Draft Bill to "Fix" CFAA Won't

The House Judiciary Committee is considering a bill (.pdf) to amend the Computer Fraud and Abuse Act, 18 USC 1030.  I've redlined the current statute (.doc) to show how the law would look should this bill pass, and inserted comments where relevant. 

I've heard that the bill is intended to fix what's come to be known as "The Lori Drew Problem": criminalizing terms of service violations. By my analysis, it does the opposite. The text could clear the way for such prosecutions while introducing new legal uncertainties, expanding the scope of the CFAA and greatly increasing penalties, without resolving the underlying problem, which is that the phrase "exceeds authorized access" -- as well as the new phrase "in excess of authorization" in the bill -- is subject to conflicting interpretations.

The bill also dramatically increases penalties while introducing new ambiguous language that muddies rather than clarifies the reach of this expansive law in other areas as well. For the reasons set forth in the comments to my attached redline, this legislation needs to be scrapped.

This legislative push comes just a few days following the Ninth Circuit's opinion in United States v. Nosal.  There, the Court sitting en banc reversed the panel decision and held that violations of an employer's computer use restrictions are not penalized under the statute, because "exceeds authorized access" doesn't mean merely violating a policy, it means obtaining data you are not allowed to see.  While a very welcome decision, this creates a Circuit split with the Fifth, Seventh and Eleventh Circuits.  We don't yet know whether the government will petition for, or the Supreme Court will grant cert in Nosal. What we do know is that if Congress wants to resolve the ambiguity, the current bill will only make matters worse. 



The sad thing is that there's a pretty nice bright line standard they could adopt concerning unauthorized access. They should just make the rule that if you lie to the computer and without that lie, you would not be granted access, you are guilty.
And yes, that does catch buffer overflows and the like. I mean, you're effectively telling the computer things like your name is -1 characters long or what have you, which is a lie of sorts and it certainly is what gets you access. Or you're smuggling in shellcode/SQL/whatever in place of your username or password or something else. So long as deliberately corrupted garbage data is considered a "lie" for these purposes, I think it's a pretty good test.
