The CFAA’s unintentionally counterproductive nature and new solutions

The Computer Fraud and Abuse Act (CFAA) is currently the most prominent United States law for fighting cybercrime. The CFAA has been amended several times since it was first enacted over three decades ago in 1986, although it still seems to hold a very broad and unrefined interpretation. This, along with the rapidly changing technological landscape and several cases in which the CFAA was questionably applied, has drawn attention to it in recent years as a candidate for reform.

The CFAA was intended, in general, to target hackers who access computers and steal information. The key takeaway is that it prohibits gaining “unauthorized access” to, or acting to “exceed authorized access” on, any “protected computer” in order to cause damage or take away data. It is important to mention that when the CFAA was first drafted, the “computer” was still fairly new. The main problem with the CFAA is that while technology kept improving and changing, the broad interpretation of the CFAA stayed generally the same. The result is a law that can be abused on both sides of the court because of its vague language in a world of entirely new technology. It seems that, in attempting to prepare for and protect future technology, the CFAA unintentionally turned a large array of internet activities that people do on a daily basis into criminal offences.

Because the CFAA is so broad and so open to interpretation, small things that millions of people do online, such as lying about their age or breaking terms of service, would be considered violations of the CFAA and be punishable by prison time or fines. Even worse, security researchers who use techniques such as reverse engineering or penetration testing may be at risk from the CFAA simply for doing their jobs. Ironically, a profession that does exactly what the CFAA strives to achieve, that is, security, is being limited by the CFAA itself.

One of the best-known cases involving the CFAA is US v. Swartz. Aaron Swartz faced charges under the CFAA after downloading millions of scholarly articles from the academic database JSTOR at M.I.T., with plans to release them to the public, as he believed information should be free. Overall, the act itself was generally harmless, as JSTOR was able to patch the issue quite quickly and block Swartz from downloading further articles. Due to the CFAA’s harsh penalties and redundant provisions, Swartz faced up to 35 years in prison and a fine of up to one million dollars. Unsure what to do, Aaron Swartz committed suicide. His death sparked a widespread plea to reconsider the CFAA’s language and severe punishment. A proposal by the name of “Aaron’s Law” looks to redefine the CFAA by establishing that simple breaches of TOS, employment agreements, or contracts are not automatic violations of the CFAA; eliminating redundant provisions that subject an individual to duplicate charges; and allowing for a wider range of penalties, such as non-felony charges. Aaron’s Law is definitely a step in the right direction toward a fair CFAA that can be utilized effectively and properly.

Written by Cristian DeCastro