Computer Fraud And Abuse Act 2013: New CFAA Draft Aims To Expand, Not Reform, The ‘Worst Law In Technology’

  on

The Computer Fraud and Abuse Act was passed in 1984 to combat the cracking of huge computer systems owned by financial institutions and the government. Nearly 30 years and seven amendments later, the law is regarded by many lawyers and academics as overly “expansive” and “sweeping,” as it lets the government incarcerate “any Internet user they want,” according to former federal prosecutor Orin Kerr.

“The Computer Fraud and Abuse Act is the most outrageous criminal law you’ve never heard of,” Tim Wu, a Columbia law professor and pioneer of network neutrality, wrote in the New Yorker. “It bans ‘unauthorized access’ of computers, but no one really knows what those words mean.”

Despite the enormous reach of the Computer Fraud and Abuse Act as it currently stands – it was the same law used by prosecutors to torment late Internet activist Aaron Swartz prior to his suicide on Jan. 11 -- the House Judiciary Committee has actually proposed a number of expansions to the law in a new draft, which Tech Dirt says will be “rushed” to Congress during its “cyber week” in the middle of April.

You can read the proposed Computer Fraud and Abuse Act draft in its entirety here.

Among many additions, the new CFAA draft expands the number of ways a person could be prosecuted by punishing anyone who “conspires to commit” violations just like those that have already “completed” the offense. It also adds computer crimes as a form of “racketeering activity,” to allow the Department of Justice to hit computer criminals with further charges in court. And if you’re found guilty, the new CFAA endorses more severe punishments for any offenders by raising the maximum sentences available for certain violations.

Here’s an example of the extreme nature of these recommended punishments: Aaron Swartz, who illegally tapped into and downloaded millions of scholarly papers from the digital journal archive JSTOR while visiting the Massachusetts Institute of Technology, faced four charges under section (a)(4) of the CFAA, with a maximum sentences of five years per charge, for a possible total of 20 years in prison. While many lawyers and experts have recommended reducing these penalties or removing them entirely, the new draft actually increases the maximum for each charge under (a)(4) to 20 years, which means Swartz could have gotten 80 years. NYU law professor James Grimmelman on Monday called this notion “simply obscene.”

But what’s perhaps most troubling to Internet freedom advocates is how the new CFAA even expands the law to include accessing information for an “impermissible purpose,” which means even if you have the right to access the information in the first place, it’s still considered a crime if someone deems you are misusing your access in some way.

According to Kerr, a computer law expert, the language in the new CFAA would make it a felony to “lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions,” or if you violate the terms of service on a government website.

“In short, this is a step backward, not a step forward,” Kerr said. “This is a proposal to give DOJ what it wants, not to amend the CFAA in a way that would narrow it.”

The Electronic Frontier Foundation is tackling the Computer Fraud and Abuse Act with its own alternative proposals, which include eliminating duplicative penalties and reducing computer crimes from felonies to misdemeanors, and the organization also offers ways to contact your congressman about fixing the CFAA.

Follow Dave Smith on Twitter

Join the Discussion