This paper examines the Computer Fraud and Abuse Act (CFAA), passed by Congress in 1984 to protect federal computers and information systems from unauthorized access and damage. The essay argues that despite its legitimate initial purpose, the law has been increasingly misused by prosecutors to target minor violations of terms-of-service agreements and conduct causing no material harm. The paper traces the statute's expansion over time, analyzes its inadequacies—particularly vague definitions and disproportionate penalties—and reviews a case study of Aaron Swartz to illustrate its dangers. The paper concludes that substantial reform or replacement of the CFAA is necessary to ensure justice and that the rule of law, rather than judicial discretion, governs prosecutions.
Technology has changed faster than the laws designed to protect the public. Protecting information, particularly sensitive government information, posed unique regulatory challenges. With this in mind, Congress passed the Computer Fraud and Abuse Act in 1984. The CFAA "outlaws conduct that victimizes computer systems. It is a cyber-security law. It protects federal computers, bank computers, and computers connected to the Internet. It shields them from trespassing, threats, damage, espionage, and from being corruptly used as instruments of fraud" (Doyle, 2014, pp. 1–2). The CFAA's provisions ban unauthorized access to data; the damaging of or use of threats to damage data; or trafficking in passwords and other sensitive data from a wide range of computers containing protected information (Doyle, 2014, pp. 1–2).
The law was passed during the pre-Internet era "as a narrow statute enacted for the reasonable goal of combating malicious hackers: people who break into computer systems and steal valuable data (like credit-card numbers) or do real economic damage" (Wu, 2013). However, because of the vague wording of the law, it has been increasingly deployed by prosecutors in a much wider range of cases in a manner that makes many legal scholars profoundly uncomfortable (Wu, 2013). "Over the years, Congress expanded the statute five times, adding private rights of action and making misdemeanors into felonies. Both private litigants and the Justice Department began to use the law against not only hackers but also otherwise legitimate users who violate the 'terms of service' policies that come with nearly every piece of software and service we use on computers today" (Wu, 2013). Thus, the original intention and spirit of the law have been violated, and unnecessary amounts of time and energy are being diverted to prosecute relatively minor offenses.
When the law was first passed, there was concern that legitimate whistleblowers within government departments might be prosecuted. Congress was not entirely unaware of the potential for misuse of the Act. Thus the law does not "criminalize acts in which the offending employee merely 'exceeds authorized access to computers in his own department'" (Doyle, 2014, p. 4). The law is limited in scope to those who are not entitled to access government computers or who engage in interdepartmental trespass. However, other concerns have arisen regarding outside unauthorized use that may technically violate terms-of-service agreements—which are often written in such a lengthy and confusing manner that users cannot truly agree to them when clicking a button.
A prominent example illustrates this problem. Aaron Swartz was threatened with thirty-five years in prison for violating terms of service by downloading too many academic articles as an authorized guest on the MIT network (Wu, 2013). Swartz, terrified by the prospect of prosecution, committed suicide as a result. This tragic case demonstrates how the law can be weaponized against individuals engaged in conduct that causes no material harm and arguably serves the public interest.
The law has been heavily criticized by a number of groups, including civil libertarian organizations. The notion of "without authorization" is not clearly defined. While the statute does define "exceeds authorized access," there is concern that "the meaning of that phrase has been subject to considerable dispute" in the courts and is not consistently enforced ("The Computer Fraud and Abuse Act Reform," 2014). This ambiguity creates uncertainty for both users and law enforcement about what conduct is actually prohibited.
The law has also been criticized for excessively harsh penalties. "Compounding this problem is the CFAA's disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient 'authorization' can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, 20 years, and even life in prison" even if their offenses cause no material consequences to anyone ("The Computer Fraud and Abuse Act Reform," 2014).
Despite these harsh, life-altering penalties, "the law is so open-ended and broad as to be unconstitutionally vague. Over the years, the punishments for breaking the law have grown increasingly severe—it can now put people in prison for decades for actions that cause no real economic or physical harm. It is, in short, a nightmare for a country that calls itself free" (Wu, 2013). For example, when Matthew Keys, a social-media editor at Reuters, helped hackers with an online prank to change a news headline, "the damage was trivial" but Keys was "threatened with two hundred and fifty thousand dollars in damages and up to twenty-five years in prison" under the tenets of the Act (Wu, 2013). The Act was originally intended to prevent piracy, but these offenses no longer constitute the majority of prosecutions under its provisions.
Its scope is also growing broader in troubling ways. "Dating sites typically mandate that you tell the truth, making lying about your age and weight technically a crime. Or consider employer restrictions on computers that ban personal usage, like checking ESPN or online shopping. The Justice Department's interpretation makes the American desk-worker a felon" (Wu, 2013). This expansion transforms everyday conduct into criminal activity.
Law's appropriateness in original limited context
The only defense of the egregious prosecutions of relatively minor offenses under the Act is that such prosecutorial abuses are relatively rare. However, under a government of laws, even infrequent injustices remain unjust. Moreover, there is evidence that such prosecutions are mounting, as corporations become increasingly nervous about protecting their interests in the new digital landscape. New Yorker writer and Columbia professor Timothy Wu notes the lack of legal impetus in Congress to change the law and thus states that "the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal" (Wu, 2013).
There is some hope: growing evidence suggests that discontent with the wording of the law has led many judges to refuse to enforce it under the common-law principle of the rule of lenity (Wu, 2013). "This states that ambiguous criminal laws should be construed in favor of a defendant" and the less harsh alternative should be selected (Wu, 2013). At least thirteen federal judges have already refused to enforce the law, rejecting the Justice Department's broad use of the Act (Wu, 2013).