Law professor and cybercrime expert Orin Kerr published a proposal to amend the Computer Fraud and Abuse Act (CFAA) to address the overcriminalization that he has been at the forefront of identifying and combatting. His current proposal, which very simply but comprehensively addresses a number of problems with the CFAA, is here.
Historically, the CFAA partitioned the world of computer criminals into two camps, outsiders who “access without authorization” and wayward insiders who abuse their position of trust to “exceed authorized access” and obtain information they were not entitled to.
When the CFAA was passed in 1986, Congress did not consider a category of computer user that barely existed then, people who use websites and other services offered to the general public over the Internet. Yet, the CFAA has been used to punish our interactions with these services – including hiding our personal or device identification and downloading published information that the server owner should have, but failed to, secure.
Certainly, the companies that offer online services to the public have preferences for how people will use their product, but these preferences are not and should not necessarily be federal law. Changing the CFAA to make sure this doesn’t happen takes no legitimate tools away from the Department of Justice. Indeed, we still have copyright law, trade secret law, and privacy law to punish misuse of data, and wayward employees are subject to civil liability and being fired.
The question is how to draw the line. Briefly, Kerr’s proposal (1) deletes the problematic “exceeds authorized access” language completely, (2) deletes some repetitive subsections, (3) deletes the civil cause of action, which the Department of Justice has blamed for the broadening case law interpreting the statute, (4) makes the trigger for felony conduct higher, and (5) proposes that “accesses without authorization” mean:
to circumvent technological access barriers to a computer or data without the express or implied permission of the owner or operator of the computer
Orin's suggestions are really important. He streamlines the statute, reduces the chances that minor conduct will be the basis for a felony prosecution, and deletes the language in the statute that has been most abused.
However, by focusing purely on whether the service operator implements technological access barriers, the proposal risks a similar problem to the one that the current statute has, giving server owners plenary authority to criminalize the way members of the public interact with information made available online, but through “technological access barriers” rather than merely terms of service and employee agreements.
There are many situations where otherwise law-abiding people arguably seek to evade technological access barriers, but which should not be crimes. Readers who click on a link to read an article, encounter a paywall, and then search for a different link to the same content should not be violating the CFAA. What about rate limitations like the one Aaron encountered? JSTOR permitted anyone on the MIT network to download a certain number of articles, after which the service would block the user's IP address. What if the user then switches devices, or changes her IP in order to access more articles? The outrage over Aaron's prosecution shows that the public does not agree that that should be a federal felony. The New York Times currently operates the same way. Anyone may read 5 free articles per month, after which the site blocks their access and asks them to subscribe. If the user deletes their browser cookies instead, do they violate the CFAA? What about coffee shop patrons who may connect for an hour, but no longer? If the visitor changes her MAC address to continue to get free wifi, has she violated the CFAA? Of course, people may seek to hide their IP address or MAC address for privacy reasons, yet those changes result in circumvention. Efforts to protect personal privacy should not raise CFAA liability. Yet, it appears that under Orin’s proposal, all of these things are – or likely are – CFAA violations.
Perhaps raising the felony bar resolves some of these problems, but only if the statute is also amended to ensure that the government cannot aggravate the sentence by stacking convictions from the same course of conduct, as it did in United States v. Cioni. In sum, I find Orin’s proposal necessary but not sufficient. There should be an exception to CFAA liability when a service is offered for free to the public, but implements technological controls on either automation, download rate, or access time. Certainly evading these limits could be a civil violation, or the service may find a way to ban the offender completely, but it should not be a federal crime.
This is why I favor the language suggested by the EFF. Their proposal builds on Orin Kerr’s good work, but further clarifies the definition of "without authorization" “to make sure the CFAA doesn't penalize people who have permission to access data but use light technical workarounds to access that data in an innovative way.” That definition is:
to circumvent technological access barriers to a computer, file, or data without the express or implied permission of the owner or operator of the computer to access the computer, file, or data, but does not include circumventing a technological measure that does not effectively control access to a computer, file, or data
That “effectively control access” language is pulled from the anti-circumvention provisions of the DMCA, 17 U.S.C. 1201. There are a lot of problems with section 1201, but “effectively control access” has been interpreted to mean that if the user otherwise has unfettered access to protected information via one route, technological controls on a particular manner of access are not given the force of law. Lexmark Int’l, Inc. v. Static Control Components, Inc., 387 F.3d 522 (6th Cir. 2004). The defendant in Lexmark manufactured third-party print cartridges for use with Lexmark printers. The generic cartridges were coded to circumvent a verification process Lexmark implemented to prevent such third-party goods, and to ensure that its printers only ran with Lexmark-manufactured cartridges. The court found that purchase of a Lexmark printer allows the user “access” to the programs loaded in the printer memory “with or without the benefit of the authentication sequence, and the data from the program may be translated into readable source code after which copies may be freely distributed.” Therefore, the court held that the printer code lockout did not "control access":
Just as one would not say that a lock on the back door of a house ‘controls access’ to a house whose front door does not contain a lock and just as one would not say that a lock on any door of a house ‘controls access’ to the house after its purchaser receives the key to the lock, it does not make sense to say that this provision of the DMCA applies to otherwise-readily-accessible copyrighted works. Id. at 547.
Thus, for otherwise unprotected information, if the computer server and information are made freely accessible to the user, digital attempts to control or condition the public’s manner or use of that information will not carry the force of CFAA punishment behind them.
I hope to hear what Orin and others have to say about these ideas and the EFF’s proposal. I’m also interested to see how the Lofgren bill proceeds through Congress in the next few weeks.