The Computer Fraud and Abuse Act (CFAA) has been around for more than three decades, although it has been amended over the years. It remains the most prominent US law in place to prevent cybercrime, and has been used in many and varied cases across the country.
The law is designed primarily to target hackers who access computers to steal information. However, it has been used in other situations. It’s a hugely controversial law that has come under scrutiny for being open to interpretation and carrying unfair penalties.
In this post, we explain the CFAA, what it’s used for, and problems with its implementation. We’ll also provide examples of real cases in which the law has been used to prosecute cybercriminals.
The origins of the Computer Fraud and Abuse Act
The gist of the CFAA is that it prohibits accessing a computer without authorization, or in excess of authorization. Aside from obvious situations like hacking into someone’s account, it also criminalizes certain computer-related acts, such as denial-of-service attacks and malware distribution.
The first real law put in place to address computer crime was Section 1030 of the Comprehensive Crime Control Act of 1984. This law was reportedly brought about in reaction to the movie WarGames and other hype and concern around computer-related crimes at the time. In the movie, a young man accidentally starts World War III by accessing a US military supercomputer. In its report, the House Committee deemed this “a realistic representation of the automatic dialing and access capabilities of the personal computer.”
As the first of its kind, the original law was narrow in scope, and only addressed the limited use of computers at the time, hence the need for later amendment. The US Computer Fraud and Abuse Act (CFAA) was implemented in 1986 as an amendment to the original Section 1030. Since its implementation, the CFAA has been amended several times, but it still has many issues and suffers a lot of criticism.
Problems with the CFAA
The CFAA has come under much scrutiny over the years, partly because it’s so vague, and also because of the almost unlimited penalties perpetrators face.
The major problem lies in the language used in the law, which is subject to broad interpretation. It prohibits accessing a computer “without authorization” or by “exceeding authorized access,” but it doesn’t define what “authorization” is.
Additionally, the law governs “protected computers,” which are described as “computers used in or affecting interstate or foreign commerce and computers used by the federal government and financial institutions.” Basically all computers could fall under one of these categories, with the right interpretation.
Plus, it talks about “obtaining information,” which could cover anything from loading a web page to accessing top-secret documents.
According to Tor Ekeland, a defense attorney, “It’s a poorly written statute that doesn’t effectively define the main thing it seeks to prohibit. There are ambiguities surrounding that definition that allow prosecutors wide latitude to bring charges under theories that shock computer people in the infosec community.” He goes on to compare the paranoia about hackers to hysteria about witchcraft.
Criminalizing everyday activities
Because it’s so open to interpretation, any one of us could potentially be breaking the law on a daily basis. For example, it has been debated whether or not using Facebook at work (when it’s against company policy) is a violation of the CFAA. Even lying about your age on a website that has an age restriction could be considered a punishable offense. In fact, doing anything that’s against any terms of service online could be considered a violation. This means that, under the law, you could theoretically face fines and jail time for these purported crimes.
Aside from criminalizing some everyday actions of the general public, the law makes it difficult for many people to do their jobs. For example, security researchers could risk being charged under the CFAA for testing password strength and researching security flaws.
A violation of the CFAA can be deemed a felony, carrying fines and a prison sentence of up to ten years. But say, for example, you violate a website’s terms of service and access it numerous times. This could be viewed as multiple violations of the law, each carrying a separate maximum term. While it sounds unlikely, there have been cases in which prosecutors have used this to request huge penalties against people who fall foul of the law.
One of the most prominent cases involving the CFAA was that of Aaron Swartz, a well-known computer programmer, entrepreneur, and hacktivist. He was charged in 2011 under the CFAA and other laws. His crime? Bulk-downloading journal articles from JSTOR (a scholarly database), using a computer hidden in an MIT closet. He faced a potential 35-year prison sentence and hefty fines. Unfortunately, he died by suicide in 2013 while trying to reach a plea deal.
This case drew much attention because of the seemingly wildly unfair potential penalty. Plus, it remains unclear exactly what he was planning to do with the almost 5 million articles he downloaded. Whatever the intent, critics of the case argue that the crime did not fit the penalty whatsoever.
As a result of his case, Aaron’s Law was proposed to amend the CFAA, specifically the section that relates to terms of service violations. However, even though the amendment has many proponents, it has been stalled several times and has not actually passed.
Other examples of cases involving the CFAA
As mentioned, this law has been used in many cases to prosecute cybercriminals. Here are just a few examples:
- The Morris Worm: The first known worm to wreak havoc on internet-connected computers was the Morris Worm, developed by a “curious” graduate student, Robert Morris. He was one of the first people to be convicted under the CFAA. He was charged with a felony, but managed to avoid a prison sentence.
- TJX hacker: Albert Gonzalez wasn’t so lucky and ended up with a 20-year prison sentence issued in 2010. His intent proved to be far more malicious, as he headed a gang of cyberthieves who stole more than 90 million debit and credit card numbers from various retailers, including TJX.
- Reuters journalist: Matthew Keys was handed a two-year prison sentence in 2016 after being convicted under the CFAA. He was accused of sharing credentials that led to another party defacing a headline on the LA Times website. This resulted in financial losses to the parent company, Tribune Media. Although his sentence ended up being two years, the maximum he faced was 25 years. This lengthy maximum term highlights one of the major issues with the law.
- Fake Myspace account: Lori Drew was convicted under the CFAA after she cyberbullied one of her teenage daughter’s enemies. The bullied girl committed suicide after Drew used a fake Myspace account to contact her. Creating the fake account violated the company’s terms of service, which enabled prosecutors to charge her under the CFAA. While the conviction was eventually vacated, the case shows how open to interpretation the law is.
As you can see, this isn’t a law to be blasé about, and with prosecutors interpreting it as they wish, it could spell big trouble for anyone on the wrong side of it.