Fixing the Worst Law in Technology – Anatomy of CFAA
On the opening day of this year’s South by Southwest festival, in Austin, an audience gathered in a giant conference hall to remember the life and tragic suicide of Aaron Swartz. Tim Berners-Lee, the inventor of the World Wide Web, spoke of Swartz’s curious and restless mind. Swartz’s girlfriend Taren Stinebrickner-Kauffman described him as a man who was constantly asking whether what he was doing was the most important thing that he could be doing. (A quality extensively documented by Larissa MacFarquhar in her Profile of Swartz.) The proceedings were yet another reminder that Swartz’s suicide was heartbreaking beyond belief, and that something must be done about the law that he was aggressively prosecuted under, the Computer Fraud and Abuse Act (CFAA).
As if to underline the point, last Thursday, federal prosecutors indicted Matthew Keys, a social-media editor at Reuters, under the same law for helping with an online prank. Keys helped hackers vandalize a news story on the Web, messing with the contents of the article and changing a headline to read “pressure builds in house to elect chippy 1337”—which was an inside joke. The damage was trivial, yet he is threatened with two hundred and fifty thousand dollars in damages and up to twenty-five years in prison.
These prosecutions have brought a rare moment of public attention to the breadth and severity of this law. Congress could change the law, but everyone knows that waiting for congressional action nowadays is a fool’s game. The Obama Administration can, and should, set things right by changing its enforcement policy. And if the Justice Department declines to act, President Obama, as the ultimate enforcer of the law, should step in and set things right.
The Computer Fraud and Abuse Act (CFAA) is the most outrageous criminal law you’ve never heard of. It bans “unauthorized access” of computers, but no one really knows what those words mean. Orin Kerr, a former Justice Department attorney and a leading scholar on computer-crime law, argues persuasively that the law is so open-ended and broad as to be unconstitutionally vague. Over the years, the punishments for breaking the law have grown increasingly severe—it can now put people in prison for decades for actions that cause no real economic or physical harm. It is, in short, a nightmare for a country that calls itself free.
It wasn’t always this way. The act was born, in 1984, as a narrow statute enacted for the reasonable goal of combating malicious hackers: people who break into computer systems and steal valuable data (like credit-card numbers) or do real economic damage. But it is in the nature of law to mutate and expand beyond the original justification. Over the years, Congress expanded the statute five times, adding private rights of action and making misdemeanors into felonies. Both private litigants and the Justice Department began to use the law against not only hackers but also otherwise legitimate users who violate the “terms of service” policies that come with nearly every piece of software and service we use on computers today.
What are terms of service? Remember the last time you signed up for a Web site and clicked through several pages of fine print? Yep, that was it. Chances are, you didn’t read it, and didn’t think that it might be a federal felony to violate the provisions that it contained. The Justice Department has repeatedly taken the position that such violations are felonies. In the prominent cyberbullying case United States v. Drew, a federal prosecutor asserted that violating MySpace’s terms of service would be a federal felony. Similarly, the indictment threatening Aaron Swartz with thirty-five years in prison depended, in part, on a terms-of-service violation: when Swartz tried to download thousands of academic articles, he did so as an authorized guest user of the M.I.T. network. He didn’t actually “hack” or “break” into the network; he violated the terms of service for guests by downloading too much stuff.
The broadest provision, 18 U.S.C. §1030(a)(2)(c), makes it a crime to “exceed authorized access, and thereby obtain… information from any protected computer.” To the Justice Department, “exceeding authorized access” includes violating terms of service, and “any protected computer” includes just about any Web site or computer. The resulting breadth of criminality is staggering. As Professor Kerr writes, it “potentially regulates every use of every computer in the United States and even many millions of computers abroad.” You don’t have to be a raving libertarian to think that might be a problem. Dating sites, to borrow an example from Judge Alex Kozinski, usually mandate that you tell the truth, making lying about your age and weight technically a crime. Or consider employer restrictions on computers that ban personal usage, like checking ESPN or online shopping. The Justice Department’s interpretation makes the American desk-worker a felon.
When judges or academics say that it is wrong to interpret a law in such a way that everyone is a felon, the Justice Department has usually replied by saying, roughly, that federal prosecutors don’t bother with minor cases—they only go after the really bad guys. That has always been a lame excuse—repulsive to anyone who takes seriously the idea of “a government of laws, not men.” After Aaron Swartz’s suicide, the era of trusting prosecutors with unlimited power in this area should officially be over.
What can be done? Congresswoman Zoe Lofgren has drafted a bill that attempts to curtail the act’s sprawling breadth. But even in the best of times, Congress rarely scales back criminal laws—and we have the do-nothingest Congress in history. The problem is compounded by industry resistance. At a recent White House meeting, Oracle and other companies made clear their suspicion of Lofgren’s bill. Big data firms prefer the law just the way it is, and why wouldn’t they? If you’re a prosecutor or a firm with lots of data, the law is just about perfect. It’s just too bad for the rest of us.
The Lofgren bill is a worthy effort, but betting on this Congress to pass a law that is opposed by industry and that diminishes prosecutorial authority is to bet on the political version of an inside straight. The memory of Swartz’s suicide will fade, and we will be left with the sword of Damocles dangling. There needs to be a better way.
There is a much more immediate and effective remedy: the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation. The Obama Administration’s policy will have no effect on civil litigation, so firms like Oracle will retain their civil remedies. President Obama’s DREAM Act enforcement policy, under which the Administration does not deport certain illegal immigrants despite Congress’s inability to make the act a law, should be the model. Where Congress is unlikely to solve a problem, the Administration should take care of business itself.
All the Administration needs to do is to rely on the ancient common-law principle called the “rule of lenity.” This states that ambiguous criminal laws should be construed in favor of a defendant. As the Supreme Court puts it, “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” So far, at least thirteen federal judges have rejected the Justice Department’s interpretation of the Computer Fraud and Abuse Act (CFAA). If that’s not a sign that the law is unclear and should be interpreted with lenity, I don’t know what is.
If neither the Justice Department nor the Attorney General will budge, it falls to the President, who bears ultimate public responsibility for law enforcement, to do what is right. The Computer Fraud and Abuse Act (CFAA) is egregiously overbroad in a way that has clearly imposed on the rights and liberties of Americans. With just one speech, the President can set things right.
CFAA – Fixing the Worst Law in Technology – New Yorker March 18, 2013, By Tim Wu