October 23, 2018

Administration Policy On Enforcing the CFAA Should Change

Almost exactly one year ago, Senator Wyden of Oregon and Rep. Lofgren of California introduced “Aaron’s Law” in response to the death of Internet activist and co-founder of reddit Aaron Swartz. He committed suicide in January of 2013 at age 26, while under indictment for violating the Computer Fraud and Abuse Act (CFAA) for downloading research materials from an academic website. The publicity in the aftermath of the suicide highlighted many of the problems with the CFAA, which has been on the books since 1984 and has grown from a narrowly circumscribed law against computer hacking into a law that, under the federal government’s understanding, turns breaching a terms of service computer agreement into a felony. Yet despite this harsh criticism, Congress has not amended the CFAA, reportedly because of opposition by one or more technology companies. Accordingly, it is time for the Obama Department of Justice to declare that it will no longer seek to prosecute individuals for simply violating a terms of service agreement.

The CFAA was first enacted in 1984 and was quite narrow in scope. The original intent was to prosecute individuals who broke into a computer system and stole valuable data or maliciously caused damage. Since then, however, Congress has amended the CFAA numerous times and not only significantly broadened its scope, but also added a private cause of action. The current version of the CFAA contains seven major provisions that create liability for different types of computer misuse or harm. In addition, the penalties for violating the CFAA have been significantly increased. Misdemeanors have become felonies, two-year felonies have become five-year felonies and so on.

What has been the subject of intense scrutiny since Swartz’s death is the CFAA’s broadest provision, 18 U.S.C. § 1030(a)(2)(C), which makes it a crime to “exceed authorized access, and thereby obtain … information from any protected computer.” The Justice Department has taken the position that “exceeds authorized access” includes violating terms of service policies that are included with nearly all software and Internet services today. As Judge Kozinski of the Ninth Circuit has noted, “minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer use policies, although employees are seldom disciplined for occasional use of work computers for personal computers. Nevertheless, under the [government’s] broad interpretation of the CFAA, such minor dalliances would become federal crimes.” United States v. Nosal, 676 F.3d 854, 859 (9th Cir. 2012).

Most people would probably admit that they never read those pages of fine print and simply “clicked here” when installing new software on their computer or accessing a new website. However, despite this social norm, the Department of Justice continues to take the position that a user’s breach of terms of service may be a violation of section 1030(a)(2) of the CFAA. For example, in a highly publicized case, the government charged a MySpace user with a crime for having breached MySpace’s Terms of Service. However, in United States v. Drew, 259 F.R.D. 449, 28 ILR 215 (C.D. Cal. 2009), the U.S. District Court for the Central District of California acquitted the defendant of her misdemeanor conviction for violating section 1030(a)(2), finding that a conviction based solely on a defendant’s intentional violation of a website’s terms of service would violate the void-for-vagueness doctrine. That doctrine requires a penal statute to define the criminal offense with sufficient definiteness that ordinary people can understand what conduct is prohibited and in a manner that does not encourage arbitrary and discriminatory enforcement. Since breaches of contract are not ordinarily the subject of criminal prosecution, an individual would not be on notice that a breach could be a crime.

In Swartz’s instance, the government charged that he had obtained illegal access to the JSTOR database with the intent to “liberate” the academic journals stored there and to allow everyone to have access to the journals in the database. JSTOR is an organization that sells universities, libraries, and publishers access to a database of over 1,000 academic journals. Before being caught, he succeeded in downloading a major portion of JSTOR’s database.

Since it is the government’s stated position that breaching the terms of service may constitute a crime under the CFAA, what is it that prevents the federal government from charging a violation almost anytime? The simple answer is that the government does not have the resources to pursue minor cases. But do most Americans really want to leave it for the government to decide what constitutes a “minor case”? Americans want a “government of laws, not men.” After the indictment of Aaron Swartz and the more recent spying by the NSA, giving the government the benefit of the doubt no longer seems to be quite so appealing.

So what should be done? Congress should revise the CFAA so that an individual who breaches a terms of service agreement is not subject to criminal prosecution, or at a minimum should not be subject to felony penalties as required by the current version of the CFAA. Congress should make clear that the CFAA is intended to address true computer hacking and not individuals who simply breach a term of service that they may or may not have read. Only people who actually break into computers by circumventing technical restrictions should be criminally prosecuted. Congress should also recognize that simply increasing the penalty provisions of the CFAA is unlikely to deter computer crime but is more likely to result in unjustly harsh treatment of individual defendants. While it seems clear to many people that a fresh legal approach to computer crime is necessary, it is almost impossible to believe that Congress will actually act. Putting aside certain technology industry resistance to amending the CFAA, the odds of getting the greatest do-nothing Congress in history to act seem farfetched, especially since over a year has passed since Swartz’s death. If nothing happened in its immediate aftermath, it is not going to happen now.

So what can be done? Attorney General Holder should announce a change of administration policy so that breaches of terms of service agreements by themselves will no longer be considered criminal. This understanding would be consistent with holdings in the Fourth and Ninth Circuits that the CFAA does not reach the mere misuse of employer information or violations of company use policies. See WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199 (4th Cir. 2012); United States v. Nosal, 676 F.3d 854 (9th Cir. 2012). As noted by the en banc Nosal court, the government approach “would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime.” Nosal, 676 F.3d at 859. Moreover, this approach would be consistent with the common law rule of lenity that provides that ambiguous criminal laws should be construed in favor of the defendant.

President Obama has recently shown that where Congress refuses to act or simply does not act, he is willing to do so when he believes that it is the right thing to do. Here there is no doubt that the Computer Fraud and Abuse Act is overbroad in a way that turns ordinary Americans into felons. Congress has, not surprisingly, abdicated its responsibility by not amending the CFAA in the year since the introduction of Aaron’s Law. President Obama should not abdicate his responsibility by letting more time pass before making clear that the Department of Justice will not prosecute individuals whose only “crime” is to breach a terms of service agreement.
