Header graphic for print
Trading Secrets A Law Blog on Trade Secrets, Non-Competes, and Computer Fraud

Significant Amendments Proposed to the Computer Fraud and Abuse Act to Limit Its Use to Traditional Hacking Scenarios

Posted in Computer Fraud and Abuse Act, Data Theft, Legislation

By Robert Milligan and Grace Chuchla

Earlier this year, we blogged on federal legislative efforts to amend the Computer Fraud and Abuse Act (“CFAA”) following the death of computer activist Aaron Swartz.  These efforts were spearheaded by Representative Zoe Lofgren (D-CA), who released her discussion draft of proposed amendments to the CFAA on January 15, 2013 on Reddit.  Lofgren’s January draft sought to modify the definition of “exceeds authorized access” so that those who only violate, for example, a computer use policy or internet terms of service cannot be held liable under the CFAA.

On Thursday, June 20, Representative Lofgren and Senator Ron Wyden (D-OR) formally introduced companion bills in both the House and Senate seeking to amend the CFAA.  According to Senator Wyden’s website, these amendments seek to eliminate “vagueness” and “redundant provisions” from the CFAA and “establish that a mere breach of terms of service, employment agreements, or contracts are not automatic violations of the CFAA.”  Additionally, with the nickname “Aaron’s Law,” they also seek to limit what some see as the CFAA’s tendency to allow for overzealous prosecution that they claim characterized Aaron Swartz’s case.

As before, both bills seek to clarify the meaning of  “exceeds authorized access” by striking it and replacing it with the phrase “access without authorization,” which is defined to mean

a) “to obtain information on a protected computer”;

b) “that the accesser lacks authorization to obtain”; and

c) “by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.” 

Both bills also propose amendments to the definition of punishable offenses under the CFAA by inserting a requirement that offenses committed for commercial advantage or private financial gain must also involve information that has a market value over $5,000.  

Lofgren and Wyden said in their opinion piece for Wired that, “Aaron’s Law is not just about Aaron Swartz, but rather about refocusing the law away from common computer and Internet activity and toward damaging hacks.”

Opinions are split on how successful these proposed amendments will be.  On the one hand, previous efforts to amend the CFAA in April 2013 failed after  there was significant opposition from both the left and the right.  Those proposed amendments to the CFAA, however, are not similar to what is currently in front of Congress.  The Justice Department has previously been against amendments to the CFAA that would significantly narrow the Act’s scope. It recently obtained the conviction of David Nosal under the CFAA in San Francisco, California (the conviction has been appealed to the Ninth Circuit). Additionally, Richard Downing, Deputy Section Chief for Computer Crime and Intellectual Property, told the House in 2011 that removing key parts of the CFAA “could make it difficult or impossible to deter and punish serious threats from malicious insiders.”

BSA Software Alliance has come out against the proposed legislation, arguing that it would force companies to build additional security mechanisms into their networks and systems to adequately protect them from unauthorized parties. “Everyone agrees that lying about your age on Facebook shouldn’t be a felony, but Aaron’s Law is a flawed solution to that problem,” Tim Molino, BSA’s director of government relations, reportedly said in a statement. “Tying liability to theft that involves ‘knowingly circumventing technological or physical measures’ is out of step with the technology innovations driving today’s economy. It would compel many companies to erect new technical protection measures throughout their networks and support systems, reversing a trend that has contributed the growth of cloud computing, software as a service, and on-demand support.” 

Additionally, with the highly publicized omnipresent cybersecurity threat and recent high profile employee data theft cases, there may not be significant momentum to drastically change the CFAA, particularly with the Obama Adminstration focused on addressing the cybersecurity threat. Echoing those sentiments, Molino reportedly said the bill is “especially troubling at a time when hacking and intellectual property theft are rampant — weakening cybercrime laws would be like handing out keys to the castle.”

On the other hand, however, advocacy groups have come out in vocal support of Lofgren’s and Wyden’s bills.  The Center for Democracy and Technology and Demand Progress have both issues recent statements applauding Aaron’s Law for “prevent[ing] the government from using the Computer Fraud and Abuse Act (CFAA) to prosecute mere terms-of-service violations as computer crimes, and prevent prosecutors from bringing multiple redundant charges based on a single crime.” Further, the Electronic Frontier Foundation has also been a vocal supporter of the proposed amendments, stating that, “(t)he CFAA was originally intended to cover the hacking of defense department and bank computers, but it’s been expanded so that it now covers virtually every computer on the Internet while meting out disproportionate penalties for virtual crimes. We’ve written extensively about the need for CFAA reform and Aaron’s Law is a great first step.” Additionally, with the recent NSA and Snowden kerfuffle, there may be public support for limitations on the CFAA, including limiting its use for pure hacking scenarios.

How this will play out is anyone’s guess.  What started with a circuit split after the Ninth Circuit’s decision in U.S. v. Nosal has grown into a hot-button topic for everyone from civil rights activists to technology lobbying organizations to employers looking to protect their data.  Stay tuned for updates as the saga unfolds.