Stanford CIS

Draft Bill to "Fix" CFAA Won't

By Jennifer Granick on

The House Judiciary Committee is considering a bill (.pdf) to amend the Computer Fraud and Abuse Act, 18 USC 1030.  I've redlined the current statute (.doc) to show how the law would look should this bill pass, and inserted comments where relevant.

I've heard that the bill is intended to fix what's come to be known as "The Lori Drew Problem": criminalizing terms of service violations.  By my analysis, it does the opposite.  The text could clear the way for such prosecutions while introducing new legal uncertainties, expanding the scope of the CFAA and greatly increasing penalties, without resolving the underlying problem, which is that the phrase "exceeds authorized access" -- as well as the new phrase "in excess of authorization" in the bill -- are subject to conflicting interpretations.

The bill also dramatically increases penalties while introducing new ambiguous language that muddies rather that clarifies the reach of this expansive law in other areas as well.  For the reasons set forth in the comments to my attached redline, this legislation needs to be scrapped.

This legislative push comes just a few days following the Ninth Circuit's opinion in United States v. Nosal.  There, the Court sitting en banc reversed the panel decision and held that violations of an employer's computer use restrictions are not penalized under the statute, because "exceeds authorized access" doesn't mean merely violating a policy, it means obtaining data you are not allowed to see.  While a very welcome decision, this creates a Circuit split with the Fifth, Seventh and Eleventh Circuits.  We don't yet know whether the government will petition for, or the Supreme Court will grant cert in Nosal. What we do know is that if Congress wants to resolve the ambiguity, the current bill will only make matters worse.

Photo Credit: Ken Lund