The Computer Fraud and Abuse Act was originally introduced in 1984 to reduce the cracking of computer systems owned by financial institutions and the government; nearly 30 years and seven amendments later, the law is regarded by many lawyers and academics as overly “expansive” and “sweeping,” as it lets the government incarcerate “any Internet user they want,” according to former federal prosecutor Orin Kerr.
“The Computer Fraud and Abuse Act is the most outrageous criminal law you’ve never heard of,” said Tim Wu, of the New Yorker. “It bans ‘unauthorized access’ of computers, but no one really knows what those words mean.”
Despite the dangerous reach of the Computer Fraud and Abuse Act as it currently stands (it was the same law used by prosecutors to torment late Internet activist Aaron Swartz prior to his suicide on Jan. 11), the House Judiciary Committee has actually proposed a number of expansions to the law in a new draft, which Techdirt says will be “rushed” to Congress during its “cyber week” in the middle of April.
You can read the proposed Computer Fraud and Abuse Act draft in its entirety here.
Among the many additions, the new CFAA draft expands the number of ways a person could be found guilty by punishing anyone who “conspires to commit” violations in the same way as those who have already “completed” the offense. It also adds computer crimes as a form of “racketeering activity,” to allow the Department of Justice to hit computer criminals with further charges in court. And once you’re found guilty, the new CFAA endorses more severe punishments by raising the maximum sentences available for certain violations.
Here’s an example of the extreme nature of these recommended punishments: Aaron Swartz, who illegally tapped into and downloaded millions of scholarly papers from digital journal archive JSTOR while visiting the Massachusetts Institute of Technology, faced four charges under section (a)(4) of the CFAA, with a maximum sentence of five years per charge, for a possible total of 20 years in jail. While many lawyers and experts have recommended reducing these penalties or removing them entirely, the new draft actually increases the maximum for each charge under (a)(4) to 20 years, which means Swartz could have been forced to serve a whopping 80 years in prison. NYU law professor James Grimmelmann on Monday called this notion “simply obscene.”
But what’s perhaps most troubling is how the new CFAA bill actually expands the law to include accessing information for an “impermissible purpose,” which means even if you have the right to access the information in the first place, it’s still considered a crime if someone deems you are misusing your access in some way.
According to Kerr, a law expert, the language in the new CFAA would make it a felony to “lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions,” or if you violate the Terms of Service on a government website.
“In short, this is a step backward, not a step forward,” Kerr said. “This is a proposal to give DOJ what it wants, not to amend the CFAA in a way that would narrow it.”
The Electronic Frontier Foundation is tackling the Computer Fraud and Abuse Act with its own proposals to the legislature, which include eliminating duplicative penalties and reducing computer crimes from felonies to misdemeanors. The organization also offers ways to contact your congressman about fixing the CFAA.