Anti-Hacking Law Criminalizes Most Computer Users, Former Prosecutor Says

The nation’s premier anti-hacking law poses a threat to the civil liberties of millions of Americans who use computers and the internet and could lead to the arrest and prosecution of many users who violate the law on a regular basis, says a former federal prosecutor who wants the Computer Fraud and Abuse Act revised.

“In the Justice Department’s view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable,” says Orin Kerr, George Washington University law professor and a former federal prosecutor in the Justice Department’s Computer Crime and Intellectual Property Section in the Criminal Division.

Currently, the law punishes anyone who “intentionally … exceeds authorized access, and thereby obtains information from any protected computer.”

Kerr is testifying on Tuesday before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security, and is asking Congress to amend the law to narrow how prosecutors can interpret what it means to exceed authorized access on a computer.

When the legislation was first enacted in the 1980s, it specifically targeted computer hacking and other computer misuse, Kerr argues in a written version of the testimony (.pdf) he plans to give. But since then, Congress has broadened the statute significantly four times, expanding the law’s reach and rendering it “unconstitutionally vague.”

The law as it currently stands allows prosecutors to criminally prosecute users for violating an internet service provider’s terms of service agreement, something that would normally be a breach of contract issue handled in civil court rather than through criminal prosecution.

In 2008, federal prosecutors used this exact interpretation of the CFAA when they charged Missouri resident Lori Drew under the law in order to punish her for her role in a cyberbullying incident that led a teenage girl to commit suicide.

Prosecutors argued that Drew was guilty under the CFAA for violating MySpace’s terms-of-service agreement in setting up a fraudulent account that was used to bully the teenage girl. The government argued that violating MySpace’s terms of service was the legal equivalent of computer hacking.

Drew was convicted on misdemeanor charges, but a judge subsequently threw out the verdict on grounds that the CFAA was unconstitutionally vague and that upholding the verdict would set a precedent for anyone who breaches similar contracts to be criminally prosecuted.

Kerr was part of Drew’s defense team as pro-bono co-counsel.

Prosecutors also used the CFAA last year to charge a ring of online ticket brokers who wrote a script to circumvent CAPTCHA challenges used by Ticketmaster and other ticket vendors to detect and slow down computers attempting to purchase large numbers of tickets.

Prosecutors asserted that bypassing CAPTCHA constituted unauthorized access of ticket-seller servers. U.S. District Judge Katharine S. Hayden allowed the case to proceed, saying, “The Court is satisfied that the indictment sufficiently alleges the elements of unauthorized access and exceeding authorized access under the CFAA, and sufficiently alleges conduct demonstrating defendants’ knowledge and intent to gain unauthorized access.”

The defendants ultimately pleaded guilty to one count of conspiracy to commit wire fraud and hacking.

In arguing that the statute needs to be revised, Kerr is calling on Congress to follow the Senate’s lead. The Senate Judiciary Committee recently approved an amendment to a pending bill that would limit the interpretation of exceeding authorized access under the CFAA. Per the amendment, it would “not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.”

Kerr says this would still allow prosecutors to pursue cases against government employees for misusing sensitive government databases, but would not sweep in an entire class of other people for merely violating a contractual agreement with a web site or their ISP.