Today, the House Judiciary Committee's Subcommittee on Crime, Terrorism, Homeland Security and Investigations held a hearing to discuss "Investigating and Prosecuting 21st Century Cyber Threats". Of course, the Computer Fraud and Abuse Act took center stage.
I know this interests many of you because of the Aaron Swartz case. So here's the video of the entire hearing, including the testimony of Orin Kerr, which begins at around the 52:11 mark. His written testimony is here [PDF]. He's been trying to get reforms of the CFAA for many years. And EFF has materials on what you can do, should you choose to, here.
Other witnesses were:
- Department of Justice - (her written testimony is here [PDF]);
- Federal Bureau of Investigation - (written testimony here [PDF]); and
- BSA, The Software Alliance - (written testimony here [PDF]).
In Kerr's written testimony, he writes: "The CFAA is essentially a computer trespass statute. It prohibits trespassing on to a computer much like a trespass statute punishes trespassing onto physical land." That's exactly the problem. Let's think about physical land.
The law is that you can't have a picnic on my lawn without my permission, even if you clean up everything perfectly afterward and there's no resulting damage. But isn't there a big difference between having a picnic on my lawn, annoying as that might be to me, and coming on to my property to break in to my house and steal my possessions? In physical space, the law in fact does make that distinction. In cyberspace, it doesn't currently do a good job of that. No one would consider it possible that having a picnic on someone's lawn would land you in jail for 35 years as a convicted felon.
As Kerr explains just how broad the CFAA is, he notes that parts of the law apply to everyday computer use by every one of us:
The CFAA contains a number of different crimes, but the best way to understand the statute is to focus on its broadest section, 18 U.S.C. § 1030(a)(2)(C). This provision punishes whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” We can break this federal crime into its three elements as follows:
(1) Intentionally accesses a computer without authorization or exceeds authorized access
(2) Obtains information
(3) From a protected computer
Critically, elements (2) and (3) will be satisfied in most instances of routine computer usage. Element (2), the requirement that a person “obtains information,” is satisfied by merely observing information. See, e.g., United States v. Tolliver, 2009 WL 2342639 (E.D. Pa. 2009) (citing S. Rep. No. 99-432 at 2484 (1986)). The statute does not require that the information be valuable or private. Any information of any kind is enough. Routine and entirely innocent conduct such as visiting a website, clicking on a hyperlink, or opening an e-mail generally will suffice.
Element (3) is easily satisfied because almost everything with a microchip counts as a protected computer. The device doesn’t need to be what most people think of as a “computer,” and it doesn’t need to be connected to the Internet....
Given that many everyday items include electronic data processors, the definition might plausibly include everything from many children’s toys to some of today’s toasters and coffeemakers.
The statutory requirement that the computer must be a “protected” computer does not provide an additional limit. In 2008, Congress amended the definition of “protected” computer to include any computer “used in or affecting interstate or foreign commerce or communication.” 18 U.S.C. § 1030(e)(2)(B). In federal law, regulation that “affects interstate or foreign commerce” is a term of art: It means that the regulation shall extend as far as the Commerce Clause allows. See Russell v. United States, 471 U.S. 858, 849 (1985). Under the aggregation principle of Gonzales v. Raich, 545 U.S. 1 (2005), this appears to include all computers, period. As a result, every computer is a “protected” computer.
Because elements (2) and (3) are so extraordinarily broad, liability for federal crimes under 18 U.S.C. § 1030(a)(2)(C) hinges largely on the first element: What does it mean to access a computer without authorization or to exceed authorized access? Unfortunately, courts have not settled on clear answers to these questions. The terms “access” and “without authorization” are not defined by the CFAA. The phrase “exceeds authorized access” is a defined term, but the definition is largely circular. That phrase is defined in 18 U.S.C. § 1030(e)(6):
the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.
Under this definition, conduct exceeds authorization if it exceeds entitlement. But this merely restates the problem: What determines entitlement? Unfortunately, the statute doesn’t say. Because these key phrases are either undefined or defined poorly, judicial interpretations of “access without authorization” and “exceeds authorization” are surprisingly murky.
And that's the problem. Courts don't agree on what the vague statute means. Prosecutors get to define the terms to fit the situation, as they view it. And that means, subject to review by the courts, if they want to get you, you're going to get got. And if they bully you into a plea bargain whereby you plead guilty to something you don't think you are guilty of, it's worse. Well, maybe not worse on the total arc. Aaron Swartz believed he wasn't guilty, so he wouldn't plead guilty to felonies, and now he's dead.
Kerr urges Congress to act:
I urge Congress to expressly adopt the Nosal rule. The CFAA should only apply to those who circumvent technological access barriers. The law should apply only to those who break in to computers – to use the common term, it should apply only to “hackers.” In my view, this is the best reading of existing law. Further, Congress should expressly codify it to make clear the appropriate scope of the CFAA.
Here's the Nosal ruling, which blocked the prosecutor's definition of where the CFAA applied (in the Ninth Circuit).
Two things I'd like to state about Kerr's wording:
- Breaking in and breaking in to do damage or steal are not the same in physical space, although both are against the law. And penalties are not the same. It should be the same in cyberspace. In times past, young men tinkered with their cars and learned that way. Nowadays, they play with computers, and "breaking in" sometimes happens in that context, sometimes inadvertently. So there should be a distinction between that kind of thing and some criminal group breaking in to steal people's private information. Because if you put every computer tinkerer in jail, you will make it impossible for young people to really understand computers, and then when Chinese and Russian, et al., bad guys show up, no one in the US will know what to do to block them. They clearly don't know now, judging by results. So keep research needs in mind. I truly believe more thought needs to be given to this bad effect that the CFAA has caused. Research is dangerous, and that needs to change. The US needs its brainiac coders.
- Hacker is a word being misused. The correct term, if we are going to try to fix laws to be less vague, is cracker. Hacking is a term that traditionally means things done to improve some code, to make it do something you need it to do and finding a cool, better way. Cracking is when you do it with a malevolent purpose. One of the problems with the law currently is that it uses the term for both, and that vagueness in definitions leads to punishing the wrong people or punishing the right people excessively for minor incidents. As long as you are fixing the CFAA, why not *really* fix it so that those potentially covered by the law at least know precisely -- and in advance -- where the line is that they can't cross? For example, define your terms so precisely that people really do know, not only those the law is directed at but prosecutors as well, what the line is, so people aren't accused of hacking, or more accurately cracking, if they figure out a URL extension. That low-hanging fruit is easy to prosecute, and it may be too tempting for prosecutors to go after, just because it adds to success numbers.
[Update: Here's the latest news regarding the Aaron Swartz prosecution. It's disturbing. His lawyers are now accusing prosecutor Steven Heymann of misconduct for withholding exculpatory evidence and more. And Swartz is being honored with this year's James Madison Freedom of Information Award.]
To be sure, there are some situations in which people do very bad things that happen to involve a violation of a written access restriction. If an individual commits a crime and happens to violate Terms of Service along the way, then the individual should be prosecuted for the crime committed. But the CFAA should not be a catch-all statute that always gives the federal government another ground on which to charge a wrongdoer who violated some other crime that happened to involve a computer.
The problem with a broader approach is that it inevitably ends up covering a great deal of innocent activity. Consider a few examples:
A. A political blog announces a new rule that readers only are allowed to visit the blog if they plan to vote Republican in the next Presidential election. A reader who plans to vote for the Democratic nominee visits the blog in violation of the rule.
B. A law student who is forbidden by law school policy to access the law school network during class intentionally violates the rule by checking his e-mail during a particularly boring lecture.
C. You receive an e-mail from a friend that a new website, www.dontvisitme.com, has some incredible pictures posted that you must see. But there’s a catch: The Terms of Service of the website clearly and unambiguously say that no one is allowed to visit the website. You want to see the pictures anyway and visit the website from your home Internet connection.
If violating an express condition on computer usage is a crime, then all three of the individuals in these scenarios above have committed a federal offense.
I do not see any serious argument why such conduct should be criminal. Computer owners and operators are free to place contractual restrictions on the use of their computers.
If they believe that users have entered into a binding contract with them, and the users have violated the contract, the owners and operators can sue in state court under a breach of contract theory. But breaching a contract should not be a federal crime.
The fact that persons have violated an express term on computer usage simply says nothing about whether their conduct is harmful and culpable enough to justify criminal punishment.
A final reason to focus attention on CFAA reform is that the statute will only become more important over time. Every year, the American public uses computers for more hours and for more tasks. The recent public uproar over the tragic death of Internet activist Aaron Swartz has brought new attention to the scope of the CFAA. Swartz was facing felony charges under the CFAA, and many believe that those charges show that the CFAA is overly broad and overly punitive. See, e.g., Lessig on 'Aaron's Laws - Law and Justice in a Digital Age', available at http://www.youtube.com/watch?v=9HAw1i4gOU4. But whether inspired by recent events or simply by the need to address the scope of a statute that has become ever more important in our Internet age, Congress should take this opportunity to revisit the CFAA to make sure that it both provides appropriate tools for law enforcement but does not end up prohibiting innocent activity.
Here's what the DOJ's representative, US Attorney Jenny S. Durkan, had to say in her written testimony [PDF] about the CFAA:
As the threat increases and evolves, so must our legal tools to combat the threat. In May 2011, as part of the Administration’s Cybersecurity Proposal, the Department proposed some needed, moderate updates to the computer crime laws.1 These proposals were also explored in testimony before this committee in November, 2012.2 We continue to believe that many of these proposals would enhance our ability to combat cyber threats, including:
- A proposal to update the Racketeering Influenced and Corrupt Organizations Act (“RICO”) to make the Computer Fraud and Abuse Act (“CFAA”) offenses subject to RICO. The CFAA is the primary statute used to prosecute hacking crimes. Computer technology has become a key tool of organized crime. Indeed, criminal organizations are operating today around the world to: hack into public and private computer systems, including systems key to national security and defense; hijack computers for the purpose of stealing identity and financial information; extort lawful businesses with threats to disrupt computers; and commit a range of other cybercrimes. Many of these criminal organizations are similarly tied to traditional Asian and Eastern European organized crime organizations.
- A proposal to clarify and update the forfeiture provision of the CFAA. This proposal would allow for civil forfeiture and clarify the rules governing criminal forfeiture under the statute.
- A proposal to update the CFAA’s sentencing provisions. The goal of these changes is to eliminate overly complex, confusing provisions; simplify the sentencing scheme; and enhance penalties in certain areas where the statutory maximums no longer reflect the severity of these crimes. For example, 18 U.S.C. § 1030(a)(4) prohibits unauthorized access to a computer in the course of committing a fraud, such as where a hacker breaks into a database and steals 100,000 credit card numbers, but the maximum sentence is five years in prison. Because criminals can obtain many millions of dollars through fraud, other federal fraud crimes -- such as section 1343 (Wire Fraud) -- have maximum penalties of 20 years in prison. This disparity makes little sense.
These changes will empower federal judges to appropriately punish offenders who commit extremely serious crimes, ones that result in widespread damage, or both. Judges would still, of course, make sentencing decisions on a case-by-case basis.
1 See http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/law-enforcement-provisions-related-to-computer-security.pdf.
2 See http://judiciary.house.gov/hearings/pdf/Downing%2011152011.pdf
That case-by-case part is the problem, if you think about it. They can throw the book at you if they feel like it, and there's no advance warning. And does this mean they'd have been able to take Aaron Swartz's bank account and all his computers and domains too?
Oh, they don't mean people like *him*, you may say. No? They defined what he downloaded as being worth millions, which is preposterous. He wasn't leading some Romanian criminal gang, after all.
If I trespass on your lawn for a picnic, you don't get to confiscate my house and throw me into jail for life. Why should computer space be any different?
Do you see why vagueness in a law plus broad prosecutorial discretion can be dangerous?
Here's what the FBI written testimony reads like:
We see four malicious primary actors in the cyber world: foreign intelligence services, terrorist groups, organized crime enterprises, and hacktivists....
Hacktivist groups such as Anonymous and LulzSec are pioneering their own forms of digital anarchy by illegally accessing computers or networks for a variety of reasons including politically or socially motivated goals.
In physical space, are protests for political or socially motivated goals punished in the same way as they are in cyberspace? If not, why not? Has anyone taken the time to figure out how people can protest online without criminal sanctions? Maybe it's time to figure that out, now that everyone lives online. Where do you go, and how do you hold up a protest sign outside a company headquarters online, as you can in physical space? Is it not legally possible anywhere online? I'd like that spelled out in the law too, actually, so people know where the proper line is. Part of any proper legal system is letting people have advance warning as to what is not allowed, so they can avoid it. And if the answer is nowhere online is protest allowed, what have you done to Americans' rights to protest? It's the American way, it always has been, but at the moment, the law doesn't seem to allow for it at all. If you post some protest message on a website, is that the same under the law as stealing someone's credit card info? Should it be?