A Short History of U.S. Internet Legislation: The Computer Fraud & Abuse Act
For this final post on the history of U.S. Internet regulation, we need to look at one of the broadest pieces of cybersecurity policy out there – broad enough to hit just about anybody in the world. The Computer Fraud and Abuse Act (CFAA) of 1984 and its increasingly liberal interpretation have led to a state of affairs in which most U.S Internet users — you and me included — could be considered felons.
Technology is changing far faster than any government could hope to keep up. One of the many challenges of setting cybersecurity policy is that if you set requirements that are technical in nature into the law they will be outdated by the time they are passed. The law can’t be prescriptive when it comes to cybersecurity, so it ends up turning to broad generalization.
The Computer Fraud and Abuse Act is one of those laws that succumbs to broad generalization. The CFAA was written in 1984 to attempt to legally protect the computers of the federal government and certain financial institutions. Over the years the law has been amended and expanded from covering this small class of protected computers to covering every server, computer and cell phone that has the capacity to operate in an “inter-state” capacity (pretty much everything connected to the Internet). The CFAA has become a big bucket into which lawmakers have successfully been able to throw all their concerns about Internet-based security, fraud, hacking, piracy, DOS attacks, trafficking in passwords, distributing malicious code and general lawlessness on the Internet.
Most controversial in the CFAA is its vague language that allows prosecutors to treat the violation of an Internet site’s Terms of Service as a criminal act. In essence, the law deputizes anybody who sells anything on the Internet and writes a Terms of Service to guide its use. Because lawmakers can’t keep up with the innovation of networks much less network abuse, CFAA makes it simple: if you don’t you do what network providers tell you to do, you are breaking the law. And because lawmakers take cybercrime very seriously, the penalties imposed on people charged with abuses under CFAA can be quite Draconian.
Admittedly, there is a need to prosecute those who would seek to misuse Internet resources for malicious purposes, but should posting your incorrect height or weight on eHarmony or your incorrect age on your Facebook profile be interpreted as criminal CFAA violations? After all, these actions violate each site’s Terms of Service in the 2.i. No False Information and 4.1. Registration and Account Security respectively.
ServInt has called for CFAA reform before through its work with i2Coalition and opposes CFAA liability for violating a ToS. There are better ways to combat online crime than to create traps that have the potential of making all of us criminals.
If you’re looking for a more real-world example of the overreaching power of the CFAA, look no further than the story of Internet activist Aaron Swartz, who took his own life in the face of a lengthy CFAA sentence after taking possession of millions of academic journal articles from a database called JSTOR using MIT’s network and released them to the public. He did this, not for personal profit, but as an act of civil disobedience, in protest of this information — that was meant to be free to the public — being accessible only behind pay sites.
Aaron was a brief acquaintance of mine while we were both on the front lines fighting against PIPA and SOPA becoming law. There were a whole series of groups trying their best to coordinate efforts, including the group Aaron helped found, Demand Progress, and the one I helped found, Save Hosting Coalition. Our job was to magnify the collective message to be greater than what any one group could do. Aaron worked tirelessly to “keep score” – figuring out which legislator was leaning which way on the vote. A lot has been said about Aaron this year, but I want to take the time to say as well that it was an honor to work with him on that important project.
I bring Aaron up because in many ways he has become the face of CFAA reform. That’s because many believe if Aaron’s trial had gone to final verdict the case would have rested on CFAA’s provision criminalizing the violation a ToS. But a Terms of Service is a contract, not a law. A breach of contract is a civil matter, and should not be criminalized, let alone subject to up to $1 million in fines and 35 years in prison.
The CFAA is badly in need of updating — but then again so are most of these laws I have talked about throughout this series. The Internet is still in its infancy, and it has tremendous potential for both good and ill. What is yet to come is what we make of it, which is why ServInt and I fight for positive Internet legislation through our efforts with i2Coalition. It’s why we, as a responsible Internet company, don’t just complain about Internet consumer issues we don’t like — we lobby our government and express our grievances, and we take the time to educate and build relationships with lawmakers in hopes that doing so will drive us toward smarter Internet policies, and away from bad ones. The one thing I can assure you is that the best — and worst — Internet laws are yet to be written and passed. The important thing is to stay educated, stay engaged, and work with providers who are fighting for you.
Photo by DonkeyHotey