United States, the Computer Fraud and Abuse Act (CFAA)

The Computer Fraud and Abuse Act (CFAA) is the federal anti-hacking law in the United States. It was brought into the spotlight after the tragic death of programmer and Internet activist Aaron Swartz, leading to calls for its reform. The law makes it illegal to intentionally access a computer without authorization or in excess of authorization, but it does not clearly define what "without authorization" means. The statute does attempt to define "exceeds authorized access," but the interpretation of that phrase has been subject to considerable dispute.

The CFAA is primarily a criminal law intended to reduce instances of malicious hacking. However, a 1994 amendment to the statute allows civil actions to be brought under it. This has led to creative prosecutors bringing criminal charges that aren't really about hacking a computer, but instead target other behavior prosecutors dislike. For example, in cases like United States v. Drew and United States v. Nosal, the government claimed that violating a private agreement or corporate policy amounts to a CFAA violation.

One of the major issues with the CFAA is its disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient "authorization" can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison. The excessive penalties were a key factor in the government's case against Aaron Swartz, where eleven out of thirteen alleged crimes were CFAA offenses, some of which were "unauthorized" access claims.

The Electronic Frontier Foundation (EFF) is championing reforms to the CFAA. These suggestions expand on Zoe Lofgren's draft bill known as Aaron's Law. The proposed reforms aim to ensure that the punishment fits the crime, protect tinkerers, security researchers, innovators, and privacy seekers, and clarify that there should be no prison time for violating terms of service.

The CFAA has been criticized for hampering security research, stifling innovation, and not allowing for anonymity and privacy. The EFF has made initial suggestions for improving Aaron's Law and has proposed additional suggestions for improving the penalty scheme.

Source: EFF