The undersigned individuals and organizations wrote last month in support of making changes to the Computer Fraud and Abuse Act to ensure that it is both strong and properly focused. We mentioned that while the CFAA is an important tool in the fight against cybercrime, its current language is both overbroad and vague. It can be read to encompass not only the hackers and identity thieves the law was intended to cover, but also actors who have not engaged in any activity that can or should be considered a “computer crime.” We write again today to express our appreciation for recent action taken by the Committee on the Judiciary to address our concerns.
Last week, at a markup of Chairman Leahy’s Personal Data Privacy and Security Act of 2011 (S. 1151), Senator Grassley, with the co-sponsorship of Senators Franken and Lee, introduced an amendment that would fix a large part of the overbreadth problem in the CFAA. In particular, the amendment would remove the possibility that the statute could be interpreted to allow felony prosecutions of “access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.” The amendment passed with bipartisan support, including that of Chairman Leahy himself.