The Computer Fraud and Abuse Act is a necessary evil.
Why? Because it is necessary to punish individuals who maliciously use computer systems to exploit, harass, and torment others (such as hijacking your computer’s built in camera, infecting your smartphone with malware, or phishing credit card information from popular retail stores). Although some mock the origin of the CFAA, saying that it was spurred by the overreacting to the 1983 movie WarGames with Mathew Broderick, the unfortunate reality is that computer crimes are on the rise.
So why is the CFAA evil?
The CFAA is just a sum of its parts, and it contains one part that is particularly sinister: section (a)(2)(C). The broad scope of this section has the potential to be abused by prosecutors by criminalizing otherwise innocuous behavior that does not cause loss or harm. 18 U.S.C. 1030 (a)(2)(C) reads:
“Whoever—intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—information from any protected computer.”
What constitutes a “protected computer” is incredibly broad, as defined in section (e)(2)(B) as any computer “which is used in or affecting interstate or foreign commerce or communication.” The federal courts have determined that under this definition, any computer with a “connection to the internet” qualifies as a protected computer.
The part of (a)(2)(C) that broadens the scope of liability the most is “exceeds authorized access,” because courts and scholars do not agree one what all this encompasses. The most broad and heavily debated meaning of “exceeds authorized access” would include using an authorized account in a way that violates the contractual user agreement. An example of this is would be a Google employee who used his access privileges at work to spy on the internet activities of underage teenagers. This particular case is a great illustration of the kind of computer abuse that deserves to be deterred and punished.
However, under the same theory of CFAA liability from contract violation, you may be prosecuted for violating any terms of services on any website. Let’s look at one such example…
Woman Faces Criminal Charges for
Doing Stupid Things on the Internet Pretending to be Teenage Boy on MySpace
In 2006, Lori Drew was a 46-year-old mother who created a MySpace account as a fake 16-year-old boy with the purpose of talking to a 13-year old girl, Megan Meier. Lori engaged with Megan online as “Josh” in an attempt to find out whether Megan was spreading lies about Lori’s daughter. Megan, who lived down the street from the Drew family, later committed suicide after “Josh” publicly posted all of their private conversations and then told Megan that “the world would be a better place without her in it.”
In the absence of a federal cyber-bullying law, prosecutors brought three misdemeanor criminal charges against Lori under the CFAA, and a jury trial found her guilty on all three. Specifically, the charges were brought under section 1030 (a)(2)(C), and the question at trial was whether violating MySpace’s terms of services agreement satisfies the element of “exceeds authorized access.” On a motion for acquittal, Judge George Wu said:
“If the answer to that question is “yes,” then seemingly, any and every conscious violation of that website’s terms of service will constitute a CFAA misdemeanor.”
Whether or not Lori deserved to be punished for her actions became a moot point. If Judge Wu did not acquit her, he feared that the result “would convert a multitude of otherwise innocent Internet users into misdemeanant criminals.” One of the hypothetical examples he gave was:
“the exasperated parent who sends out a group message to neighborhood friends entreating them to purchase his or her daughter’s girl scout cookies, which transgresses the MSTOS rule against “advertising to, or solicitation of, any Member to buy or sell any products or services through the Services.”
Under this rationale, Judge Wu acquitted Lori Drew of her CFAA charges.
Other federal judges, such as Judge Katharine Hayden in the District of New Jersey, disagree with Judge Wu. In the case of United States v. Lowson, Judge Hayden ruled that the defendants “exceeded authorized access” of Ticketmaster’s website when they purchased tickets in bulk for resale, which was a direct violation of the website’s terms of service.
The difference in the Lowson case is that the defendants had also violated “code-based restrictions” in addition to contractual restrictions of the website. However, Judge Hayden did not dismiss CFAA liability for violation of contract restrictions, and I tend to agree with her on this and other cases involving use restrictions. Some instances of breaking a terms of service agreement are blatantly illicit in nature, such as circumventing barriers that prevent a single person from purchasing all of the desirable tickets to an event for the purpose of scalping them. Or falsifying an identity for the sole purpose of extracting information from, and then harassing another individual, whether an adult or a minor. As stated in my initial conclusion, the CFAA is a necessary evil.
(a)(2)(C) v. (a)(4)
The reason why I have emphasized the potential absurdity and abuse of section (a)(2)(C) is because it is not the only part of the CFAA where “exceeds authorized access” appears.
Section 1030 (a)(4) reads:
“Whoever—knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”
Under (a)(4), it would not be possible to reach the absurd result proposed by Judge Wu of the parent who is prosecuted for violating a terms of service agreement by sending emails to solicit girl scout cookies. Why not? Because that activity is not tantamount to fraud, no matter how you try to spin it.
Did Lori Drew’s behavior rise to the level of fraud? Here is the definition of ‘fraud,’ according to Dictionary.com:
1. deceit, trickery, sharp practice, or breach of confidence,
perpetrated for profitor to gain some unfair or dishonest advantage.
2. a particular instance of such deceit or trickery: mail fraud; election frauds.
3. any deception, trickery, or humbug:
That diet book is a fraud and a waste of time.
4. a person who makes deceitful pretenses; sham; poseur.
From the above definition, I would conclude that yes, Lori Drew’s actions were deceitful, and she meant to trick a teenage girl into talking to her under the false pretenses that Lori was a teenage boy.
Was it right to charge her with three counts of a criminal misdemeanor? A jury of her peers believed so. In examining the Lori Drew case and the flaw in the CFAA, we need to remember that Judge Wu never said that Lori’s behavior was not criminal by nature. The stance he took by dismissing Lori’s indictment is that if section (a)(2)(C) could be construed so broadly as to include breaking the written arbitrary rules of a website, no matter what the intent, then the law would be void-for-vagueness because it would potentially create criminal liability for otherwise innocent activity on the Internet.
How can we make the CFAA less evil?
My proposal is simple: Remove section (a)(2)(C).
To recap, (a)(2)(C) is the section that criminalizes any activity that violates the terms and conditions of access to a website, forum, or similar computer system, regardless of intent. In contrast, (a)(4) criminalizes the same activities, but requires intent to defraud. If (a)(2)(C) is removed and (a)(4) is left intact, the issue of vagueness is eliminated while preserving the ability to punish bad actors.
See? Less evil.