A recent ruling raises questions regarding the Computer Fraud and Abuse Act (CFAA) and whether it needs to be reformed. The particular case, United States v. Nosal, upheld some of the charges against a man who used another individual’s password to access his former employer’s client database.
What is the Computer Fraud and Abuse Act (CFAA)?
The Computer Fraud and Abuse Act (CFAA) is a federal anti-hacking law passed in 1986. It has been regularly criticized for overbroad definitions of crimes, harsh penalties, and the risk it poses to legitimate security research. As the Electronic Frontier Foundation has noted, “creative prosecutors have taken advantage of this confusion to bring criminal charges that aren’t really about hacking a computer, but instead target other behavior prosecutors dislike.”
For Reason’s Scott Shackford, the United States v. Nosal ruling highlights why the CFAA needs reform.
Recent media attention to the fact that the CFAA makes it a federal crime to access a computer system without authorization is a good thing. However, according to Shackford, the CFAA’s exact wording, which criminalizes any “unauthorized access” to a computer system or database as fraud, has been in place since 1986.
Furthermore, the CFAA’s original purpose was to criminalize hacking into an account, not the voluntary exchange of a password to another person.
This overly broad interpretation of the law has prompted the ACLU to file a lawsuit against provisions in the statute that could be used to punish journalists and researchers trying to use normal and acceptable investigative techniques.
Concerns about broad use of the CFAA to prosecute individuals, like those Shackford highlights, relate to the growing issue of overcriminalization in the United States.