House Judiciary Committee’s Draft Computer Crime Bill Rehashes Old Proposals, Makes them Worse
The House Judiciary committee is reportedly circulating a discussion draft that would amend the Computer Fraud and Abuse Act (CFAA) in precisely the wrong direction.
In the wake of the tragic death of activist Aaron Swartz, US Internet freedom advocates have devoted much time and energy to pushing sensible reforms to narrow the scope of the CFAA, under which Swartz was being aggressively prosecuted at the time of his death. This draft flies in the face of those efforts, as it would dramatically enhance the already heavy penalties for violations of what Internet scholar Tim Wu recently called “the Worst Law in Technology,” while appearing to expressly overturn existing case law to say that violating terms of service or other agreements can indeed be prosecuted as a felony.
Orin Kerr at the Volokh Conspiracy points out that much of the proposal is a rehash of 2011 Administration recommendations to expand the law and criticizes the breadth of the draft’s treatment of what it means to “exceed authorize access” to a computer. Mike Masnick at Techdirt, another vocal critic of the law and how it has been prosecuted, put up a post on Monday that walks through the draft’s problems, and noted conservative security policy expert Paul Rosenzweig has blogged critically about the draft at Lawfare, noting that it “seems to answer most of what the Department of Justice wants with very little for the Internet online community in return.”
One dangerous addition to the proposal since similar language was last introduced by Senator Patrick Leahy last summer is the stark reversal of language first introduced by Senators Grassley, Franken, and Lee to greatly limit the law’s application to terms-of-service and other contractual violations. In place of that language, the current House draft says that a person can exceed authorized access in violation of the statute “even if the accesser may be entitled to obtain or alter the same information in the computer for other purposes.” This is in direct conflict with current case law on ToS violations and the CFAA, and is especially shocking in light of the longstanding bipartisan effort to get ToS violations out of the statute once and for all.
As CDT wrote in its analysis of the initial White House proposal in 2011, it does not make sense to consider expanding and enhancing penalties under the CFAA without first sensibly narrowing its scope, lest every American on the Internet risk felony charges for even minor ToS violations. Indeed, given the heavy penalties already possible under existing law, there are plenty of reasons to question whether penalty-enhancement is necessary at all.
Representative Lofgren’s office has been working with a coalition of groups including CDT, EFF, ACLU, and the Reddit community to develop just such a proposal to narrow the scope of the CFAA. We are hopeful that her work and that of the Internet advocacy community will convince the Committee to stop and rethink its approach, since the bill it is floating is exactly the opposite of the computer crime bill that we need right now.
Update: Our friends at EFF have posted their take on the draft.