This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Administrative/Regulatory

Sep. 30, 2015

CFAA reform is badly needed

Technology lawyers understand that our world is now interconnected, with Americans using other people's computers as much as their own. Unfortunately, the law hasn't kept up with this new reality.

By Cindy Cohn and Jamie Williams

Cindy A. Cohn

Executive Director, Electronic Frontier Foundation

Email: cindy@eff.org

Jamie Lee Williams

Staff Attorney, Electronic Frontier Foundation

Technology lawyers understand that our world is now interconnected. Americans today spend nearly as much time using other people's computers as they do their own. We are accessing third-party computers while we are cloud computing, logging into our Gmail accounts, conducting legal research, accessing online social networks, buying plane tickets, or even just watching movies on Netflix. And with the proliferation of the "Internet of Things" - a world in which everyday household objects are connected to the Internet - our time spent connected to other people's computers is only going to increase.

In this interconnected world, interoperability and inter-functionality - think Kayak, Orbitz or Google Travel gathering up airline prices - are critical to innovation. The ability for security researchers to access other people's computers to ensure that our networks and tools are secure is also increasingly important. This was demonstrated recently when a researcher showed us, in a scary example, how to remotely deploy a car's airbags - revealing a deep insecurity in our Internet-connected cars. The ability to access third-party computers also implicates user privacy, as people are increasingly using add-on software to control disruptive ads or add encryption and other protections to their activities online.

As a result, clients ranging from entrepreneurs and innovators to computer security professionals are operating in a world where they need to be able to access other people's computers - sometimes in ways the network owner might not agree with or anticipate. Unfortunately for such clients, the law hasn't kept up with this new, interconnected reality.

One big problem is the Computer Fraud and Abuse Act - the federal "anti-hacking" statute - and parallel state laws. The CFAA makes it illegal to intentionally access a computer connected to the Internet without authorization or in excess of authorization. But the CFAA does not tell us what "without authorization" actually means, and overzealous prosecutors have used the law to bring criminal charges against people who are merely doing things on a computer network that the owner doesn't like. It could even reach violating a clickwrap or end-user license agreement. The law has led to much confusion and doubt among security researchers, entrepreneurs, and innovators, and it has deterred such individuals from going public with important computer security findings for fear of criminal prosecution.

This isn't a new problem. The CFAA was enacted in 1986 and has been vague and overbroad since the start. The threat posed by the law has increased along with the growth in our reliance on computer networks, and as Congress has continued to ratchet up the statute's penalties. In fact, many well-known innovators - from Steve Jobs and Steve Wozniak to Bill Gates and Mark Zuckerberg - have told stories of actions in their youth that today could have the potential for prosecution under the CFAA. Tragically, prosecutors did use the CFAA's harsh penalties against Aaron Swartz, a good friend of the Electronic Frontier Foundation who, facing up to 35 years in prison, ultimately took his own life.

Since Aaron's death, EFF and other digital rights groups have been pushing hard for CFAA reform. Three key changes must happen:

First, the law must be clear that it is not a crime to violate terms of service or take simple actions to protect online privacy.

Second, the law's disproportionately harsh penalty scheme must be modified to ensure that the penalties fit the crime. First-time offenses are currently punishable by up to five years in prison (10 years for repeat offenses), plus fines, with no possibility for a mere misdemeanor. Meanwhile, other violations are punishable by up to 10 years, 20 years, or even life in prison. Such excessive penalties were a key factor in the government's case against Aaron.

Third, the law must clearly protect tinkerers, security researchers, innovators, and people who seek to avoid being tracked online. The law should target only those who are actually committing bad acts - i.e., breaking into computer networks in order to steal information, harm computers, or damage networks. The CFAA currently sweeps much more broadly, giving overzealous prosecutors a dangerous weapon.

After Aaron's death, a bipartisan group including Reps. Zoe Lofgren and Jim Sensenbrenner and Sen. Ron Wyden joined together to propose Aaron's Law, which addresses two of these problems. Their proposal would (i) codify 9th and 4th Circuit case law holding that violations of terms of service or other contracts can't trigger criminal charges and (ii) reduce CFAA penalties to ensure that minor violations only trigger minor penalties, not the sort of ridiculous ratcheting up that Aaron faced. Aaron's Law was first introduced in 2013 and has been introduced again this year.

But others in Congress are headed in the opposite direction, heedless of the interconnected reality in which we live. Sens. Lindsey Graham and Sheldon Whitehouse have proposed the International Cybercrime Prevention Act of 2015, which includes several provisions that would exacerbate - not alleviate - the CFAA's harshness, overbreadth and confusion. It would codify CFAA violations for "exceeding authorized access" based on mere violations of terms of service, eliminating the protections won in the 9th and 4th Circuits. It also fails to fix the CFAA's vague and undefined language, and it authorizes government-approved hacking, or "countermeasures," to stop CFAA violations - a practice that would undermine the security and privacy of innocent computer users. Most concerning, it raises - rather than lowers - the statute's already harsh penalties.

What's worse is that Whitehouse and Graham are trying to tack parts of their proposal onto the current Cybersecurity Information Sharing Act of 2015, a bill slated for consideration this fall. CISA has its own problems and should not pass. Adding the Whitehouse/Graham proposal will only make it worse.

The interconnectivity of our computers is key to the vibrancy of not only the Internet economy, but also, increasingly, the economy as a whole. Yet the law is still written as if connected computer networks were the exception rather than the rule. If we don't find a way to create more space for people to protect our security and privacy, innovate, and grow our experiences online, we'll all be the poorer for it. And for the unfortunate few who find themselves facing criminal prosecution, the law is grossly disproportionate and unfair. It's time we reform the CFAA - starting with rejecting Whitehouse and Graham's sneaky backroom attempt to make it worse.

Cindy Cohn is the executive director of the Electronic Frontier Foundation and Jamie Williams is a Frank Stanton Legal Fellow at EFF.
