(ISC)2 preaches that the Computer Fraud and Abuse Act (Wikipedia version here) is landmark legislation for the prosecution of “computer crime”. It was originally crafted in 1986 to allow the feds to protect national security interests and Robert “the Morris Worm” Morris was its first victim. Over the years since, the CFAA has been amended and expanded as follows.
- In 1994, it was amended to allow private parties to file civil lawsuits if a violation resulted in loss or damage. This allowed several corporations to sue employees and former employees suspected of stealing information for competitive purposes.
- In 1996, Congress further broadened its scope to pertain to any computer involved in interstate commerce.
- In 2001, in response to the 9/11 terrorist attacks, the USA Patriot Act amended the CFAA to allow search and seizure of records from ISPs.
- In 2008, the Identity Theft Enforcement and Restitution Act amended the CFAA to allow companies to file cases even if their losses are less than $5,000.
Some worry that the CFAA has been interpreted with too much leeway and thus could be used to criminally charge employees for violating their companies’ use policies and any individuals for violating terms of service set by an ISP or a website. CNET reported that a left-right coalition including the Center for Democracy & Technology, the Competitive Enterprise Institute, the American Civil Liberties Union, Americans for Tax Reform, the Electronic Frontier Foundation, and FreedomWorks engaged the Senate formally in September. An excerpt from their letter states:
Our primary concern – that this will lead to overbroad application of the law – is far from hypothetical. Three federal circuit courts have agreed that an employee who exceeds an employer’s network acceptable use policies can be prosecuted under the CFAA. At least one federal prosecutor has brought criminal charges against a user of a social network who signed up under a pseudonym in violation of terms of service.
These activities should not be “computer crimes,” any more than they are crimes in the physical world. If, for example, an employee photocopies an employer’s document to give to a friend without that employer’s permission, there is no federal crime (though there may be, for example, a contractual violation). However, if an employee emails that document, there may be a CFAA violation. If a person assumes a fictitious identity at a party, there is no federal crime. Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation. This is a gross misuse of the law. The CFAA should focus on malicious hacking and identity theft and not on criminalizing any behavior that happens to take place online in violation of terms of service or an acceptable use policy.
NPR reports that the group is testifying before a House Judiciary subcommittee this week.