Knocking the Rust off of the Anti-Hack Act

In the wake of a number of high-profile computer invasions, Congress is looking to fight back against malicious hackers. The Senate Judiciary Committee recently announced hearings identifying its preferred legislative vehicle in that race: the Computer Fraud and Abuse Act (CFAA). Chairman Patrick Leahy (D-VT) and the Obama Administration have both made proposals recently that aim to boost the performance of the CFAA -- tougher penalties, mandatory minimum sentences, and other add-ons -- in order to deter computer criminals. While these proposals tinker around the edges of the CFAA, however, they ignore a basic problem in the engine that drives the law.

The CFAA is an important tool in the fight against cybercrime, but its current language is both overbroad and vague. It can be read to encompass not only the black-hat hackers and identity thieves the law was intended to cover, but also those who have not engaged in any activity that can or should be considered a "computer crime."

How did the CFAA's engine develop this flaw? The CFAA imposes civil and criminal liability for accessing a protected computer "without" or "in excess of" authorization, but fails to define "authorization." This leaves the precise activities that are punishable unavoidably vague. In civil CFAA cases, companies angry at their employees for misusing documents have used the CFAA as a cause of action to get damages in court by arguing that the employees' behavior violated network acceptable use policies and was therefore not "authorized."

Then, on the criminal side, courts began to adopt the same line of reasoning used in the civil cases. Thus companies' network terms of use, which lay out contractual constraints on how users may use those networks, have now begun to define what constitutes criminal behavior on those networks. The consequence is that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies.

The concern is far from hypothetical. Three federal circuit courts have agreed that an employee who exceeds an employer's network acceptable use policies can be prosecuted under the CFAA. At least one federal prosecutor has brought criminal charges against a user of a social network who signed up under a pseudonym in violation of the social network's terms of service.

Such a rule, if more widely used, would allow prosecutors to pursue people for behaviors online that are obviously permissible offline. Taking a trip and pretending to be a high-flying executive at the nightclub? What happens in Vegas stays in Vegas. Pretending to be that same fictitious executive on Facebook? You could get hauled into federal court on criminal charges. Copying your buttocks on the office photocopier? Perhaps a lecture from your boss is in your future. Sending that picture by email? The law says that big fines and prison time could be coming your way.

The point is not that the majority of prosecutors would bring such charges, but that any law that would even allow them the discretion to do so is clearly flawed. Today a collection of Internet policy experts from across the philosophical spectrum sent a letter to the Senate Judiciary Committee suggesting that any action to reform the CFAA should also take the opportunity to correct this vagueness and overbreadth. Before any revision starts adding bells and whistles to this particular legislative vehicle, it should take a look at repairing the problems under the hood.