20130402

Why the CFAA's Excessive Criminalization Needs Reform

It's past time for Congress to reform the Computer Fraud and Abuse Act (CFAA)—the law used in the aggressive prosecution of the late activist and Internet pioneer Aaron Swartz. While Aaron's case made national headlines, it was only of one of many instances where the CFAA has been used to threaten draconian penalties against defendants in situations where little or no economic harm had occurred.

Unfortunately, last week, the House Judiciary Committee floated changes to the CFAA that are the exact opposite of reforms proposed by EFF and a host of other organizations. The proposed changes increase penalties across the board, expand the scope of the statute, and criminalize new actions. These changes are completely unnecessary, as the the CFAA already duplicates many crimes written into other laws. The changes only make the law much worse.

Below are just some of the many instances where the CFAA is redundant. Some of these examples are directly drawn from the DOJ's own Computer Crimes Manual. Other examples include claims companies can pursue—like breach of contract, tortious interference, and other state laws—instead of pushing for Congress and the Justice Department to criminalize website terms of service and employee terms of use violations.


Violation of the CFAA What It Is Crimes the CFAA Duplicates
1030(a)1 Accesses a computer without authorization to obtain classified information
  • 18 USC § 794: Prohibits gathering or delivering defense information to aid a foreign government
  • 18 USC § 1362: Interfering with government communication systems
  • 18 USC § 793: Gathering, transmitting or losing defense information
1030(a)2 Accesses a computer without authorization and obtaining information
1030(a)3 Accesses a computer without authorization used by the US government
1030(a)4 Accesses a computer with the intent to defraud or to obtain information more than $5,000.
  • Breach of contract
  • Conversion
  • Intentional interference with prospective economic advantage
  • 17 USC §§ 1201-1202, 1204: Circumventing technological measures aimed at protecting copyrighted works for financial gain
  • 18 USC § 1343: Fraud by wire, radio, or television
  • 18 USC § 1341: Federal mail fraud
  • 18 USC § 1832: Theft of trade secrets
1030(a)5 (A) Intentionally damaging a computer.(B) Recklessly damaging a computer by intentional access. (C) Negligently causing damage to a computer without authorization.
  • Breach of contract
  • Conversion
  • Intentional interference with prospective economic advantage
  • 18 USC § 1362: Prohibits damage to a US government computer
1030(a)6 Trafficking in passwords
1030(a)7 Extortion involving computers
  • Breach of contract
  • Conversion
  • Intentional interference with prospective economic advantage
  • 18 USC § 1951: Interfering with commerce by robbery, extortion, threats or violence
  • 18 USC § 875(d): Interference with commerce by extortion.
  • 18 USC § 2113(a): Financial theft

Even under EFF's reform, all of these other statutes could still be used to go after legitimate crimes, and it will still be a serious crime under the CFAA for an outsider to steal proprietary information, to knowingly transmit codes that cause damage to a computer, to traffic in passwords, or engage in extortion by using threats of intrusion.

Go here to tell you Congressional representative to reform the CFAA so it can only used to go after real criminals, instead of security researchers, activists, innovators, and entreprenuers.

No comments: