The Computer Fraud and Abuse Act, or CFAA, is one of the most controversial pieces of legislation in recent years. Written in 1984, the CFAA’s purpose was to criminalize hacks into military and banking computer systems, but it has become outdated, and the scope of the law has expanded exponentially in recent years. The CFAA has been used in some high-profile tech cases, including Bradley Manning and Matthew Keys. The CFAA was used against Reddit co-founder Aaron Swartz, which led to his tragic suicide in mid-January 2013. And now, it seems like the bill is only getting stricter.
According to an updated draft of the CFAA that’s been circulating in the House Judiciary Committee, the bill may get a lot harsher than it was previously. A copy was obtained by The Hill, and you can check it out at the end of the article.
It seems like the bill would increase penalties for cyber crimes and create a protocol for companies to notify their users when personal data has been compromised. In addition, it would change the law so that an attempted hack is punishable by the courts to the same degree as an actual hack.
Internet activists will undoubtedly rise up against this new, updated version of the CFAA. When Swartz committed suicide on January 11, 2013, a possible motive was that the 26-year-old was facing 35 years in prison and a $1 million fine for hacking into MIT and publishing academic papers for free online.
No one knows which congressman is sponsoring the updated bill, since the bill is unnamed, but a House Judiciary aide told The Hill that the bill is still in the early stages and could be altered. The bill proposes increasing the maximum sentence a judge can impose for computer crimes, though the aide told The Hill that it is doubtful that Swartz’s sentence would have been any different. However, since the prosecution was pursuing the maximum 35-year sentence (though the prosecutor Carmen Ortiz says differently), what’s to say that they wouldn’t have pursued a harsher penalty for Swartz’s “crime”?
However, Internet activists who are trying to limit the CFAA, not make it stronger, do have allies in Congress. Rep. Zoe Lofgren (D-California) has been trying to fix some key issues in the CFAA.
While cybersecurity legislation is necessary after major companies, both public and private, have been getting hacked in recent weeks — like Apple, Facebook, Twitter, the New York Times, the Washington Post, the Wall Street Journal, and even the Federal Reserve — strengthening the CFAA isn’t the right move, especially when it’s been expanded to target people for minimal crimes, like publishing academic papers so that people can learn even if they can’t pay for expensive education. David Segal, executive director of Demand Progress, a group started by Swartz, agrees. In a statement to reporters, Segal spoke in detail about his opinion regarding a stronger CFAA bill:
This proposal is a giant leap in the wrong direction and demonstrates a disturbing lack of understanding about computers, the Internet and the modern economy…Already the outdated Consumer Fraud and Abuse Act is used by overzealous lawyers to prosecute routine computer activity…If enacted this proposal could end computer security research in the United States and drive innovation and creativity overseas.
Below is a copy of the updated CFAA draft.