Thoughts on Zoe Lofgren's CFAA Bill: A Great First Step

Yesterday, Representative Zoe Lofgren introduced on Reddit a bill to improve the Computer Fraud and Abuse Act in the wake of Aaron Swartz's suicide during the pendency of his prosecution for violating various provisions of that law and of the Wire Fraud Act.  I've attached a redline of how her bill would change the current law.  

This is a welcome and much needed step from a great legislator.  There are obvious co-sponsors for this effort, including Darrell Issa (R-Calif) who knew Aaron, and spoke out eloquently about the potential for abuse when prosecutors use long maximum sentences to incentivize guilty pleas from individuals charged for borderline conduct under vague statutes:

I’ll make a risky statement here: Overprosecution is a tool often used to get people to plead guilty rather than risk sentencing,” Issa said. “It is a tool of question. If someone is genuinely guilty of something and you bring them up on charges, that’s fine. But throw the book at them and find all kinds of charges and cobble them together so that they’ll plea to a 'lesser included' is a technique that I think can sometimes be inappropriately used.


The bill is a good start, but with small adjustments, it could better meet the twin goals of (1) ensuring that noone goes to prison for terms of service violations and (2) preventing the next prosecution of someone like Aaron Swartz.  

The purpose of the CFAA is to prohibit when an individual accesses a computer without permission or obtains or alters information on a computer beyond that which he is authorized to access. This very basic idea has been distorted in part because of a poorly phrased definition of "exceeds authorized access".  18 USC 1030(e)(6).  That definition says:

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

Some Circuits have held that the word "so" means that the computer owner can use the CFAA's civil and criminal provisions to enforce all sorts of rules about when, how and why computer users access, use and distribute stored information. This phrasing is what's lead to the problem of terms of service prosecutions, as well as cases holding that disloyal employees are federal felons.  A simple and critical way to fix the problem is to delete the word "so".  Congress could also add the word "otherwise" in front of access, to make clear that if you are allowed to access your work files from your office, or download journal articles while on the MIT network, its not a crime merely to access those files when you are working from home, or to download those same articles with an automated script.  This fix would look something like this:

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not otherwise entitled to obtain or alter, and does not include access in violation of an express or implied agreement, contractual obligation, acceptable use policy, terms of service agreement, duty of loyalty or other non-code based restriction.

This formulation doesn't interfere with trade secret protection, copyright or any other law that protects against misuse of information.  It just ensures that the mere fact that information is stored on a computer doesn't give the computer owner plenary rights to control how otherwise authorized users may interact with that data, on penalty of prison. 


Another federal bill we need is called the Secretary of State Accountability Act, which would require all 50 SOS to update their corporation databases annually to detect and prevent fraud. Then, a company that makes software according to Benford's law could review annual reports in the SOS databases. here's a link to the proposed act and a case study for it:

The exact wording is very tricky to get right. Let's say I can gain access to my company's computer because I have a username and password which I was intentionally given by the company. On that computer, there are (1) things that I am meant to have access to. Then there are (2) things that I'm not meant to have access to, but I actually have access; probably because someone in IT messed up. Then there are (3) things that I can only gain access to by hacking, even though they are on the computer where I have _some_ authorisation. Then there are (4) things that I can access by using my bosses username and password which I found on a paper stuck to his monitor.
We are currently saying that I have "authorized access to the computer", meaning access to the whole of the computer. Except such access can "exceed authorisation". Instead, we should say that I have "authorized access to some data on the computer". There would be no question of "exceeding authorisation"; I either have authorisation or not, I can't exceed it. The whole problem comes from the law using "the computer" as the unit of authorisation, while in reality my authorisation is always just for parts of that computer.

Add new comment