The Computer Fraud and Abuse Act is Stifling Security and Individual Rights
The word hack has taken on new meaning since the advent of the Internet. Once used to connote a violent, often illegal attempt to gain access to a physical or digital space, the word hack has evolved to incorporate several positive connotations. Hackers locate and disarm computer bugs and viruses. Lifestyle hacks purport to improve our everyday efficiency and make us happier as individuals. Hacktivists use digital town squares to spread messages of social change, including promoting free speech, human rights, and freedom of information, among other political and social agendas. Yet our system of laws has yet to catch up to this myriad of new variations of the word hack, resulting in absurd, often draconian prosecutions of some, while others face no prosecution at all. The law most frequently applied in these prosecutions is the Computer Fraud and Abuse Act (CFAA), a 1986 Federal law that makes it a crime to access a protected computer without authorization or to exceed a user’s authorized access to obtain information. After nearly 30 years, the arbitrariness of the law’s application will finally be adjudicated by the Supreme Court this fall.
Van Buren v. U.S., the CFAA case that the Supreme Court will adjudicate, concerns a Georgia police officer, Nathan Van Buren, who was the subject of an FBI sting operation. During the sting operation, Van Buren accessed a government database to determine whether a local exotic dancer was an undercover police officer, in exchange for the promise of receiving an illicit loan. Van Buren was subsequently charged with and convicted of violating the CFAA, as it was determined that his use of the government database exceeded his authorized use. The Supreme Court declined to hear a similar case, United States v. Nosal, in 2017. While Van Buren’s actions were certainly criminal — a police officer should not have unlimited access to government databases, and personal gain and private vendettas are blatant overreach — the CFAA is a poorly constructed and frequently abused statute. The Supreme Court in Van Buren v. U.S., therefore, will need to answer not only whether Van Buren’s act was indeed criminal, but what aim the CFAA should serve in our modern society. The decision likely will not appease any of the stakeholders, as the outdated nature of the CFAA means it is long overdue for a legislative overhaul.
History of the CFAA
The CFAA was intended to cover a very real concern — the lack of existing tort law protecting intangible property. The fear was that a large subset of computer-related crimes would go unpunished simply because the item(s) being stolen were not physical in nature. As with most poorly constructed legislation, the fear being codified into law was not entirely understood by its drafters. In fact, the House Committee Report accompanying the CFAA actually references a movie starring Matthew Broderick as “a realistic representation of the automatic dialing and access capabilities of the personal computer.” The film, WarGames, depicts a teen breaking into a military supercomputer and almost starting World War III. Because of this basic understanding of hacking, the CFAA was written too broadly, and its applications have spilled over into contract law despite its initial intent to deal only with cases having a compelling Federal interest. Amendments to the CFAA in 1989, 1994, 1996, 2001, 2002, and 2008 have further extended the already absurdly broad reach of the CFAA and resulted in a surge of bizarre cases filed under the Act.
Many of the pitfalls of the CFAA could have been prevented. However, the CFAA fails on two key phrases: “protected computer” and “without authorization.” Without a clear definition of either term, Federal prosecutors have erred on the side of over-prosecution rather than under-prosecution. Like Facebook, whose guidelines for moderators have grown from a single sheet to more than 50 pages, the United States Congress failed to foresee how complex adjudicating overbroad terms could be. As a result, “protected computer” has come to mean virtually any computer, including smartphones, tablets, and the like, and “unauthorized access” can be as simple as sharing a Netflix password with a friend. Under these absurdly broad standards, literally anyone could be prosecuted. And where a law can be applied at whim, it is typically applied in a fashion that disproportionately impacts those with less legal protection. Additionally, this over-prosecution has a chilling effect on internet security research and on investigations of discriminatory practices online.
Much of the over-prosecution that has occurred stems from a prosecutorial interpretation of the CFAA under which “protected computer” and “unauthorized access” can be unilaterally defined by the computer owner’s policies for its networks, i.e. a private company can decide whether someone has violated a criminal statute. The Second, Fourth, and Ninth Circuits of the Federal court system have struck down this interpretation; however, other jurisdictions, such as the Eleventh, where United States v. Van Buren originated, still allow this interpretation of the CFAA. Regardless, prosecutors have continued to bring prosecutions even in jurisdictions where the scope of the CFAA has been limited, in hopes of producing plea deals or making examples of those prosecuted. In essence, CFAA prosecutions have become a form of vendetta, both by the Federal Government directly and at the urging of private companies. This type of prosecution is completely anathema to our understanding of justice and must end.
Perhaps the best example of this type of vengeful prosecution is United States v. Swartz, a case that ended only when then 26-year-old Aaron Swartz — a computer prodigy, pioneer of a free and open internet, and co-founder of Reddit — committed suicide. Swartz, who also had a hand in developing standards for RSS, Markdown, and Creative Commons, was prosecuted for setting up a computer to download academic journals from JSTOR, a digital library typically provided free of charge to students and library patrons at numerous universities and organizations, including the Massachusetts Institute of Technology (MIT), where Swartz set up his computer. As Swartz was not a student at MIT, and JSTOR did not allow hundreds of articles to be downloaded from its service at a time, Swartz was clearly in violation of JSTOR’s terms of service, but 11 violations of the CFAA and a possible 50-year jail sentence are also clearly disproportionate to the offense. Swartz was acting as a hacktivist (as he believed in a free and open internet), was downloading materials that were already freely available to hundreds of thousands of individuals, and was accessing information that was neither sensitive nor personally identifiable. JSTOR, and by proxy the Federal prosecutor, sought to hold Swartz out as an example.
Ironically, Swartz has become an example: an example of what is wrong with the CFAA. A bill titled “Aaron’s Law” in 2013 sought to revise the CFAA to exclude terms-of-service violations from its application. The bill stalled in committee, and again in 2015 when it was reintroduced. In a similar case, United States v. Matthew Keys, Keys, a journalist, was prosecuted and sentenced for sharing a password of the Tribune Company, his former employer. The login credentials were used by a third party to deface an article on the company’s website. The defacement of the page was live for less than 40 minutes, and yet Keys faced 25 years in prison; he was eventually sentenced to two years. In United States v. Sergey Aleynikov, Aleynikov, a former Goldman Sachs employee, was twice prosecuted for taking source code with him on a USB thumb drive when he left the employ of Goldman. After numerous appeals over a seven-year period, he was eventually sentenced to time served. These types of prosecutions are a waste of government resources and time.
Security Research and Exposing Discriminatory Practices
What the CFAA could not envision is that private companies would actually pay hackers to hack into their own systems. Known as white hat hackers, these hackers’ and security researchers’ jobs are to expose network vulnerabilities. As the CFAA is a Federal statute, private companies, while having the ability to report suspected violations of the CFAA, do not have the corresponding power to contractually offer immunity to hackers and security researchers. As such, white hat hackers can be, and have been, prosecuted for literally doing their jobs. Bug bounties, a less formalized way of paying white hat hackers to discover vulnerabilities, offer an additional set of challenges. Those who pursue bug bounties do not have any contract with the companies they are hacking. As such, whether they receive reward money or are subjected to the CFAA rests on how receptive the company they hacked is to receiving the news that its network and computer systems are vulnerable. In fact, this exact scenario played out in the Equifax data breach. Equifax had been warned six months prior to the breach by a security researcher and failed to act. However, the security researcher could not sound the alarm publicly, as he otherwise risked facing prosecution and a lengthy jail sentence.
Hacking is also used to expose discriminatory practices that companies would surely be reluctant to admit occur. Journalists have used web scraping to unveil conditions at Chicago’s prisons, to identify doctors who continued to practice after being caught sexually abusing patients, and to uncover unlawful discriminatory practices at companies such as the Princeton Review and Airbnb. Many of these violations would not have been found if not for web scraping, as the massive data collection that web scraping enables allows for pattern recognition that would not have been possible otherwise. Interpreting the CFAA to include any violation of website terms would turn those who expose these injustices into criminals. A law that protects wrongdoers at the expense of those seeking to expose injustice only further promotes injustice. Clearly, the CFAA has not stood the test of time and needs to be revised. But where do we go from here?
The Road Forward
The simple fix to the CFAA is to not apply it to mere violations of website terms of service. This would protect those who either intentionally or unintentionally violate these rules to uncover security vulnerabilities or discriminatory practices. However, this would not protect all white hat hackers and activists, since some operate outside legal norms to uncover vulnerabilities and injustices. A more fitting approach would be to limit the CFAA to specific types of hacks and/or specific industries. Most privacy laws in the United States are industry specific — i.e. HIPAA and Gramm-Leach-Bliley — so it would make sense for the CFAA to cover only industries and data that are already protected by privacy laws. The counterargument would be that the CFAA would then not protect against stolen items that hold a monetary value, i.e. a song or video, but of course we have the Digital Millennium Copyright Act to protect against this, and if the items in question are not copyrighted or not copyrightable, then a company still has civil recourse.
Prosecutors must also weigh the public good against the harm that was caused, as must judges. Even actions that run afoul of the CFAA can have strong benefits to society. Since the 2016 elections there has been a rise in security experts testing election software and the networks it operates on, both with the permission of the software vendors and without. Do we really want to chill the work of these researchers? There have also been a number of cases where white hat hackers have broken into the software used by public transport providers, including a group of MIT students who discovered a vulnerability in the software used by the Massachusetts Bay Transit Authority that could be used to defraud the MBTA of transit fees. Common sense would say that many of these cases should not have been prosecuted, or even faced the threat of prosecution, but they have. Hacking is becoming more and more of a concern, which is why we need a law or set of laws that protects against its most insidious effects. But the CFAA, or whatever replaces it, must also promote sunshine when it is necessary; we cannot protect against vulnerabilities or stop discrimination if we don’t know where they exist.