I am a signatory to a letter to Rep. Robert Goodlatte and other legislators critiquing draft legislation reportedly slated for consideration this month that would amend the Computer Fraud and Abuse Act (CFAA) by increasing penalties and expanding the scope of conduct punishable under the statute. The letter points out that the draft under discussion is a significant expansion of the CFAA at a time when public opinion is demanding the law be narrowed. This language would, among other things:
- Obliterate the sensible line between criminal attackers and legitimate users who are authorized “to obtain or alter the same information” but do so in a manner or with a motive disfavored by the server owner or expressed in unilateral terms of service (TOS) or contractual agreements;
- Substantially increase maximum penalties for many violations to 20 years or more, giving prosecutors a heavy hammer to hang over individuals charged with borderline offenses, and ensuring even minor violations with little or no economic harm (which ought to be misdemeanors at most) will be punished as felonies; and
- Make all CFAA violations a RICO predicate.
As Paul Rosenzweig and Orin Kerr have pointed out, the draft language just recycles old DOJ proposals, which actually make the CFAA's overbreadth problem worse. Of most concern, while the bill might appear to limit the application of CFAA section (a)(2)’s “exceeds authorized access” crime by specifying categories of information protected from such access, the change actually expands the statute’s reach by criminalizing activities “involving” broad categories of information. As a result, the bill would make it a felony to lie about your age on an online dating profile if you intend to contact someone online and ask them personal questions. It would make it a felony for anyone to violate the TOS on a government website. It would also make it a felony to violate TOS in the course of committing a very minor state misdemeanor.
You can find the full draft of the letter here.