House Judiciary Hearing on Investigating and Prosecuting Cyber Threats: CFAA - ~pj Updated
Wednesday, March 13 2013 @ 02:01 PM EDT

Today, the House Judiciary Committee's Subcommittee on Crime, Terrorism, Homeland Security and Investigations held a hearing to discuss "Investigating and Prosecuting 21st Century Cyber Threats". Of course, the Computer Fraud and Abuse Act took center stage.

I know this interests many of you because of the Aaron Swartz case. So here's the video of the entire hearing, including the testimony of Orin Kerr, which begins at around the 52:11 mark. His written testimony is here [PDF]. He's been trying to get reforms of the CFAA for many years. And EFF has materials on what you can do, should you choose to, here.

Other witnesses were Jenny Durkan, Department of Justice - (her written testimony is here [PDF]); John Boles, Federal Bureau of Investigation - (written testimony here [PDF]); and Robert Holleyman, BSA, The Software Alliance - (written testimony here [PDF]).

In Kerr's written testimony, he writes: "The CFAA is essentially a computer trespass statute. It prohibits trespassing on to a computer much like a trespass statute punishes trespassing onto physical land." That's exactly the problem. Let's think about physical land.

The law is that you can't have a picnic on my lawn without my permission, even if you clean up everything perfectly afterward and there's no resulting damage. But isn't there a big difference between having a picnic on my lawn, annoying as that might be to me, and coming on to my property to break in to my house and steal my possessions? In physical space, the law in fact does make that distinction. In cyberspace, it doesn't currently do a good job of that. No one would consider it possible that having a picnic on someone's lawn would land you in jail for 35 years as a convicted felon.

As Kerr explains just how broad the CFAA is, he notes that parts of the law apply to everyday computer use by every one of us:

The CFAA contains a number of different crimes, but the best way to understand the statute is to focus on its broadest section, 18 U.S.C. § 1030(a)(2)(C). This provision punishes whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” We can break this federal crime into its three elements as follows:

(1) Intentionally accesses a computer without authorization or exceeds authorized access

(2) Obtains information

(3) From a protected computer

Critically, elements (2) and (3) will be satisfied in most instances of routine computer usage. Element (2), the requirement that a person “obtains information,” is satisfied by merely observing information. See, e.g., United States v. Tolliver, 2009 WL 2342639 (E.D. Pa. 2009) (citing S. Rep. No. 99-432 at 2484 (1986)). The statute does not require that the information be valuable or private. Any information of any kind is enough. Routine and entirely innocent conduct such as visiting a website, clicking on a hyperlink, or opening an e-mail generally will suffice.

Element (3) is easily satisfied because almost everything with a microchip counts as a protected computer. The device doesn’t need to be what most people think of as a “computer,” and it doesn’t need to be connected to the Internet....

Given that many everyday items include electronic data processors, the definition might plausibly include everything from many children’s toys to some of today’s toasters and coffeemakers.

The statutory requirement that the computer must be a “protected” computer does not provide an additional limit. In 2008, Congress amended the definition of “protected” computer to include any computer “used in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2)(B). In federal law, regulation that “affects interstate or foreign commerce” is a term of art: It means that the regulation shall extend as far as the Commerce Clause allows. See Russell v. United States, 471 U.S. 858, 849 (1985). Under the aggregation principle of Gonzales v. Raich, 545 U.S. 1 (2005), this appears to include all computers, period. As a result, every computer is a “protected” computer.

Because elements (2) and (3) are so extraordinarily broad, liability for federal crimes under 18 U.S.C. § 1030(a)(2)(C) hinges largely on the first element: What does it mean to access a computer without authorization or to exceed authorized access? Unfortunately, courts have not settled on clear answers to these questions. The terms “access” and “without authorization” are not defined by the CFAA. The phrase “exceeds authorized access” is a defined term, but the definition is largely circular. That phrase is defined in 18 U.S.C. § 1030(e)(6):

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.

Under this definition, conduct exceeds authorization if it exceeds entitlement. But this merely restates the problem: What determines entitlement? Unfortunately, the statute doesn’t say. Because these key phrases are either undefined or defined poorly, judicial interpretations of “access without authorization” and “exceeds authorization” are surprisingly murky.

And that's the problem. Courts don't agree on what the vague statute means. Prosecutors get to define the terms to fit the situation, as they view it. And that means, subject to review by the courts, if they want to get you, you're going to get got. And if they bully you into a plea bargain whereby you plead guilty to something you don't think you are guilty of, it's worse. Well, maybe not worse on the total arc. Aaron Swartz believed he wasn't guilty, so he wouldn't plead guilty to felonies, and now he's dead.

Kerr urges Congress to act:

I urge Congress to expressly adopt the Nosal rule. The CFAA should only apply to those who circumvent technological access barriers. The law should apply only to those who break in to computers – to use the common term, it should apply only to “hackers.” In my view, this is the best reading of existing law. Further, Congress should expressly codify it to make clear the appropriate scope of the CFAA.

Here's the Nosal ruling, which blocked the prosecutor's definition of where the CFAA applied (in the Ninth Circuit).

Two things I'd like to state about Kerr's wording:

  • Breaking in and breaking in to do damage or steal are not the same in physical space, although both are against the law. And penalties are not the same. It should be the same in cyberspace. In times past, young men tinkered with their cars and learned that way. Nowadays, they play with computers, and "breaking in" sometimes happens in that context, sometimes inadvertently. So there should be a distinction between that kind of thing and some criminal group breaking in to steal people's private information. Because if you put every computer tinkerer in jail, you will make it impossible for young people to really understand computers, and then when Chinese and Russian, et al bad guys show up, no one in the US will know what to do about it to block. They clearly don't know now, judging by results. So keep research needs in mind. I truly believe more thought needs to be given to this bad effect that the CFAA has caused. Research is dangerous, and that needs to change. The US needs its brainiac coders.

  • Hacker is a word being misused. The correct term, if we are going to try to fix laws to be less vague, is cracker. Hacking is a term that traditionally means things done to improve some code, to make it do something you need it to do and finding a cool, better way. Cracking is when you do it with a malevolent purpose. One of the problems with the law currently is that it uses the term for both, and that vagueness in definitions leads to punishing the wrong people or punishing the right people excessively for minor incidents. As long as you are fixing the CFAA, why not *really* fix it so that those potentially covered by the law at least know precisely -- and in advance -- where the line is that they can't cross? For example, define your terms so precisely that people really do know, not only those the law is directed at but prosecutors as well, what the line is, so people aren't accused of hacking, or more accurately cracking, if they figure out a url extension. That low-hanging fruit is easy to prosecute, and it may be too tempting for prosecutors to go after, just because it adds to success numbers.

[ Update: Here's the latest news regarding the Aaron Swartz prosecution. It's disturbing. His lawyers are now accusing prosecutor Steven Heymann of misconduct for withholding exculpatory evidence and more. And Swartz is being honored with this year's James Madison Freedom of Information Award.]

But what if we don't prosecute terms of use violations? What then? The real question should be, what if we do? We then allow private entities to define federal criminal law. Kerr:

To be sure, there are some situations in which people do very bad things that happen to involve a violation of a written access restriction. If an individual commits a crime and happens to violate Terms of Service along the way, then the individual should be prosecuted for the crime committed. But the CFAA should not be a catch-all statute that always gives the federal government another ground on which to charge a wrongdoer who violated some other crime that happened to involve a computer.

The problem with a broader approach is that it inevitably ends up covering a great deal of innocent activity. Consider a few examples:

A. A political blog announces a new rule that readers only are allowed to visit the blog if they plan to vote Republican in the next Presidential election. A reader who plans to vote for the Democratic nominee visits the blog in violation of the rule.

B. A law student who is forbidden by law school policy to access the law school network during class intentionally violates the rule by checking his e-mail during a particularly boring lecture.

C. You receive an e-mail from a friend that a new website,, has some incredible pictures posted that you must see. But there’s a catch: The Terms of Service of the website clearly and unambiguously say that no one is allowed to visit the website. You want to see the pictures anyway and visit the website from your home Internet connection.

If violating an express condition on computer usage is a crime, then all three of the individuals in these scenarios above have committed a federal offense. Such a law would be intolerable because Terms of Service are essentially arbitrary. Anyone can set up a website and announce whatever Terms of Use they like.

Perhaps the Terms of Use will declare that only people who have been to Alaska can visit the website; or only people named “Frank” can visit. Under the Justice Department’s interpretation of the statute, all of these Terms of Use can be criminally enforced.

It is true that the statute requires that the exceeding of authorized access be “intentional,” but this is a very modest requirement because the element itself is so easily satisfied. Presumably, any user who knows that the Terms of Use exist, and who intends to do the conduct that violated the Term of Use, will have “intentionally” exceeded authorized access.

I do not see any serious argument why such conduct should be criminal. Computer owners and operators are free to place contractual restrictions on the use of their computers.

If they believe that users have entered into a binding contract with them, and the users have violated the contract, the owners and operators can sue in state court under a breach of contract theory. But breaching a contract should not be a federal crime.

The fact that persons have violated an express term on computer usage simply says nothing about whether their conduct is harmful and culpable enough to justify criminal punishment.

There may be cases in which harmful conduct happens to violate Terms of Use, and if so, those individuals should be punished under criminal statutes specifically prohibiting that harmful conduct. But the act of violating Terms of Service alone should not be criminalized....

A final reason to focus attention on CFAA reform is that the statute will only become more important over time. Every year, the American public uses computers for more hours and for more tasks. The recent public uproar over the tragic death of Internet activist Aaron Swartz has brought new attention to the scope of the CFAA. Swartz was facing felony charges under the CFAA, and many believe that those charges show that the CFAA is overly broad and overly punitive. See, e.g., Lessig on 'Aaron's Laws - Law and Justice in a Digital Age', available at But whether inspired by recent events or simply by the need to address the scope of a statute that has become ever more important in our Internet age, Congress should take this opportunity to revisit the CFAA to make sure that it both provides appropriate tools for law enforcement but does not end up prohibiting innocent activity.

Here's what the DOJ's representative, US Attorney Jenny S. Durkan, had to say in her written testimony [PDF] about the CFAA:

As the threat increases and evolves, so must our legal tools to combat the threat. In May 2011, as part of the Administration’s Cybersecurity Proposal, the Department proposed some needed, moderate updates to the computer crime laws.1 These proposals were also explored in testimony before this committee in November, 2012.2 We continue to believe that many of these proposals would enhance our ability to combat cyber threats, including:
  • A proposal to update the Racketeering Influenced and Corrupt Organizations Act (“RICO”) to make the Computer Fraud and Abuse Act (“CFAA”) offenses subject to RICO. The CFAA is the primary statute used to prosecute hacking crimes. Computer technology has become a key tool of organized crime. Indeed, criminal organizations are operating today around the world to: hack into public and private computer systems, including systems key to national security and defense; hijack computers for the purpose of stealing identity and financial information; extort lawful businesses with threats to disrupt computers; and commit a range of other cybercrimes. Many of these criminal organizations are similarly tied to traditional Asian and Eastern European organized crime organizations.

  • A proposal to clarify and update the forfeiture provision of the CFAA. This proposal would allow for civil forfeiture and clarify the rules governing criminal forfeiture under the statute.

  • A proposal to update the CFAA’s sentencing provisions. The goal of these changes is to eliminate overly complex, confusing provisions; simplify the sentencing scheme; and enhance penalties in certain areas where the statutory maximums no longer reflect the severity of these crimes. For example, 18 U.S.C. § 1030(a)(4) prohibits unauthorized access to a computer in the course of committing a fraud, such as where a hacker breaks into a database and steals 100,000 credit card numbers, but the maximum sentence is five years in prison. Because criminals can obtain many millions of dollars through fraud, other federal fraud crimes -- such as section 1343 (Wire Fraud) -- have maximum penalties of 20 years in prison. This disparity makes little sense. These changes will empower federal judges to appropriately punish offenders who commit extremely serious crimes, ones that result in widespread damage, or both. Judges would still, of course, make sentencing decisions on a case-by-case basis.

    1 See computer-security.pdf.

    2 See

That case-by-case part is the problem, if you think about it. They can throw the book at you if they feel like it, and there's no advance warning. And does this mean they'd have been able to take Aaron Swartz's bank account and all his computers and domains too?

Oh, they don't mean people like *him*, you may say. No? They defined what he downloaded as being worth millions, which is preposterous. He wasn't leading some Romanian criminal gang, after all. If I trespass on your lawn for a picnic, you don't get to confiscate my house and throw me into jail for life. Why should computer space be any different?

Do you see why vagueness in a law plus broad prosecutorial discretion can be dangerous?

Here's what the FBI written testimony reads like:

We see four malicious primary actors in the cyber world: foreign intelligence services, terrorist groups, organized crime enterprises, and hacktivists....

Hacktivist groups such as Anonymous and LulzSec are pioneering their own forms of digital anarchy by illegally accessing computers or networks for a variety of reasons including politically or socially motivated goals.

In physical space, are protests for political or socially motivated goals punished in the same way as they are in cyberspace? If not, why not? Has anyone taken the time to figure out how people can protest online without criminal sanctions? Maybe it's time to figure that out, now that everyone lives online. Where do you go, and how do you hold up a protest sign outside a company headquarters online, as you can in physical space? Is it not legally possible anywhere online? I'd like that spelled out in the law too, actually, so people know where the proper line is. Part of any proper legal system is letting people have advance warning as to what is not allowed, so they can avoid it. And if the answer is nowhere online is protest allowed, what have you done to Americans' rights to protest? It's the American way, it always has been, but at the moment, the law doesn't seem to allow for it at all. If you post some protest message on a website, is that the same under the law as stealing someone's credit card info? Should it be?


Corrections Thread
Authored by: swmech on Wednesday, March 13 2013 @ 02:50 PM EDT
Please summarize in the Title box error->correction or

"A little gentleness goes only a short way. Ladle it out generously, and often,
when you can." (Walter Slovotsky)


Off Topic Threads
Authored by: swmech on Wednesday, March 13 2013 @ 02:56 PM EDT
Any on-topic posts under this heading will result in PJ
sending Ankylosaurus over to thwack you with his tail.

"A little gentleness goes only a short way. Ladle it out generously, and often,
when you can." (Walter Slovotsky)


News Picks Threads
Authored by: swmech on Wednesday, March 13 2013 @ 03:03 PM EDT
Please type the title of the News Picks article in the Title
box of your comment, and include the link to the article in
HTML Formatted mode for the convenience of the readers after
the article has scrolled off the News Picks sidebar.

"A little gentleness goes only a short way. Ladle it out generously, and often,
when you can." (Walter Slovotsky)


Comes transcripts here
Authored by: swmech on Wednesday, March 13 2013 @ 03:07 PM EDT
Please post your transcriptions of Comes exhibits here with full HTML markup but posted in Plain Old Text mode so PJ can copy and paste it.

See the Comes Tracking Page to find and claim PDF files that still need to be transcribed.

"A little gentleness goes only a short way. Ladle it out generously, and often, when you can." (Walter Slovotsky)


House Judiciary Hearing on Investigating and Prosecuting Cyber Threats: CFAA Video.
Authored by: Anonymous on Wednesday, March 13 2013 @ 03:28 PM EDT
Note: The hearing doesn't start until the 16 minute mark on the linked video.


Thanks for the link to EFF
Authored by: artp on Wednesday, March 13 2013 @ 03:33 PM EDT

I really liked the fact that I could add text to the message being sent to my representative and both senators.

This is part of what I added.

A boilerplate letter follows concerning the CFAA. Let me tell you that since I first started computing in 1974, I would have been liable under the CFAA thousands of times, and my employers would have been greatly handicapped if I had not been able to break encryption, reverse engineer protocols, devise alternate methods of operation, and generally make a shambles of a lot of poorly designed software and hardware in order to MAKE IT WORK! Much of this was not authorized by my employer, and could not have been in many cases because they weren't tech-savvy enough to know what to ask for.

This law makes a very poor assumption that is also very dangerous: that tech companies know what they are doing. In some cases they do. In many others, the pressure to ship and collect money overrides the need of engineers to make it work right. This law enshrines poor design and bad management decisions and criminalizes any attempt to route around them.

I have seen a lot of bad decisions made in laws concerning tech. If you would like some help from a practitioner in the field, I am willing to provide whatever perspective I can. I have worked for Iowa-based companies and Fortune 100 companies. I have been employed as a Data Center Manager, a consultant, a system administrator in large scale systems, a project manager and a computing FDA Validation Manager. I was invited to be on a 9 person worldwide team within [*company*] to set operational standards for the UNIX (Internet technology) operating system. I brought the first production use of UNIX online in [*company*] worldwide.

Vitae available on request.

My contact information followed.

If we don't offer them help to figure out the tech, then we will continue to get bad laws. I have no idea if any of them will take me up on it, or how much weight my viewpoint might carry against other resources they might consult, but what have I got to lose?

Userfriendly on WGA server outage:
When you're chained to an oar you don't think you should go down when the galley sinks ?


Authored by: Anonymous on Wednesday, March 13 2013 @ 03:55 PM EDT
Hacking is altering the hardware or software of a device to enable it to perform
a function it could not do before the change. Hacking often involves a hacksaw
and a soldering iron. From Make: Magazine - "If you can't open it, you
don't own it"

Hacking is taking control of a device that you own to perform your purposes.
There is nothing sinister about hacking, unless you are Sony, or Apple.

-- Alma


House Judiciary Hearing on Investigating and Prosecuting Cyber Threats: CFAA
Authored by: Anonymous on Wednesday, March 13 2013 @ 04:30 PM EDT
Something that I have never seen in any laws are examples of
how the law should be applied. Perhaps that would focus the
intent of the law instead of letting half-baked prosecutors
make up a bunch of half-baked charges that may or may not
make sense to the reasonable man.


The law is that you can't have a picnic on my lawn without my permission
Authored by: Anonymous on Wednesday, March 13 2013 @ 05:21 PM EDT
"The law is that you can't have a picnic on my lawn without my
permission" Not quite that simple, which makes it an interesting case.
Can't depends on the jurisdiction. In some US states, if I haven't posted the
lawn with no trespassing signs, haven't fenced it, and haven't improved it, you
may be able to have a picnic there. In a right to roam jurisdiction in Europe
you may have a right to have a picnic on my lawn.

If your lawn is unfenced, unposted, wide open (and it isn't clear how much is
your lawn and how much is in a public right of way), then there is a situation
very similar to your visiting a public website (and, say, traversing it by
typing in the names of likely pages or directories in the url bar of a web
browser). If your lawn is fenced and posted, that's a lot like an exposed ssh
service with an issue message behind it that warns unauthorized users - and
access to that issue message by brute forcing usernames and passwords.

The analogy of picnic on the lawn or kicking in your door and having a picnic in
your living room with what constitutes unauthorized access sounds like a
potentially fruitful one.


Clean slate -- dirty hands
Authored by: BJ on Wednesday, March 13 2013 @ 06:14 PM EDT

Hi, I'm Fred K.
Opening up my neighbor's vacuum cleaner landed me in jail.
We both didn't realize it contained a processor.
This sucks.


House Judiciary Hearing on Investigating and Prosecuting Cyber Threats: CFAA - ~pj Updated
Authored by: Anonymous on Thursday, March 14 2013 @ 02:15 PM EDT
I don't believe that 'without authorization' or 'exceeds
authorization' are unclear at all. Using just a slight bit
of common sense anyone over the age of five should be able
to figure it out. They mean going someplace you're not
invited or free to go, taking or using something that is not
yours without the permission of the owner.

Using your property analogy you seem to be saying that if I
leave the door to my house unlocked, then anybody is free to
come and go as they please. Or worse, if I happen to burn the
popcorn and open the door to air out the inside, then I'm
actually inviting the public to come into my house.

Just because you find an open door, or an unlocked one, does
not mean you have permission to be there. Even in places
like a mall or grocery store, there are public areas as well
as private ones. You're free to shop, but not to go in the
manager's office, even if his door is unlocked.

As far as the difference between just looking and taking, if
someone were to enter my home, unknowingly, they would have
access to things like bank statements, credit card
statements and possibly my driver's license and social
security number. Even if I caught them, I'd have no way of
knowing if they copied that information for later

The same is true for accessing a computer, true there are
tools that can tell you if and when somebody has accessed
the data, but now you're putting the burden on the owner to
not only have a door, close the door, lock the door, but to
have continuous surveillance on every square inch of the
property in case someone 'unauthorized' breaks in, so you
can prove they looked at confidential information.

That's the reverse of how it should work. It's my data, if I
want you to see it or make a copy of it, I will put it in a
public location where all are free to access it. If I want
to keep it private I will put it behind a door, a locked
door, in most cases. Anyone savvy enough to use tools to get
around, over, under or through the door (or locks) is also
intelligent enough to know that it's wrong, and that they
are not 'authorized' to be there. If they were authorized,
they would not need the tools to get there.

Just like I should not be required to put up razor wire,
watch towers and guard dogs to let people know that they are
not free to enter my home, I should not need to invest
several thousand to several million to put a bunker around
my data.


"Because if you put every computer tinkerer in jail,"
Authored by: 351-4V on Friday, March 15 2013 @ 10:03 AM EDT
You'll have a large number of skilled computer technicians to perform your

These laws have been intentionally written to allow and enable exactly
this kind of prosecutorial misconduct. They target a person known to be skilled
in the art of computer hacking, charge them with as many "crimes" as they
possibly can and then offer the accused a plea deal whereby the accused must
"cooperate" in the future by performing services at the request of the

The people that are engaging in the misconduct don't for a second
care about any long repercussions of their actions. All they care about is
having a body capable of performing the dirty deeds that they have in mind


Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License.