Reforming the Computer Fraud and Abuse Act this Congress?

By Renee Dopplick, ACM Director of Public Policy
March 21, 2013

During last Wednesday’s hearing on “Investigating and Prosecuting 21st Century Cyber Threats,” the House Judiciary Subcommittee on Crime, Terrorism, Homeland Security and Investigations explored whether Congress should change what constitutes a cybercrime under the Computer Fraud and Abuse Act (CFAA). Overall, lawmakers expressed concern about potentially weakening the CFAA’s criminal provisions but recognized that the CFAA might need amending to address emergent trends in cybercrimes.

House Judiciary Committee Chairman Bob Goodlatte (R-VA) attended the hearing and succinctly summarized the challenge lawmakers face in the context of the evolving cyber landscape. He stated, “Our challenge is to create a legal structure that protects the invaluable government and private information that hackers seek to exploit while allowing the freedom of thought and expression that made this country great.”

Subcommittee Chair Jim Sensenbrenner (R-WI) expressed concern about weakening the criminal provisions for computer crimes because cyber theft of intellectual property, particularly by foreign governments, poses a serious threat to the American economy. He noted that the CFAA has been amended eight times since its enactment in 1986 to keep pace with the evolution of computer crimes. He stated, “it may be time for Congress to augment and approve the CFAA and other criminal statutes to enable law enforcement to combat international criminal enterprises.”

Subcommittee Ranking Member Robert Scott (D-VA3) referred to the CFAA as “a law whose breadth of scope and sometimes questionable application has already generated concern by citizens and narrowing by the courts.” He entered into the record a letter signed by roughly twenty internet companies and advocacy groups expressing concern with the scope of the CFAA. Rep. Scott did not mention Rep. Zoe Lofgren’s (D-CA) not-yet-introduced bill to amend the CFAA to exclude terms of service violations. Although supportive of considering possible reforms, he stated, “While it’s the job of Congress to evaluate and update our laws in response to changing circumstances, we have to be careful that any changes we make will actually improve the law and not just ratchet up penalties in an exercise of sound-bite politics.”

CFAA legal expert and GWU law professor Orin Kerr told the Subcommittee that additional legislative reforms to the CFAA are needed to provide greater legal certainty and clarification of what conduct falls within the scope of federal criminal law. He observed that the CFAA “will only become more important over time” because of the increased use of computers by the American public. He asserted that the CFAA should apply only to hackers, as commonly understood to be individuals who circumvent technological access barriers. Kerr encouraged Congress to consider eliminating the phrase “exceeds authorized access” as a triggering threshold in the statute and to define clearly the remaining threshold of “access without authorization.”

Kerr cautioned against using the CFAA to address a broader scope of cyber conduct because the broader approach “inevitably ends up covering a great deal of innocent activity.” He stated the CFAA should not apply to those who happen to commit another crime that involved a computer or who happen to violate written terms of service. He concluded by recommending Lawrence Lessig’s lecture on “Aaron’s Laws – Law and Justice in the Digital Age,” available on YouTube.

Business Software Alliance President and CEO Robert Holleyman asked the Subcommittee to consider federal policies to improve our ability to deter criminal behavior through appropriate punishment for serious cybercrimes, to strengthen law enforcement tools and resources, and to promote the real-time sharing of cyber threat information. In pursuing improved deterrence and prosecutions, he warned against being “overzealous in prosecuting people for innocent mistakes or minor infractions.”

U.S. Attorney Jenny Durkan told the Subcommittee that Congress needs to clarify what constitutes “exceeds authorized access” under the CFAA yet, in doing so, needs to ensure that law enforcement will still have the necessary tools to investigate and prosecute insiders whose thefts of trade secrets, intellectual property, and sensitive data pose significant risks to national security, economic interests, and individual privacy. She noted that cyber criminals have “shifted from targeting credit cards and other personal data to the intellectual capital of large corporations,” with the threat coming from both outside hackers and insiders. She noted the role of the U.S. Department of Justice’s Computer Crime and Intellectual Property Section, its Computer Hacking and Intellectual Property (CHIP) Units, and its National Security Division in aggressively addressing these threats.

Harvard University law professor James A. Baker, in his testimony before the same Subcommittee in 2011 on the outlook for cybersecurity, also shared the concern that we shouldn’t weaken the CFAA. He spoke in support of strengthening the CFAA. He stated, “Unnecessarily restricting the scope of the CFAA on the basis of one or two cases will needlessly tie the hands of prosecutors to the advantage of those who use computers to undertake fraudulent activities and abuse their otherwise authorized access to computers to harm others.”

Overall, the stage is set for legislative proposals to reform the CFAA for the ninth time. Given Attorney General Eric Holder’s remarks before the Senate Judiciary Committee earlier this month about wanting to ensure that prosecutors use enforcement tools in “appropriate ways” and to seek jail time only where “absolutely needed” for CFAA-related crimes, there could be less pressure for Congress to amend the CFAA to explicitly exclude terms of service violations, a reform proposed by Senators Chuck Grassley (R-IA) and Al Franken (D-MN) during the last Congress. Senator Patrick Leahy (D-VT), who supported the Grassley-Franken proposal last year, asked Holder at this month’s hearing whether the Department of Justice could review its prosecution guidelines for CFAA cases and “consider revising those guidelines to prohibit prosecutions based solely upon conduct involving a violation of terms of use agreement.”