For a while now I’ve been saying that Congress ought to revise the Computer Fraud and Abuse Act (CFAA), the vaguely worded, overly broad computer crime statute that has been in the news due to its role in the indictment of high-profile defendants like Reuters deputy social media editor Matthew Keys, hacker Andrew “Weev” Auernheimer, and Internet activist Aaron Swartz. Well, the House Judiciary Committee is indeed circulating a bill that would reform the CFAA. The trouble is that it fails to address any of the CFAA’s major flaws, and, in fact, just puts more power into the hands of overzealous prosecutors. Be careful what you wish for, I guess.
The CFAA was passed in 1984, and it still reads like an alarmist response to the movie WarGames. It provides big penalties for those who tamper with or unauthorizedly access so-called “protected computers,” which are defined, in part, as computers that engage in interstate or foreign commerce or communications. Back in 1984, relatively few computers fit that definition. Today, every device with an Internet connection qualifies as a protected computer.
The times have changed, but the law hasn’t kept up with the times, and as a consequence the CFAA now reaches far beyond its original scope. A bill designed for hackers who targeted government or financial systems is now being used against people who commit much less serious offenses. Matthew Keys, for instance, is facing up to 25 years in prison for allegedly facilitating the brief defacement of one story on the website of the Los Angeles Times.* This is disproportionate.
The bill being considered by the House Judiciary Committee would make the CFAA more draconian. It stiffens penalties across the board—accessing a protected computer without authorization and subsequently causing damage, for example, would now be punishable by up to 10 years in prison, as opposed to the current five. It would make “trafficking in passwords” used to access any protected computer an offense punishable by up to 10 years in prison—which, theoretically, could mean that sharing your login information for Netflix or The New York Times could land you in jail. And it allows prosecutors to punish failed attempts at computer crime as harshly as successful attempts.
There’s one change that I do like. The bill would create a new subsection that deals with aggravated damage to “critical infrastructure computers,” defined as computers that manage or control the power grid, transit systems, the stock market, oil pipelines, and so on. Tampering with these sorts of systems could be punished by up to 30 years in prison. I like this new section because it is specific. These are the sorts of “protected computers” the CFAA ought to be dealing with; tightening the general definition of “protected computer” along those lines would go a long way toward fixing the CFAA and making it more relevant for the modern age.
But this new bill mostly doesn’t do that. It keeps things vague. I’m not too upset about this bill, which is, after all, only a draft resolution, and which will inevitably be revised and amended numerous times before it makes it to the floor—if it ever makes it to the floor. I’m just confused. As Techdirt’s Mike Masnick put it, the draft resolution is so harsh, “it almost feels like the Judiciary Committee is doing it on purpose as a dig at online activists who have fought back against things like SOPA, CISPA and the CFAA.”
I guess that’s possible, and I suspect this is largely a response to groups like Anonymous. The bill would redefine computer crimes as a form of racketeering, which seems like something specifically designed to make it easier to prosecute groups like Anonymous.
But it’s just as likely that Congress is just acting by reflex here. We overcharge for all sorts of nonviolent offenses in this country, and prison sentences are routinely overlong. A legislator has never lost an election by being too tough on crime. It’s not that the government shouldn’t concern itself with computer-abetted offenses. But the punishment should fit the crime, and the CFAA too often ensures that it doesn’t.
Correction, April 1, 2013: This post originally said that Matthew Keys facilitated the defacement of a story on the Los Angeles Times website. It has been corrected to say that Keys is alleged to have facilitated the defacement. (Return.)