Skip to Content

Government Surveillance

Hacking Law Must Be Revised to Prevent Its ‘Gross Misuse’

Today, the Center for Democracy & Technology joined a group of individuals and organizations from across the philosophical spectrum in signing a letter to Senators Patrick Leahy (D-VT) and Chuck Grassley (R-IA) on recommended reforms to the Computer Fraud and Abuse Act (CFAA).

The Senate Judiciary Committee, of which Senators Leahy and Grassley are Chairman and Ranking Member, respectively, is planning to hold a hearing on “Cybercrime: Updating the Computer Fraud and Abuse Act to Protect Cyberspace and Combat Emerging Threats.” So far, only government witnesses have been named to the panel, and they will likely submit testimony that support the Administration’s proposals to increase CFAA penalties.

The letter–which was also signed by the American Civil Liberties Union, Americans for Tax Reform’s Digital Liberty, Competitive Enterprise Institute, Electronic Frontier Foundation, Charles H. Kennedy, FreedomWorks Foundation, Orin S. Kerr, Paul Rosenzweig, and TechFreedom–recognizes the importance of the CFAA in fighting crime, but recommends updating its “overbroad and vague” language before any consideration of increasing the penalties for violations of the law.

Revisions to the CFAA are necessary because, while the law imposes civil and criminal liability for accessing a computer without or in excess of authorization, it does not clearly define “authorization.” This vagueness has led to an overbroad application of the CFAA and has exposed employees to criminal liability for breaching employers’ network terms of service, and social network users to criminal liability for violating terms of service of their social network. The letter notes:

Three federal circuit courts have agreed that an employee who exceeds an employer’s network acceptable use policies can be prosecuted under the CFAA. At least one federal prosecutor has brought criminal charges against a user of a social network who signed up under a pseudonym in violation of terms of service.

Instead of focusing solely on malicious hacking and identity theft, the CFAA has been used to turn acts into “computer crimes” that would not be considered criminal in the physical world, “[t]his is a gross misue of the law,” the letter says.  The letter cites examples, and calls for the Committee to address these issues.