In 1986, back in the days of briefcase-sized cellphones and book-sized Walkman Personal Stereos, Congress passed the Computer Fraud and Abuse Act to protect privacy and infrastructure in a new technological age. The legislation was intended to target computer crimes—like unauthorized access to networks, theft of computer software, and internet fraud. But 30 years later, it’s woefully out of date and written in a way that leaves a lot of room for interpretation, creating confusion about what’s legal and what’s not. And that confusion itself leaves us more vulnerable.
On Sept. 29, Future Tense—a partnership of Slate, New America, and Arizona State University—and New America’s Open Technology Institute “celebrated” the 30th anniversary of the CFAA by convening experts in Washington, D.C. During the lunchtime conversation, the speakers discussed the challenges our courts face when trying to interpret the law. As it stands, the law follows a trespass model—just as it’s illegal to break into someone else’s home, it is illegal to gain unauthorized access to someone else’s computer. But as courts throughout the country have learned, this metaphor can only go so far when you’re dealing with crimes that exceed unauthorized access and theft and extend to internet fraud. As a result, the law fails to clearly and consistently dictate what is and is not a crime. And if the law can be interpreted so broadly that we’re all walking around with a crime on us, who is to say when to prosecute?
If you’re like most people, you probably first heard about the CFAA when it was used to prosecute Aaron Swartz, an American computer programmer and activist, for using MIT’s computer network to download millions of academic articles from the not-for-profit digital library JSTOR. Justin Peters, Slate correspondent and author of The Idealist: Aaron Swartz and the Rise of Free Culture on the Internet, said that Swartz’s case might not best exemplify the problems with the CFAA. But his 2012 suicide drew attention to the fact that the law has not kept up with the ways internet culture has changed since 1986.
For example: Password sharing is incredibly common. But doing so often goes against the terms of service that so many of us blithely click on without reading. As it stands, there is confusion over whether violations of these agreements should be charged under the law—it’s entirely up to prosecutors.
According to Orin Kerr, Fred C. Stevenson research professor of law at George Washington University, the law often runs into trouble when it comes to cases about access and access without authorization. Kerr noted that circuit court rulings currently conflict over what it means to “exceed authorized access.” In some courts, judges are taking narrow interpretations of the law, while other court decisions are so broad they seemingly make it a federal crime to use someone else’s password, even with permission.
Robyn Greene, policy counsel and government affairs lead at New America's Open Technology Institute, said that because the Supreme Court has not resolved the questions raised by the CFAA, lower courts are left with a great deal of legal uncertainty. This is especially troubling because it threatens people who are trying to detect vulnerabilities in our computer networks not to cause harm, but to improve security.
This issue is of particular interest to Josephine Wolff, a New America fellow and assistant professor of public policy at the Rochester Institute of Technology. Wolff, who spends her days teaching cybersecurity law and policy to security majors, pointed out that the early stages of looking for vulnerabilities in code look almost identical to the beginning stages of a crime. Wolff suggested that possible solutions might include making security researchers a designated protected group or developing a disclosure process for researchers to report vulnerabilities without risk of prosecution. “The stronger [the CFAA] is, the more security research you deter, the more unsafe the computing environment is for everybody,” Wolff said.