While it is unlikely that anyone would face federal charges for borrowing or sharing a Netflix password, recent court rulings of the CFAA, the federal anti-hacking law, imply that seemingly simple actions could make someone a felon.
Do you stream Netflix on your own account or are you borrowing a password from a friend? How closely did you read your favorite social media sites’ Terms of Service? Are you sure you aren’t violating them?
Last Wednesday, September 14, the Charles Koch Institute, along with the Electronic Frontier Foundation (EFF), brought together panelists from EFF, the Center for Democracy & Technology (CDT), and Red Branch Consulting to discuss the Computer Fraud and Abuse Act (CFAA) and its implications for increased overcriminalization.
The evening began with a quick introduction from Charles Koch Institute senior research fellow and moderator for the night, Vikrant Reddy. Using examples such as helping deer on the side of the road and catching oysters at the wrong time of year, Reddy explained that overcriminalization occurs when the federal government classifies a broad range of ordinary activities as federal crimes. Over the course of the night’s discussion, the panelists described how overcriminalization relates to the CFAA, a criminal and civil law, because of the vague language it uses to describe authorization. When open to such broad interpretation, many everyday activities could become federal crimes.
Jamie Williams, Frank Stanton Legal Fellow at EFF, described the conditions under which the CFAA was formed. Partially inspired by the 1983 techno-thriller War Games, Congress became concerned about how hacking could potentially endanger U.S. national security. As a result, Congress enacted the CFAA in 1986, during the early stages of the internet.
At its core, the CFAA prohibits individuals from accessing computers without authorization. However, Williams noted, Congress used vague wording because lawmakers were uncertain about the impact the internet would have on society.
Critical court cases have exposed the issues and flaws with the CFAA’s vague wording. The most recent case, United States v. Nosal (2011), further highlights the need for clarity. Speaking on the questions of password sharing and authorization that the Nosal case raised, Gabe Rottman, deputy director of the Freedom, Security, & Technology project at CDT, argued that “there’s no limiting principle” when it comes to the CFAA, meaning average citizens can unknowingly become felons.
Offering an in-depth legal perspective, Paul Rosenzweig, principal at Red Branch Consulting, stated that the odd construction of the CFAA “leaves the definition of authorization empty of statutory meaning,” causing the scope of intent to fall to private citizen actors as opposed to a federal power.
Furthermore, Rosenzweig argued for the need to clearly define intent, stating, “Criminal law is intended to be definite … it is intended to give people a reasonable understanding of what is prohibited. Here, you can’t know what is criminal.”
Put simply, the CFAA has two large flaws. First, its vague wording makes it difficult to interpret whether a person has permission or “authorization” to access a computer. Second, it does not include a definition of intent, opening up the possibility that people could accidentally become criminals.
Rottman also warned that the CFAA could create a chilling effect for researchers working to improve information and protect against hacks, since their methods could potentially violate what the CFAA views as authorization.
Intent, as well as authorization, were both key terms that dominated the evening’s conversation, leading Reddy to ask the panelists how the CFAA impacts mens rea. Rosenzweig explained that ignoring mens rea, or the idea that a criminal act means willfully or intentionally doing something wrong, could lead to overcriminalization. In order to prevent this, the CFAA needs to clearly define criminal action as something that is done with the express the intent of accessing a computer in order to steal information or cause harm.
The conversation then moved to the penalties of the CFAA. As Williams explained, “The penalties are why it’s so crazy. … A first time violation can be one to five years, the second, 10 to 20 years.” In terms of accidental crimes, the mandatory minimums the CFAA sets could only contribute to the problems faced in the criminal justice system.
Williams said that although some progress has been made in the courts, the CFAA still produces inconsistent results: “We need Congress to step in and modify the law to fit where we are today … it needs to be adaptive to changes in technology.”
As technologies change and grow, more issues regarding criminal justice are likely to arise. In order to understand these issues and work toward solutions, the Charles Koch Foundation supports research related to criminal justice and policing reform, as well as technology and innovation.