Is the CFAA Unconstitutionally Vague?

The best way to tackle inventing the future, according to Peter Thiel in his book, Zero to One, is to ask yourself: what is something you believe to be true that most people believe to be false? I’ve been looking at the world through this lens since my sophomore year at the United States Air Force Academy, when my Philosophy professor assigned a similar exercise as a capstone assignment. Eleven years before its repeal in 2011, I chose to argue against the military’s effective LGBT discrimination policy called “Don’t Ask Don’t Tell,” and gave my speech to a mostly male, conservative classroom. This didn’t endear me to my classmates, but it got me an A in the class.


As a novice web developer, I’ve spent most of the past year coding a web app that uses the 3TAPS API, and building out an initial user base for an idea that was several years in the making. But last week’s settlement between Craigslist and 3TAPS means I have to abandon the effort. Throughout the protracted legal battle, I had faith 3TAPS could get the Computer Fraud and Abuse Act (CFAA) charge dismissed. After all, it had the EFF on its side and its founder is a well-connected Bay Area investor. I’m not one for sour grapes, and my familiarity with the CFAA was limited to the 2013 New Yorker piece on Aaron Swartz, so I used this opportunity to gather the latest news surrounding the CFAA and do my part in moving the issue forward. I set out to answer the question: more than two years after Aaron Swartz’s death, when so many thoughtful and powerful people disagree with the law and United States Attorneys’ conduct in these cases, why are we still seeing abuses of the CFAA, and why has the law not been amended?


First, all problems with the CFAA stem from the law being vague. Violations of the CFAA generally require an unauthorized access — either an “access without authorization” or an act that “exceeds authorized access” — to a computer, and it’s over the definition of unauthorized access that federal courts and prosecutors disagree sharply. Under the law as currently written, courts have ruled that violations of a site’s terms of service (TOS) can be considered unauthorized access, even though the CFAA is primarily a criminal statute originally meant to prosecute hacks into federal computers. But federal courts have not been consistent regarding the applicability of the CFAA to TOS or even in their interpretation of “unauthorized access” generally. In a situation like this, the Supreme Court will often intervene to resolve the circuit split, but that hasn’t happened. This has allowed corporations to have a field day, enabling them to construct TOS to prosecute to death competitive upstarts who use their data (see Facebook vs. Power Ventures) or to prosecute former employees for behavior deemed competitive as they left their places of employment (see United States vs. Nosal or International Airport Centers, L.L.C vs. Citrin).

The second big problem with the CFAA relates to the aggressive behavior of prosecutors. According to Jennifer Granick, Director of Civil Liberties for the Center for Internet and Society at Stanford Law School, and many, many other smart people, this problem is endemic to the U.S. criminal justice system, where prosecutorial discretion is increasingly abused to overcharge and impose harsh sentences to force a plea instead of going to trial. On this front, plenty of people made their voices heard and rallied to remove U.S. District Attorneys from office in the wake of Aaron Swartz’s death, to the tune of 61,179 for Carmen Ortiz, and 28,964 for Stephen Heymann. The response? Former Attorney General Eric Holder responded that it was a “good use of prosecutorial discretion.” And the White House waited 18 months to address the petitions before dismissing them with: “We will not address agency personnel matters in a petition response, because we do not believe this is the appropriate forum in which to do so.”

Regarding efforts to amend the law, on one side are organizations like the EFF, Demand Progress, prominent lawyers and scholars, and members of the cybersecurity industry. On the other are large corporations and the Department of Justice (DOJ), which has an incentive to keep the law vague in order to prosecute the ever-evolving range of security threats. The latest incarnation of those threats, the sale and renting of botnets, is one they’ve been unable to prosecute.

In 2013, Congresswoman Zoe Lofgren (D-Calif.) and Senator Ron Wyden (R-Ore.) worked with the EFF to submit a bill called Aaron’s Law, but it didn’t go past committee, whether as a result of successful lobbying — Oracle spent on average $1.5 million each quarter (see Q2, Q3, Q4) lobbying to stop Aaron’s Law in 2013, according to Swartz documentarian Brian Knappenberger — or because the bill was considered dead in the water in light of the White House’s own plans to amend the CFAA. (Aaron’s Law was reintroduced in April.) In January of this year, the White House suggested amendments that would, among other things, increase the minimum penalty to 3 years and expand the criminalization of trafficking in passwords to include “means of access,” i.e., sharing knowledge on jailbreaking your phone. Criticism from the EFF, the Center for Democracy and Technology, and the cybersecurity industry was unanimous in declaring these proposals worse than the status quo.

None of the recent developments gives hope. If anything, they’re even more worrisome. In researching this issue, I’ve been struck by the range of innocuous behavior that has been successfully prosecuted under the CFAA. It reeks of a saying made famous by the Soviet KGB secret police: “Show me the man, and I’ll find you the crime.” Which is why I think there needs to be a grassroots effort to pressure legislators to amend the law based on its being unconstitutionally vague. The U.S. Constitution has a strong protection against capricious enforcement of law, called the “Vagueness Doctrine”:

A constitutional rule that requires criminal laws to state explicitly and definitely what conduct is punishable. Criminal laws that violate this requirement are said to be void for vagueness. Vagueness doctrine rests on the due process clauses of the Fifth and Fourteenth Amendments of the U.S. Constitution. By requiring fair notice of what is punishable and what is not, vagueness doctrine also helps prevent arbitrary enforcement of the laws.

Indeed, five years ago, one of the most vocal critics of the CFAA, Orin Kerr, a former prosecutor and the foremost legal scholar on cybersecurity, published a paper exposing the CFAA as potentially unconstitutionally vague:

The meaning of unauthorized access is remarkably unclear, however, with courts and commentators disagreeing sharply as to how much conduct counts and what principle of authorization the statute adopts. The void-for-vagueness doctrine requires courts to adopt narrow and clear interpretations of unauthorized access to save the constitutionality of the statute. The CFAA has become so broad, and computers so common, that expansive or uncertain interpretations of unauthorized access will render it unconstitutional. Such interpretations would either provide insufficient notice of what is prohibited or fail to provide guidelines for law enforcement in violation of the constitutional requirement of Due Process of the law.

It’s bad enough that corporations have been pursuing frivolous CFAA lawsuits to defend monopolistic positions. It’s even worse that prosecutors use this vague law to hand down savage penalties to force a plea rather than go to trial, and effectively pass sentence rather than establish guilt. As Clive Crook put it so well in The Atlantic: “If prosecutors are not only going to rule on guilt unilaterally but also, in effect, pass sentence as well, one wonders why we can’t also dispense with judges.”


But what the average citizen should care about is that no one is immune from this type of prosecutorial abuse and that the CFAA is a serious impediment to the U.S.’s entrepreneurial ecosystem. A social media user shouldn’t have to worry about breaking the law by sharing his or her password. Nor should an entrepreneur pursuing an innovative idea using publicly available data. Permissionless innovation is what Silicon Valley was built on. Furthermore, if the kind of hacker we rely on to keep the web safe can be criminally prosecuted for exposing a breach of sensitive information, what kind of message does that send to the cybersecurity industry and what hope do we have in safeguarding ourselves against future threats? If you’re as alarmed by the state of affairs as I am, the one thing you can do is let your representatives know. Tweet to them here. In Representative Lofgren’s and Senator Wyden’s own words: “The public can speak loudly thanks to the Internet. And when it does, lawmakers will listen.” Efforts to amend the CFAA will continue to go nowhere without enraged citizens doing their part.