Future Tense

The Hacking Law That Can’t Hack It

The five cases that show how the frustrating and confusing 30-year-old Computer Fraud and Abuse Act is.

Computer Fraud and Abuse Act anniversary.
The Computer Fraud and Abuse Act was enacted in 1986 at a time when computer networks were largely confined to universities and military institutions.

shironosov/Thinkstock

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. On Thursday, Sept. 29, Future Tense and New America’s Open Technology Institute will host a lunchtime event in Washington, D.C., on the legacy of the Computer Fraud and Abuse Act. For more information and to RSVP, visit the New America website.

At first glance, the cases of Robert Morris Jr. and Lori Drew have nothing in common except the internet. Morris was a 22-year-old graduate student in computer science at Cornell University in the fall of 1988 when he released a worm he had designed to replicate itself across network computers by exploiting security vulnerabilities in common email and directory software. His code spread faster and more frequently than he anticipated, crashing a significant number of machines on the early internet and causing thousands of dollars in damage.

Lori Drew was a 47-year-old housewife living in O’Fallon, Missouri, in the fall of 2006 when she set up a MySpace profile for a fictitious 16-year-old boy named Josh Evans and began using it to send flirtatious messages to 13-year-old Megan Meier, a former classmate of Drew’s daughter. A few weeks later, “Josh” sent Megan some messages with a decidedly different tone: “You are a bad person and everybody hates you. Have a shitty rest of your life. The world would be a better place without you.” Later that day, Meier hanged herself in her bedroom closet—and Drew deleted the MySpace profile for Evans.

On Jan. 22, 1990, a jury in Syracuse, New York, found Morris guilty of violating the Computer Fraud and Abuse Act—the first time a jury had ever convicted anyone of breaking that law. On Nov. 26, 2008, a Los Angeles jury found Drew guilty of breaking the same law, raising a perplexing question: What, exactly, does this law make it illegal to do online?

The very different cases of Drew and Morris illustrate some of the deep confusion and conflicts about the Computer Fraud and Abuse Act, enacted in 1986—at a time when computer networks were largely confined to universities and military institutions. What that law means today, in a world of ubiquitous smartphones and personal computers where we rely on the internet for a million routine everyday tasks from chatting with friends to ordering food, is less clear than ever before. “Since the CFAA was passed the amount of conduct it can apply to has grown much larger just because of the rise of computers,” said Kendra Albert, who works on CFAA cases at Zeitgeist Law.

Legend has it that the Computer Fraud and Abuse Act was born of the blockbuster 1983 movie WarGames, in which the young Matthew Broderick guesses a programmer’s password and gets access to what he believes is a computer game but is actually—you guessed it—the military computer system that launches real nuclear weapons.* The true moral of the movie is that you shouldn’t use your children’s names as passwords, but Congress drew a different lesson from it and began drafting a broad piece of legislation against computer crimes. (It even showed a four-minute clip of the movie at a 1983 congressional hearing to help illustrate the threat.) It would go on to become one of the most controversial, confusing, and inconsistently interpreted laws in the country.

Former New Jersey Rep. William J. Hughes, who introduced the CFAA in April 1986, doesn’t remember WarGames, or any other specific incident, playing a significant role in the law’s drafting or passage. What he remembers is a forward-looking Congress trying to write legislation that would help address future problems. “We were attempting to anticipate the problems that surely would evolve over time,” Hughes said during a recent interview. “We had statutes that dealt with breaking and entering homes and taking valuables,” so Congress wanted a parallel law to deal with “breaking into computers and taking information.”

The parallel that Congress came up with was accessing a computer “without authorization” or “exceeding authorized access” to a computer. The CFAA, like many laws, includes a list of definitions of many terms referenced in the law, including “computer,” “financial institution,” and “person.” Not included on that list are any definitions of either “access” or “authorization,” despite the fact that both terms are central to what the law prohibits. “It was pretty obvious what those words meant,” Hughes said of the decision not to define them.

But it has turned out to be not at all obvious what it means to access a computer, much less what it means to do so without authorization or in excess of authorization. Many people—and many courts—interpreted these terms in a variety of different ways, giving rise to some tremendously inconsistent and bewilderingly contradictory rulings, as well as significant criticism and concern about the law’s unintended consequences.

Morris, for instance, appealed his conviction, arguing that since he was a student who had permission to use the computers at several universities, he had been authorized to access the computers at the Massachusetts Institute of Technology that he used to release his worm. But in March 1991 the 2nd U.S. Circuit Court of Appeals upheld the conviction, determining that Morris’ access was, in fact, unauthorized because he did not use email or the user directory “in any way related to their intended function. He did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers,” Judge Jon Newman wrote in the ruling. This suggested a fairly technical and relatively narrow definition of unauthorized access: Using software for the function intended by its designers is kosher, according to the Morris ruling, but finding vulnerabilities in that software and exploiting them to do something else is not. There’s a certain logic to this distinction but it raises a question central to criticism of the CFAA: Do we really want to discourage bright computer science minds from discovering and testing security vulnerabilities in the software and devices we rely on constantly?

We’d certainly like to discourage mothers from tormenting their children’s classmates, but even so, Drew did use MySpace for its intended function—that is, creating profiles, posting photos, chatting with other users. She didn’t steal anyone else’s credentials and certainly didn’t discover or exploit any vulnerabilities in the site’s code. Still, when she went to trial in 2008 prosecutors charged that her use of MySpace was unauthorized because the Terms of Service at the time—one of those long agreements that you click through and agree to without reading—stipulated that users must not provide information on their profiles that they “know is false or misleading.” In creating a profile for a fake person, with false information, Drew had violated that Terms of Service agreement with MySpace, making her access to MySpace “unauthorized” and therefore illegal under the CFAA.

Then, in August 2009, District Judge George Wu overturned Drew’s conviction. If Terms of Service violations constituted unauthorized access under the CFAA, it “would result in transforming section [the law] into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent internet users into misdemeanant criminals,” Wu wrote. Indeed, what Drew had done—violated a website’s Terms of Service agreement—was something that just about every single person online has done at one point or another (including Meier, who was 13, in violation of the MySpace Terms of Service requirement that users be at least 14.)

The Morris and Drew cases epitomize, in many ways, the central conflicting ideas about what the CFAA means: One camp broadly interprets the CFAA to include computer-based behavior that violates any rule, whether that rule has been written in English (like the Terms of Service agreement in the Drew case) or built into the technical architecture of the computer system (like the email and directory programs in the Morris case). This camp believes we should be defining computer crimes broadly and punishing violators severely to send a clear message.

The other camp believes that the crimes covered by the CFAA should be more narrowly defined and punished less harshly. It generally shares Wu’s concerns about allowing individual website operators and software vendors to dictate what is and isn’t legal to do online. Otherwise, they argue, the statute makes criminals of us all, punishes offenders disproportionately for their actions, and risks deterring people from undertaking important security research. Therefore, according to this argument, an action should only be considered illegal hacking under the CFAA if it violates the second type of rules: the technically embedded rules encoded in software. This distinction—whether the rule was written in English or in the software—is critical to the debate surrounding the law today.

The first camp has been winning. The CFAA has gotten steadily broader and more punitive since President Reagan signed it into law on Oct. 16, 1986. Congress has amended it several times in the intervening years to apply to more computers and include harsher penalties. But in recent years, the tide seemed to be turning, as a few landmark court decisions seemed to indicate that judges might be embracing narrower interpretations of CFAA. This movement gained momentum following the January 2013 suicide of Aaron Swartz, who was charged under the CFAA for downloading millions of academic articles from the JSTOR library and faced up to 35 years in prison if convicted. Following his death, a set of new CFAA reforms, nicknamed “Aaron’s Law,” were introduced in Congress to more clearly define the law and dial back the penalties. But this summer, as we neared the 30th anniversary of the law’s signing, the 9th U.S. Circuit Court of Appeals decided two CFAA cases that seemed to support broader interpretations of what constitutes illegal hacking and who is guilty of it. Meanwhile, Aaron’s Law remains stalled in committee.

The second camp—the camp in favor of narrower interpretation—received perhaps its strongest and most influential endorsement in April 2012, in a ruling issued by the 9th Circuit and authored by Chief Judge Alex Kozinski in a case brought against David Nosal, a former employee at executive search firm Korn/Ferry. After Nosal left the company, he recruited some other employees to help him start a competing search firm and persuaded them to download proprietary Korn/Ferry data to share with him, in violation of a company policy against disclosing confidential information. In violating that Korn/Ferry policy, the government charged, Nosal and his friends exceeded their authorization to use the company’s computer systems. In Florida, the 11th Circuit U.S. Court of Appeals upheld a conviction in a very similar case against a Social Security Administration employee named Roberto Rodriguez—who used his access to the SSA database for nonbusiness reasons to look up personal information about 17 people, including his ex-wife, an ex-girlfriend, a former co-worker, and several women he met at a Unitarian Universalist church study group.

But the 9th Circuit disagreed with the 11th Circuit when it came to deciding whether employees who violated their employers’ computer rules were guilty of CFAA violations. The Kozinski ruling makes for fascinating reading (it includes a lengthy discussion of the meaning of the word “so” in the context of the CFAA), but it ultimately sides with Nosal for reasons reminiscent of Wu’s in the Drew case. Interpreting the CFAA to apply only to violations of technical rules, not written ones, is a “more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere,” Kozinski wrote.

The 2012 ruling in the Nosal case seemed at first like it might strike a definitive blow for the advocates of narrow CFAA interpretations. A few months later, across the country from the 9th Circuit, prosecutors in Massachusetts were working on the case against Aaron Swartz. Swartz, who helped develop RSS and co-founded Reddit, was initially charged in July 2011 under the CFAA for downloading millions of JSTOR academic articles using the open network at MIT. But in a superseding indictment filed in September 2012, every reference to access in excess of authorization was deleted from the charges against Swartz, likely because the Nosal ruling had so narrowly defined what constituted “exceeding authorization.” That wasn’t the only change the prosecutors made to Swartz’s indictment: They also increased the charges, from four felonies to 13, allowing for a maximum sentence of 35 years in prison and a $1 million fine. In January 2013, Swartz killed himself, drawing national attention to his case, the vagaries of the CFAA, and the significant looming potential penalties.

In June 2013, Oregon Sen. Ron Wyden and California Rep. Zoe Lofgren introduced the “Aaron’s Law” reforms to the CFAA, which included reforming the penalties and defining unauthorized access as the circumvention of technical or physical controls, conclusively ruling out interpretations of the law that viewed violations of written Terms of Service or acceptable use agreements as unauthorized access. Aaron’s Law was most recently reintroduced in April 2015 but has not been passed by Congress. (Despite the name, it’s not clear that these reforms would have protected Swartz from being charged if they were in effect at the time of his arrest. Even under a relatively narrow reading of the CFAA, Swartz could be said to have circumvented technical controls when he evaded the blocks on his computer’s IP and MAC addresses that had been put in place by JSTOR and MIT to restrict his continued downloading activity.) Aaron’s Law faced tremendous opposition from major tech companies, most notably Oracle—which, Vice reported, spent $1.5 million per quarter on average lobbying against Aaron’s Law in 2013.

Meanwhile, proponents of broad CFAA interpretations seemed to be regaining ground this summer, when a three-judge panel of the 9th Circuit issued a ruling in July about a case brought by Facebook against a company called Power Ventures and its founder, Steven Vachani.

In 2008, Vachani ran a website, Power.com, that aggregated users’ contacts from their social media accounts. To do this, users were asked for their Facebook login credentials so that Power Ventures could gather information from their Facebook accounts and also send Facebook messages on their behalf to other users.

On Dec. 1, 2008, Facebook blocked Power.com’s IP address and sent a cease-and-desist letter to Power Ventures, warning the company that it was violating Facebook’s Terms of Service. Power Ventures simply changed its IP address and continued accessing Facebook accounts, prompting Facebook to bring charges under the CFAA. The case made its way to the 9th Circuit—the court that a mere four years earlier had determined in the Nosal case that the CFAA only applied to circumvention of technical controls. But this time a three-judge panel ruled in Facebook’s favor. The cease-and-desist letter—a written notification, not a technical control—effectively served to render Power Ventures’ access to Facebook unauthorized, according to the decision by Judge Susan Graber, simply because “after receiving the cease and desist letter from Facebook, Power intentionally accessed Facebook’s computers knowing that it was not authorized to do so.”

This summer, the 9th Circuit also revisited the Nosal case, which didn’t go away after the 2012 ruling. Prosecutors decided to try a slightly different tack to go after him again, this time charging him for his involvement in using a shared password provided by a Korn/Ferry employee to access confidential information. In July, a three-judge panel from the 9th Circuit voted 2–1 in favor of the government, issuing a ruling that many viewed as a blow to those who are wary of decisions that would seem to make criminals out of millions of online users who share Netflix or New York Times passwords. Peculiarly, the majority opinion, written by Circuit Judge M. Margaret McKeown, explicitly dismisses such arguments as “hypotheticals about the dire consequences of criminalizing password sharing.” But it also makes no effort whatsoever to define or restrict the circumstances under which password-sharing is illegal.

Without these sorts of clear guidelines, many fear that the decisions about who to charge under the CFAA for commonplace activities like password sharing and Terms of Service violations will be left entirely up to prosecutors. It’s a fear that Kozinski tackled head-on in the first Nosal ruling, referencing the Lori Drew case as evidence that prosecutors are wont to take advantage of broad interpretations of the CFAA to go after particular people. “The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations,” Kozinski wrote. “But we shouldn’t have to live at the mercy of our local prosecutor.”

* * *

Former Rep. William Hughes, who introduced the initial bill so many years ago, looks at the landscape of increasingly high-profile and public cybersecurity breaches and worries that the CFAA hasn’t gone far enough. “The statute has become increasingly important and essential in protecting property,” Hughes said. “I suspect that we may have to go back and broaden the statute even more to make sure that we’re catching everything and everyone we should be.”

CFAA opponents, meanwhile, look at the confusing history of rulings and stalled reform efforts and conclude just the opposite: that the law is badly in need of narrower definitions, gentler punishments, and clearer exceptions carved out for security researchers. Four professors who conduct research on algorithmic bias filed a complaint against the CFAA this summer alleging that the restrictions imposed by the CFAA, at least according to some of its interpretations, prevent them from being able to study things such as how algorithms might discriminate against certain groups of people applying for jobs or using services like Uber and AirBnB. To study how different people are sorted, ranked or otherwise treated by algorithms, it’s helpful to be able to create a lot of fake profiles—and also to be able to scrape the data from a site, both actions that may violate the Terms of Service agreements provided by many websites.

Even the proposed reforms that aim to ensure the CFAA applies only to the circumvention of technical and physical controls would leave many open questions for courts to resolve. For instance, if you change your IP address (something both Power Ventures and Swartz did), have you circumvented a technical control, even though doing so is hardly more difficult than setting up a fake MySpace profile? After all, lots of people change their IP addresses on a regular basis for reasons ranging from privacy to convenience. Or should hacking charges only be brought against people who attempt technical maneuvers more sophisticated than those the general population is familiar with? And even if the CFAA was limited to more technologically sophisticated activities, that still wouldn’t help security researchers, many of whom are, like Morris, explicitly looking for technical vulnerabilities in their work.

Maybe the only thing most people agree on about the CFAA is that it has not noticeably helped protect anyone against cybercrimes. To some that’s a sign that it’s not punitive and broad enough to catch all the criminals it should. Others argue it’s instead due to the international nature of online threats, the difficulty of conclusively identifying a perpetrator, and the way the CFAA deters important lines of security research. Maybe the entire breaking-and-entering analogy that Hughes and his congressional colleagues relied on more than 30 years ago has become problematic. “We have embraced a particular metaphor for how we think about hacking and it might be worth thinking about whether we think that’s still the right metaphor,” said Kendra Albert. “This model is all property-based: It focuses on what kinds of access you’re allowed and whether you can go somewhere—and when I talk to computer security researchers I don’t think most of them think about websites or even networks from a property perspective.”

In the meantime, at the age of 30, the CFAA is a living testament to the considerable challenges of trying to regulate new and emerging technologies, of trying to write laws to regulate a space where, fundamentally, some of the activities we want to encourage among the good guys—finding new vulnerabilities in computer systems, testing the security of software and devices—are largely indistinguishable from the activities that we want to discourage when undertaken by the bad guys. Congress set out in the 1980s with only the vaguest notions of what computer technology would become and how we would use it a few decades later. But say what you will about the CFAA: Thirty years later, it’s rather astonishing—on so many levels—that it’s still standing at all.

*Correction, Sept. 27, 2016: This article originally misstated that Matthew Broderick’s character guessed a dead programmer’s password. The programmer was not dead. (Return.)