CFAA: Where the computer security law is broken

analysis
Apr 10, 2013

CFAA would allow frivolous prosecutions and stiffer penalties, while damping invention and free speech, opponents say

Educators and activists representing a swath of organizations and institutions — from the Electronic Frontier Foundation to George Washington University — took to Reddit Tuesday in an Ask Me Anything interview, seeking to educate the public about the controversial CFAA (Computer Fraud and Abuse Act) and to push for reform.

“We are here to discuss the [CFAA] which we are striving to reform, and under which Aaron Swartz, Andrew Auernheimer (weev), and others have been prosecuted and which potentially makes felons out of millions of Americans by criminalizing website terms of service violations,” the participants explained.

Spawned in 1984, the CFAA was intended to reduce cracking of computer systems and to address federal computer-related offenses. Critics of the law have long decried it as excessively overreaching. Following Swartz’s suicide earlier this year, lawmakers pledged to fix the law. However, the draft legislation that since emerged would expand it by raising the penalties for some hacking-related crimes and expanding activities covered by the statute.

The participants in yesterday’s Reddit AMA laid out their case as to why the CFAA needs reform in the opposite direction: “We hail from across the political spectrum and we have somewhat divergent opinions about what the ideal CFAA would look like. But we all agree that the CFAA allows law enforcement to engage in frivolous prosecutions and/or to seek penalties that are severely disproportionate to alleged offenses — and that this stifles innovation and speech and must be fixed.”

The reform proponents fielded dozens of questions about the law, its flaws, what sort of reforms they advocated, and how the public could get involved. The following are excerpts from the discussion on Reddit.

On what CFAA is and why it needs reform

Orin Kerr, professor of law at George Washington University:

The CFAA was enacted … to punish computer hacking. But Congress has broadened the law every few years, and today it extends far beyond hacking. The law now criminalizes computer use that “exceeds authorized access” to any computer.

The problem is that a lot of routine computer use can exceed “authorized access.” Courts are still struggling to interpret this language. But the Justice Department believes that it applies incredibly broadly to include “terms of use” violations and breaches of workplace computer-use policies.

Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer? If interpreted this way, the law gives computer owners the power to criminalize any computer use they don’t like. Imagine the Republican Party setting up a public website and announcing that no Democrats can visit. Every Democrat who checked out the site could be a criminal for exceeding authorized access.

On what changes proponents of CFAA reform would like to see

Mark Jaycox, policy analyst and legislative assistant for EFF:

We want to reform a vague, overly expansive law that was originally intended to only deal with malicious computer trespass of a very small subset of computers. The law has been used in an aggressive manner by the DOJ, which believes that violating a terms of service should be punishable under the CFAA.

We’re trying to:

  • Make sure the CFAA doesn’t criminalize simple terms of service violations
  • Make sure that security researchers, engineers, and innovators can create add-ons, new products, and new services without the threat of a criminal prosecution
  • Decrease some of the penalties in the law so that low-level offenses aren’t punished by an overbearing heavy-handed regime

On how the CFAA would affect civil forfeiture provisions

Ryan Radia, associate director of technology studies at Competitive Enterprise Institute (CEI):

The proposed civil forfeiture provisions are indeed troubling. Currently, “[a]ny property, real or personal, which constitutes or is derived from proceeds traceable to a violation of [the CFAA]” is subject to civil forfeiture. But the CFAA discussion draft would expand this to include “[a]ny property … used, or intended to be used, to commit or facilitate the commission of [a CFAA violation].” This means your computer could be seized if you access a website in violation of its ToS, even if the government doesn’t even charge (let alone convict) you of any crime.

On the best way to sway Congress to reform CFAA

Mark Jaycox, EFF:

You can tweet your representative, email them, and call them. Right now it’s about raising a lot of noise so that Senators and Representatives know that users want them to make common-sense changes to the CFAA.

Josh Levy, Internet campaign director at Free Press:

Really the best, most effective way to get Congress’ attention is to call their offices. Just 40-50 calls a day into an office is way more effective than 10x that number in emails.

On what else people can do to push for CFAA reform

David Segal, executive director of Demand Progress:

If you’re in school, look at your university’s policies. If you want to affect state or federal legislation, the most powerful thing is to organize a bunch of constituents to visit your lawmaker or go to a town hall meeting to force them to recognize that there’s a constituency that cares about these issues. The SOPA effort made that pretty apparent to lots of people, but it’s imperative to have a sustained, organized defense of the Internet and free speech issues — memories fade fast.

Mark Jaycox, EFF:

If you work for a company, you can also try to start the conversation about supporting CFAA reform. We recently put up a blog post encouraging engineers to do this. And if you run or have founded a startup or other small business, we have a letter for you to sign on expressing your company’s support for reforming the CFAA.

On how to convince the public (and politicians) that CFAA reform is necessary

Orin Kerr, George Washington University:

I think people get that it’s a problem if their own routine conduct is a federal crime. Everyone visits websites; everyone violates terms of service. My sense is that even politicians realize something is very wrong if their own routine Internet use is somehow declared a federal crime.

On corporate involvement in CFAA

Taren Stinebrickner-Kauffman, executive director and founder of SumOfUs:

One of the interesting things about bad U.S. laws is that they’re generally written and lobbied for by multinational corporations — corporations that everyone in the world has a relationship with and power over. … Some of the biggest opposition to CFAA reform is coming from corporations — like Oracle and Microsoft. And almost no other big tech companies are in favor of the changes, even though they should be. So, you should write/call/lobby the tech companies you feel you have a relationship with (Facebook, Google, Oracle, Microsoft… really any of them) and push them to take a public stance in favor of Aaron’s Law.

On how to sustain “free-Internet” activism

David Segal, Demand Progress:

I think that we need huge moments like SOPA to galvanize activists and scare politicians and make them recognize that Internet/free speech advocates are an important constituency. In practice though it’s going to be hard to do that more than pretty rarely: SOPA antagonized basically everybody except for Hollywood/RIAA/etc, including the platforms. Most issues — even those that are bad for Internet users — don’t manage to do all of that. So whenever we have the chance to mobilize the platforms we should do it, because it won’t come around too frequently. And when it does happen it scares the hell out of politicians and creates myriad new activists who will be willing to stand with us on issues like CISPA, etc.

In general I don’t know how to engage in successful long-term activism except to ask people to stay vigilant. The other side wins when they succeed at wearing us down, when we fail to spring into action because of fatigue.

This article, “CFAA: Where the computer security law is broken,” was originally published at InfoWorld.com.