The Computer Fraud and Abuse Act (CFAA) is a well-meaning law that is hopelessly overbroad. It starts from an unobjectionable premise—there ought to be a law that makes it a crime to hack into someone else’s computer without their permission—but it has gone off the rails.
The policy prescriptions to fix it offered by the trio of Senators Chuck Grassley (R–IA), Al Franken (D–MN), and Mike Lee (R–UT) are far superior to the competing effort being advanced by Senator Patrick Leahy (D–VT), chairman of the Senate Judiciary Committee.
The problem begins with the language of the CFAA (18 U.S.C. § 1030), which makes it a crime to access a computer “without” or “in excess” of “authorization.” In some ways, both of these make sense, especially if you substitute the word permission for the legal term “authorization.” If I haven’t given you permission to use my computer at all, or if I have given it to you only for a limited purpose, and you go rooting around in my cyber-files, that’s something that clearly ought to be punished.
But how do we determine what the limits of your “authorization” are? Since the term is not defined in the law, the courts have looked to contractual agreements that govern the use of a computer or Internet system. These agreements are known as the “Terms of Service” or “ToS.” They are those long, detailed legal terms that everyone clicks on to “accept” before they sign up for, say, a Facebook account.
But, as a diverse group of concerned groups recently pointed out, this means that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies.
And those polices are often very broad. For example, many companies limit your use of the Internet for personal purposes. Spending excessive time checking your fantasy football team roster is probably a bad idea, but it shouldn’t be a federal crime. We told the story of another abuse in the Heritage book One Nation Under Arrest about how Lori Drew was prosecuted for violating the MySpace rules against using a pseudonym—again, a really bad idea, but not a federal offense.
Senators Grassley, Franken, and Lee take a better approach. They simply say that the CFAA can’t be used to prosecute contractual violations. Violations of a contact should be left to contract law and the civil arena, not federal criminal court.
Senator Leahy’s amendment is more complicated. As Professor Orin Kerr points out, it sets a monetary threshold, allowing prosecution if the act “involves” more than $5,000. But it doesn’t say what “involve” means. Worse, the amendment allows the prosecution of ToS violations involving certain categories of information (trade secrets, for example), but those categories are hopelessly overbroad and, in effect, swallow the entire fix.
When the issue comes up for consideration later this week, the better solution would be to let the civil law deal with civil matters and not rely on federal criminal law for contract disputes.