America’s Draconian Computer Fraud and Abuse Act
by Stephen Lendman
It’s an anti-hacking law. It criminalizes accessing computer systems “without authorization.”
“(E)xceeds authorized access” terminology was left undefined. Misinterpretations and abuse followed. Overzealous prosecutors take full advantage.
In 1984, CFAA was enacted. It was amended numerous times. It’s primarily a criminal law. At issue are seven types of offenses.
They include obtaining national security information, compromising confidentiality, trespassing in a government computer, accessing a system to defraud and/or obtain value, damaging a computer or information therein, trafficking in passwords, and threatening to damage a computer.
A 1994 amendment permits civil actions. In 2001, Patriot Act provisions addressed computer crime. They require Internet service providers to report suspicious information or activity “without delay.”
In 2008, the Identity Theft Enforcement and Restitution Act criminalized conspiracy to commit CFAA related crimes.
The Electronic Frontier Foundation (EFF) calls CFAA “infamously problematic.” Reforming it is long overdue. Creative prosecutors game the law advantageously.
Charges unrelating to hacking follow. CFAA’s “disproportionately harsh penalty scheme” punishes innocent victims.
Alleged first-time offenders face up to five years imprisonment. Repeat ones get ten or more years and stiff fines.
Violations of other CFAA provisions impose longer sentences. In some cases, life in prison is possible.
Aaron Swartz was maliciously and wrongly charged with excessive CFAA penalties. EFF demands reform. Abusive legislation requires fixing. Punishments should fit crimes. CFAA is rife with problems. It’s outlandishly draconian.
Its undefined language encourages abuse. Minor no harm incidents become major ones. Criminal prosecutions follow. EFF’s proposal remains a work in progress. It’s three-part series discussed it.
Part 1 calls for “no prison time for violating terms of service.” CFAA’s greatest flaw criminalizes accessing computer systems “without authorization” or in ways that “exceeds authorization.”
Undefined terminology “gives the government tons of leeway to be creative in bringing charges.” Overzealous prosecutors take full advantage. Innocent people suffer.
“Vague laws are dangerous precisely because they give prosecutors and courts too much discretion to arbitrarily penalize normal, everyday behavior.”
Innocuous activities become crimes. Misstating age on Facebook can be criminalized. The website’s Rights and Responsibilities make users promise not to “provide any false personal information.”
Innocent misstatements can be criminalized. Inaccurately calling yourself tall, dark and handsome on Craigslist can bring long prison terms.
Its Terms of Service say users can’t post “false or fraudulent content.”
Buying a lotto ticket with Square invites trouble. Its Wallet User Agreement prohibits many types of transactions.
They include purchases “in connection with” membership clubs, identity theft protection services, lotto tickets, or “occult materials.”
Letting a friend log into your Pandora account violates its terms of service. Users must “agree (not to) allow others to use any aspect of your Account Information.”
Prosecution can follow posting impolite comments on The New York Times web site. Its Terms of Service demand courtesy, “respectful language,” and “debate (without) attack.”
Using Hootsuite to update your Google Plus page risks trouble. It lets users manage their Twitter and Facebook accounts.
It promotes Google Plus integration. Be wary, warns EFF. Google’s Terms of Service warns against “misuse (of) Services.”
It cautions users not to “try to access them using a method other than the interface and the instructions (it) provide(s).” Doing so risks criminal liability.
Don’t try sending sexy messages on eHarmony. Its Terms of Service prohibit using it for “sexually oriented” content. “Off-topic” or “meaningless” material is banned. Searching for love the wrong way invites trouble.
EFF is clear and unequivocal saying:
Abusive legislation may “land you in the Big House.”
“Internet users shouldn’t live in fear that they could face criminal liability for mere terms of service violations – especially given that website terms are often vague, lopsided and subject to change without notice.”
“Security testing, code building, and free speech – even if unabashedly impolite – are fundamental parts of the Internet’s character.”
Violating service terms or other private agreements shouldn’t risk criminal prosecution, imprisonment, and stiff fines. Support EFF “in calling on Congress to fix” glaring CFAA abuses.
EFF’s Part 2 offered ways to fix CFAA.
(1) Clarify unauthorized access. Define it precisely. Abandon the phrase “exceeds authorized access.”
Simplify CFAA. Streamline it. Make it consistent with related federal appeals court rulings. Don’t criminalize minor infractions.
(2) Two major penalties need fixing. More on them below. They’re redundant. They repeat other CFAA prohibitions. They let prosecutors game the law.
Remove the provision that lets litigants bring civil actions. They’re also redundant. They risk judicial misinterpretations. Criminal prosecutions can follow.
“Require repeat offenses to actually be subsequent offenses.” Doing so stops “prosecutors from leveraging the same course of conduct into a ‘repeat’ offense.” They do it for stiffer penalties.
Make first-time offenses misdemeanors “unless they are done for commercial advantage, private financial gain in excess of $10,000, or the offense is committed in furtherance of a felony.”
At issue is stopping unwarranted aggressive prosecutions. Curbing them should be prioritized. Government officials shouldn’t have discretion to turn minor offenses into felonies.
EFF’s Part 3 said “punishment should fit the crime.”
“Computer crime law should not double-count offenses.” CFAA’s section 1030(a)(3) criminalizes accessing without authorization either:
(a) computers used exclusively by the federal government or
(b) ones used by the government in ways that affect its computer use.
Section 1030(a)(4) criminalizes “knowingly and with intent to defraud” computer accessing without authorization and/or obtaining something of value as a result.
CFAA criminalizes this behavior elsewhere in the statute. Section 1030(2)(2)(B) criminalizes accessing computer systems without authorization and obtaining information from a US agency or department.
It also prohibits accessing without authorization any “protected computer.” The ill-defined term invites abuse. It can mean any government operated one.
Conduct prohibited under section 1030(a)(4) is redundant. It’s covered under the wire fraud statute (18 USC 1343). It criminalizes wire communications for fraudulent schemes.
Redundant sections let overzealous prosecutors pile one. They can add multiple charges. They can ratchet up penalties. They can turn minor infractions into major ones.
Other statutes also address computer crime. Employees using their computer credentials for access into corporate systems to obtain sensitive proprietary information can be charged with misappropriation of trade secrets under 18 USC 1832.
Improperly accessing Social Security numbers for identity theft purposes can be prosecuted under the identity theft statute (18 USC 1028).
Aggravated identity theft can be charged under 18 USA 1028A. Persons trafficking in stolen passwords for an online bank account face charges of trafficking in a stolen access device under 18 USC 1029.
“Repeat offenses should trigger harsher punishments only if they happen after a prior conviction,” says EFF.
Computer misdemeanors shouldn’t be criminalized. They’re misunderstood. Maximum penalties are one year or less imprisonment.
Felonies bring more than one year. Multiple ones pile on. Harsher punishment follows. Doing so should be restricted to serious crimes.
Offenses causing little or no harm should be minor misdemeanors. Lives shouldn’t be ruined for slight infractions. Loss of freedom is serious. Probation terms can be onerous. Minor violations can bring harsh punishment.
Felonies should be restricted to unauthorized access for commercial advantage or private fair market financial gain exceeding $10,000.
They should be related to other felonies. Examples include identity theft, obtaining trade secrets, criminal copyright infringement, or stealing classified government information.
They should apply to damaging computer systems if doing so impairs medical diagnoses or treatment, injures people other ways, creates public health or safety issues, affects government computers used for justice, national defense, or national security, and/or is done for commercial advantage or significant private financial gain.
After Aaron Swartz’s death, EFF called for fixing draconian computer crime law. Doing so requires penalties proportionate to wrongdoing.
EFF called Aaron Swartz “a close friend and collaborator.” His suspicious death was more than a personal tragedy. It was “the product of a criminal justice system rife with intimidation and prosecutorial overreach,” said EFF.
He spent months battling unjust charges. His case highlights profound CFAA abuses. Hacking laws are broad, vague and unfair. They call for excessive penalties. They overstep and overreach.
Aaron was no super-hacker. He was targeted to silence him. He may have been murdered in the process. Julian Assange thinks so. “Read his words,” he said. “Decide for yourself.”
“I believe Swartz was murdered by a team of copyright assassins who made it look like a simple suicide. Watch what you say or you may end up like” Aaron.
His girl friend, Taren Stinebrickner-Kaufffman, believes depression didn’t drive him to suicide. She researched clinical depression symptoms. “Aaron didn’t fit them,” she said.
He was energetic, not inactive, withdrawn and isolated. He had every reason to live, not die. He had much more he wanted to accomplish.
He “had a profound capacity for pleasure in everyday life.” His “death was not caused by depression.”
She blames “a criminal justice system that prioritizes power over mercy, vengeance over justice, a system that punishes innocent people for trying to prove their innocence instead of accepting plea deals that mark them as criminals in perpetuity.”
Others dismiss suicide entirely. Aaron’s own words excluded it they say. His Open Access Manifesto called information power.
“But like all power, there are those who want to keep it for themselves,” he said. He wanted scholarly/scientific “public culture” information shared.
“When things are hard – and he said it is the important things that are hard – you have to lean into the pain.” Does that sound like someone planning suicide?
It’s time to amend CFAA, says EFF. Doing so will prevent prosecutors from arbitrarily throwing the book at people “they don’t like.”
Aaron’s “memory should challenge us to make the Internet, the law, and the world better. One place to start is CFAA.”
Stephen Lendman lives in Chicago and can be reached at firstname.lastname@example.org.
His new book is titled “Banker Occupation: Waging Financial War on Humanity.”
Visit his blog site at sjlendman.blogspot.com and listen to cutting-edge discussions with distinguished guests on the Progressive Radio News Hour on the Progressive Radio Network Thursdays at 10AM US Central time and Saturdays and Sundays at noon. All programs are archived for easy listening.