Enacted in 1984, the Computer Fraud and Abuse Act (CFAA) was originally intended to insulate the national information infrastructure from the threat of hackers. Since its creation, however, its application has shifted drastically from the 1980's era legislation, paving the way for the expansion of federal power. Tweet it: Tweet
Background: The Computer Fraud and Abuse Act
The CFAA was designed by the federal government to protect federally sensitive information, including that of the financial industry and information related to interstate commerce. It targets the unauthorized access of information "with reason to believe that such information so obtained could be used to the injury of the United States."
The anti-hacking legislation has resulted in around 550 federal criminal cases involving the CFAA's related computer statute, and nearly 500 civil lawsuits in private disputes in the last few years, Reuters reports. Share: Tweet
As one can imagine, the nature of the Internet has progressed significantly since the passage of the law and the CFAA has been reformed a number of times to correspond with current events. For example, the law was revised in 2002 and 2008 by the Patriot Act and the Identity Theft Enforcement and Restitution Act, respectively.
The Consequence of Inaction
While it has been through a wide array of reforms in its 29 years, none of the reforms clarify the part of the statute that makes it a crime to “access a computer without authorization or exceed authorized access.” The vagueness of this statute has arguably given prosecutors the power to charge violators with a felony, regardless of the nature of the crime. The outcome is sentencing that doesn't necessarily fit the crime.
The dangers in this expansion of power can most notably be seen in the prosecution of Internet activist and creative pioneer, Aaron Swartz, accused of downloading roughly 4 million JSTOR files illegally. Charged with eleven violations of the Computer Fraud and Abuse Act, Swartz faced up to $1 million in fines and 35 years in prison.
While 45 percent of convicted criminals end up serving sentences below the minimum guideline, the intimidation led Swartz to later commit suicide in January 2013, according to Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation.
"So while these maximum sentence press releases may not be in the realm of reality, they do serve a purpose: to scare future defendants and deter current ones from fighting their case," he explains in making his case that maximum sentences matter.
The recent indictment of Reuters social media editor, Matthew Keys, echoes the flaws in the sentencing guidelines in the CFAA. Keys faces up to 25 years in prison for allegedly conspiring with Internet hacking group Anonymous to change a news story that appeared on the L.A. Times.
In what seems like a prank, Keys, if convicted, will face 25 years in prison and fines of up to $250,000, a hefty fine in comparison to the consequence of vandalism in the physical world.
The Time Is Now to Reform the Computer Fraud and Abuse Act
The disproportionate sentencing attached to these cyber crimes has prompted the Internet community, online advocates, and even lawmakers to act. Following the death of Swartz, the Electronic Frontier Foundation (EFF) has called for sentencing reform.
"It looks like the government used the vague wording of those laws to claim that violating an online service's user agreement or terms of service is a violation of the CFAA and the wire fraud statute. Using the law in this way could criminalize many everyday activities and allow for outlandishly severe penalties."
The dangers associated with the CFAA have also been noted by Rep. Darrell Issa, chair of the House Committee on Oversight and Government Reform, who praised Swartz for his political courage and quest for information at his funeral. Whether or not Congress will act, however, is a question only time will tell.