Proposed Expansion of CFAA Would Open Technology Users to Unreasonable Prosecution

 The House Judiciary’s Crime, Terrorism, and Homeland Security Subcommittee is slated to consider a measure this month that would expand the Computer Fraud and Abuse Act. While the draft legislation is intended to protect the security of American computer systems, its vague language would instead open consumers to massive criminal and civil penalties. In response to this concern, Digital Liberty signed on to a coalition letter urging Congress to reject the draft legislation and instead amend the CFAA in a modern, sensible manner.


The CFAA currently imposes criminal and civil liabilities on those accessing protected computers with or “in excess” of authorization. This vague language allows litigants to pursue judicial action when an individual simply uses a computer in a manner that the system owner does not approve of.


Unfortunately the legislation being considered by the House does not work to better define what constitutes a breach of computer security. Instead it dramatically expands the CFAA by increasing maximum penalties for violations and eliminating the distinction between hackers and honest users who are permitted to “obtain or alter the same information” but do so in a way or for a reason not approved of by the server owner.


Some may claim that the bill limits the CFAA by specifying categories of information protected from access and thus narrowing the application of the section (a)(2)’s “exceeds authorized access” crime. Yet in fact, the change would expand that statute’s application by criminalizing those activities that involve broad information categories. For example, under this proposed change, it would be a felony to lie about your age on an online dating profile if you intend to contact another person online and ask them personal questions.


The move to amend the CFAA comes after the discovery that US computer systems are frequently exploited by foreign hackers. Considering this vulnerability, it is understandable that lawmakers would move to strengthen cyber security. Yet expanding the CFAA and authorizing harsher penalties to even more online actions is not the answer. Doing so will only open more honest citizens up to lengthy lawsuits and punishments for common online actions.


The House is right to consider ways to improve America’s cyber security. However amending the CFAA in the proposed manner is clearly not the answer. Instead, Congress should consider amendments that would modernize the CFAA and implement sensible fixes that protect, rather than persecute, the average internet user while fending off malicious attacks.


Read the full text of the coalition letter here.