The Computer Fraud and Abuse Act is Stifling Security and Individual Rights

Adam G.
Jul 15, 2020 · 9 min read

The word hack has taken on new meaning since the advent of the Internet. Once used to connote a violent, often illegal attempt to gain access to a physical or digital space, the word has come to carry several positive connotations. Hackers locate and disarm computer bugs and viruses. Lifestyle hacks purport to improve our everyday efficiency and make us happier. Hacktivists use digital town squares to spread messages of social change, including free speech, human rights, and freedom of information, among other political and social agendas. Yet our system of laws has yet to catch up with these myriad new variations of the word, resulting in absurd, often draconian prosecutions of some while others face no prosecution at all. The law most frequently applied in these prosecutions is the Computer Fraud and Abuse Act (CFAA), a 1986 Federal statute that makes it a crime to access a protected computer without authorization, or to exceed one's authorized access, and thereby obtain information. After more than 30 years, the arbitrariness of the law's application will finally be taken up by the Supreme Court this fall.

Van Buren v. United States, the CFAA case the Supreme Court will hear, concerns Nathan Van Buren, a Georgia police officer who was the subject of an FBI sting operation. During the sting, Van Buren searched a law enforcement database to determine whether a local exotic dancer was an undercover police officer, in exchange for a promised payment. Van Buren was subsequently charged with and convicted of violating the CFAA, on the theory that his use of the database exceeded his authorized access. The Supreme Court declined to hear a similar case, United States v. Nosal, in 2017. While Van Buren's conduct was certainly improper (a police officer should not use government databases for personal gain or private vendettas), the CFAA is a poorly constructed and frequently abused statute. The Court in Van Buren, therefore, will need to decide not only whether Van Buren's conduct falls within the CFAA, but what purpose the CFAA should serve in modern society. The decision is unlikely to satisfy any of the stakeholders, as the outdated statute is long overdue for a legislative overhaul.

History of the CFAA

Many of the CFAA's pitfalls could have been prevented. The statute founders on two key phrases: "protected computer" and "without authorization." The first is defined so broadly (any computer used in or affecting interstate or foreign commerce) that it now reaches virtually any computer, including smartphones, tablets, and the like; the second is not defined at all. Faced with that ambiguity, Federal prosecutors have erred on the side of over-prosecution rather than under-prosecution. Like Facebook, whose guidelines for content moderators have grown from a single sheet to more than 50 pages, Congress failed to foresee how complex adjudicating overbroad terms could become. As a result, "unauthorized access" can be as simple as sharing a Netflix password with a friend. Under standards this broad, literally anyone could be prosecuted. And where a law can be applied at whim, it is typically applied in a fashion that disproportionately affects those with the least legal protection. This over-prosecution also chills internet security research and investigations of discriminatory practices online.

Malicious Prosecutions


Perhaps the best example of this kind of vengeful prosecution is United States v. Swartz, a case that ended only when 26-year-old Aaron Swartz, a computer prodigy, pioneer of a free and open internet, and co-founder of Reddit, committed suicide. Swartz, who also had a hand in developing RSS, Markdown, and Creative Commons, was prosecuted for setting up a computer to bulk-download academic articles from JSTOR, a digital library typically provided free of charge to students and library patrons at numerous universities and organizations, including the Massachusetts Institute of Technology (MIT), where Swartz set up his computer. Swartz was not an MIT student, and JSTOR does not permit hundreds of articles to be downloaded at a time, so he was clearly in violation of JSTOR's terms of service. But 11 CFAA counts and a potential sentence of up to 50 years are just as clearly disproportionate to the offense. Swartz was acting as a hacktivist (he believed in a free and open internet), was downloading materials already freely available to hundreds of thousands of individuals, and was accessing information that was neither sensitive nor personally identifiable. Federal prosecutors sought to make an example of him.

Ironically, Swartz has become an example of what is wrong with the CFAA. A 2013 bill titled "Aaron's Law" sought to amend the CFAA to exclude terms-of-service violations from its reach. The bill stalled in committee, and stalled again when it was reintroduced in 2015. In a similar case, United States v. Matthew Keys, Keys, a journalist, was prosecuted and sentenced for sharing login credentials for the content management system of the Tribune Company, his former employer. The credentials were used by a third party to deface an article on a Tribune website. The defacement was live for less than 40 minutes, yet Keys faced up to 25 years in prison; he was eventually sentenced to two years. In United States v. Aleynikov, Sergey Aleynikov, a former Goldman Sachs programmer, was prosecuted twice, first federally and then by New York State, for taking source code with him on a USB thumb drive when he left Goldman (the CFAA count in the federal indictment was dismissed before trial, and his federal conviction under other statutes was later overturned on appeal). After numerous appeals over a seven-year period, he was eventually sentenced to time served. Prosecutions like these are a waste of government resources and time.

Security Research and Exposing Discriminatory Practices


Hacking is also used to expose discriminatory practices that companies would surely be reluctant to admit. Journalists have used web scraping to reveal conditions in Chicago's prisons, to identify doctors who continued to practice after being caught sexually abusing patients, and to document discriminatory practices at companies such as Princeton Review and Airbnb. Many of these abuses would not have been found without web scraping, because the large-scale data collection it enables reveals patterns that would not otherwise be visible. Interpreting the CFAA to cover any violation of a website's terms of service would turn those who expose these injustices into criminals. A law that protects wrongdoers at the expense of those seeking to expose injustice only compounds injustice. Clearly, the CFAA has not stood the test of time and needs to be revised. But where do we go from here?

The Road Forward

Prosecutors, and judges as well, must weigh the public good against the harm that was caused. Even actions that run afoul of the CFAA can have strong benefits for society. Since the 2016 elections, a growing number of security researchers have tested election software and the networks it runs on, both with and without the permission of the software vendors. Do we really want to chill their work? There have also been a number of cases where white-hat hackers have broken into the software used by public transit providers, including a group of MIT students who discovered a vulnerability in the fare system used by the Massachusetts Bay Transportation Authority that could be used to defraud the MBTA of fares; the MBTA responded by invoking the CFAA in court to block the students from presenting their findings. Common sense says that many of these cases should never have been prosecuted, or even faced the threat of prosecution, but they have. Hacking is becoming more and more of a concern, which is why we need a law, or set of laws, that protects against its most insidious effects. But the CFAA, or whatever replaces it, must also let sunlight in where it is needed: we cannot fix vulnerabilities or stop discrimination if we don't know where they exist.

Digital Diplomacy

Tech, digital, and innovation, at the intersection with policy, government, and social good.

Written by Adam G.

Data Privacy and Cybersecurity Professional | Attorney | CIPP/US & CIPP/E | Proponent of a Consumer Privacy Bill of Rights
