanted to strike back against a for-profit academic system with which he disagreed? Or what about Lori Drew, whose intentions may have been abominable, but who never actually hacked anything?

“That's really a debate about prosecutorial discretion, not about the statute,” says Southwell, now a partner at New York-based law firm Gibson, Dunn and Crutcher, and an adjunct professor of law at Fordham University. “My personal view is there is an appropriate balance struck now. There could be some clarity brought to the law, but I'm not sure it needs a wholesale contraction...I have more faith in prosecutorial discretion of judicial interpretation than perhaps others.”

Never mind a contraction, there are efforts underway within the House Judiciary Committee to actually pass legislation to expand the CFAA, keeping in place the sections that Lofgren and company want to see reformed, while stiffening penalties, expanding “conspiracy” thresholds and adding language that conflates certain forms of hacking with racketeering. The language is similar to a 2011 effort backed by President Obama and the Department of Justice, and which almost turned into law.

So, just like that, Lofgren now finds herself in a tug-of-war that surely would make Aaron Swartz's blood boil, along with that of others who believe they are being unfairly persecuted under the CFAA.

And, who knows, maybe Abraham Lincoln as well. 


Photo of Zoe Lofgren by Jay Westcott/NewSport; Photo inset of Aaron Swartz by Daniel J. Sieradski/Zuma; Photo of Aaron Swartz funeral: © Michael Tercha/MCT/ZUMAPRESS.com
