Trade Law Daily is a service of Warren Communications News.
Little Hill Activity Now

Civil Liberties Groups, Others Gear Up to Campaign for CFAA Revisions Next Congress

Congressional efforts to revise the Computer Fraud and Abuse Act, the 30-year-old anti-hacking statute, ran aground this year even as civil liberties lawyers and others are raising the alarm over expanded CFAA use to "overcriminalize" routine behaviors like password sharing -- even a Netflix password, some said -- and chill security research. Electronic Frontier Foundation Legislative Counsel Ernesto Falcon told us Wednesday that with little legislative time left this year, EFF and others are looking to "reinvigorate" the issue as possibly part of a larger criminal justice package next year. "We want to make sure that CFAA doesn’t disappear because it’s a niche issue," he said. He said he has been talking with members of both the House and Senate Judiciary Committees and is "planting seeds" to try to push changes starting in January.

Gabe Rottman, deputy director for the Center for Democracy and Technology's Freedom, Security and Technology Project, said the pending Aaron's Law Act (HR-1918 and S-1030) is a "great start," but not everything. He said S-2931, co-sponsored by Sens. Sheldon Whitehouse, D-R.I., and Lindsey Graham, R-S.C., aimed at preventing botnet use for cybercrime, would make CFAA worse. "The tendency has been to expand CFAA not to constrain it," he said. "When Aaron Swartz was in the news, there was traction behind CFAA reform."

Last year, Rep. Zoe Lofgren, D-Calif., and Sen. Ron Wyden, D-Ore., introduced the Aaron's Law Act (see 1504220027), which was named after Swartz, a computer programmer who helped develop the RSS format and social news site Reddit. He committed suicide in 2013 after he was charged with 13 felony counts of hacking and wire fraud for allegedly downloading, without authorization, millions of academic articles from digital library JSTOR via the Massachusetts Institute of Technology's network (see 1601120036).

The House Judiciary Committee doesn't have plans to move Aaron's Law, but an aide emailed Thursday that it's been in discussions on changing laws to defend against cyberattacks, including changes to the CFAA and data breach notification laws. The aide said the committee has been soliciting feedback from the panel's members, several businesses, organizations and outside interest groups to reach a bipartisan agreement on how to revise CFAA. The Senate Judiciary Committee didn't comment. A Lofgren spokesman said Aaron's Law has been a priority of hers.

"One of the problems that [CFAA] presents is risk of arbitrary enforcement where prosecutors can pick and choose who they think are the truly bad actors," said American Civil Liberties Union staff attorney Esha Bhandari in an interview Wednesday. "By casting a wide net, the CFAA criminalizes a wide range of normal behaviors that people engage in every day and subject everyone to that risk." ACLU filed a lawsuit in June on behalf of academics, journalists and researchers against DOJ, challenging the law's constitutionality. Bhandari said ACLU's suit talks about First Amendment-protected activity such as researchers wanting to publish information about things they see on websites. She said the commonality of all CFAA cases is that businesses are using their terms of service to "sort of define the contours of the federal criminal law."

EFF staff attorney Jamie Williams said a July decision by a three-judge panel in the 9th U.S. Circuit Court of Appeals in U.S. v. Nosal also sparked public interest. "The week after Nosal, the internet was on fire," she said. "I think people, constituents, are paying more attention than they were before and I think that might be good." In that criminal case, which dates to 2014, David Nosal, who left executive search firm Korn Ferry to start a company, had his computer access credentials revoked by the firm. A firm employee gave colleagues who were defecting with Nosal a password so they could download information from Korn Ferry's database on Nosal's behalf.

In the 2-1 decision, Judge Margaret McKeown wrote for the majority that Nosal acted "without authorization" in violating the CFAA (in Pacer). Judge Stephen Reinhardt dissented, saying Nosal didn't violate CFAA. EFF's Williams said during a Wednesday evening Koch Institute-sponsored panel that CFAA doesn't actually define what authorization means or who it must come from, but the 9th Circuit decided it must come from the computer owner, not the account holder or employee.

In another 9th Circuit civil case involving Facebook and a social media aggregator called Power Ventures, a three-judge panel said a computer user can authorize a third party to use his or her username and password, even if it violated company policy (see 1512070061). But the panel decided (in Pacer) 3-0 on July 12 that it's a CFAA violation if the third party was notified that the computer owner revoked its authorization. About a month ago, EFF, the ACLU and ACLU of Northern California asked the 9th Circuit to review the two cases en banc to "fix the mess" from the decisions, said EFF in a blog post.