THE COMPUTER FRAUD and Abuse Act, the law that’s been at the heart of almost every controversial hacking case of the past decade, is in the news again this month.
Prosecutors recently used the law to convict journalist Matthew Keys on felony hacking charges, drawing rounds of condemnation on the web. Edward Snowden, for one, derided the harsh penalty Keys now faces—a maximum possible sentence of 25 years.
But charging Keys with felonies for his role in a crime that critics say should have been considered a misdemeanor—the minor defacement of a Los Angeles Times article—is not an anomaly for the feds. It’s just one among a growing list of contentious cases that critics say illustrate how prosecutors have been overstepping in their use of the CFAA.
The government first used the federal anti-hacking statute in 1989, three years after its enactment, to indict Robert Morris, Jr., son of the then-chief scientist at the NSA’s National Computer Security Center. Morris Jr., a graduate student at Cornell University at the time, was charged with creating and unleashing the now-infamous Morris worm. The Morris offspring ultimately fared better than most who have been convicted under the law; he was sentenced to three years’ probation and 400 hours of community service. He’s now a tenured professor at MIT.
Since his conviction, the CFAA has been used to prosecute hundreds of other high- and low-level hackers, often to much controversy.
The law, in its simplest form, prohibits unauthorized access—or exceeding authorized access—to protected computers and networks. That seems straightforward enough, but because the law was so broadly written, creative prosecutors have stretched the interpretation of unauthorized access far beyond what lawmakers likely intended. For example, it was used to criminally prosecute Andrew Auernheimer for accessing unprotected data that was freely available on an AT&T website.
Another disturbing and growing trend is how prosecutors use the law to criminally charge employees and ex-employees for exceeding authorized access. In 1994, the CFAA was amended to allow civil actions to be brought under the statute. This opened a path for corporations to sue workers who steal company secrets in violation of their authorized access. But instead of using this civil recourse, companies have, in several cases, worked with the government to criminally charge employees who violate work contracts.
“It’s a poorly written statute that doesn’t effectively define the main thing it seeks to prohibit,” says Tor Ekeland, a New York-based defense attorney who has worked on a number of controversial CFAA cases. “There are ambiguities surrounding that definition that allow prosecutors wide latitude to bring charges under theories that shock computer people in the infosec community. Combine that with the fact that there is this general paranoia about hackers—it’s a sort of hysteria that’s on par with the hysteria about witchcraft.”
Civil liberty and legal advocacy groups have called on lawmakers to reform the CFAA to prevent zealous prosecutors from punishing conduct that many feel doesn’t truly constitute a computer crime. Calls for reform grew particularly loud in 2013 after internet activist Aaron Swartz committed suicide following his indictment on charges related to downloading academic papers.