This paper examines the Computer Fraud and Abuse Act (CFAA), originally passed by Congress in 1984 to combat malicious hackers targeting government and financial computer systems. The paper traces how the law's vague language and successive expansions have allowed prosecutors to apply it far beyond its intended scope, criminalizing minor terms-of-service violations and threatening ordinary computer users with severe prison sentences. Drawing on legal scholarship and notable cases, the paper evaluates both the law's original rationale and its contemporary inadequacies, and concludes with proposed reforms including revised Justice Department enforcement policy and judicial application of the rule of lenity.
Technology has changed faster than the laws that exist to protect the public. Protecting information, particularly sensitive government information, was thought to be challenging and to raise additional regulatory dilemmas. With this in mind, Congress passed the Computer Fraud and Abuse Act in 1984. The CFAA "outlaws conduct that victimizes computer systems. It is a cybersecurity law. It protects federal computers, bank computers, and computers connected to the Internet. It shields them from trespassing, threats, damage, espionage, and from being corruptly used as instruments of fraud" (Doyle 2014: 1–2). The CFAA's provisions ban the trespassing of data, the damaging of or use of threats to damage data, and the trafficking of passwords and other sensitive data across a wide range of computers containing protected information (Doyle 2014: 1–2).
The law was passed during the pre-Internet era "as a narrow statute enacted for the reasonable goal of combating malicious hackers: people who break into computer systems and steal valuable data (like credit-card numbers) or do real economic damage" (Wu 2013). However, because of the vague wording of the law, it has been increasingly deployed by prosecutors in a much wider range of cases in a manner that makes many legal scholars profoundly uncomfortable (Wu 2013). "Over the years, Congress expanded the statute five times, adding private rights of action and making misdemeanors into felonies. Both private litigants and the Justice Department began to use the law against not only hackers but also otherwise legitimate users who violate the terms-of-service policies that come with nearly every piece of software and service we use on computers today" (Wu 2013). Thus, the original intention and spirit of the law have been violated, and needless amounts of time and energy are being diverted to prosecute relatively minor offenses.
When the law was first passed, there was concern that legitimate whistleblowers within government departments might be prosecuted, so Congress was not entirely unaware of the potential for misuse of the Act. The law does not "criminalize acts in which the offending employee merely 'exceeds authorized access to computers in his own department'" (Doyle 2014: 4). The law is limited in scope to those who are not entitled to access government computers or who engage in interdepartmental trespass.
However, other concerns have arisen regarding outside unauthorized use that may technically violate terms-of-service agreements — agreements which are arguably written in such a lengthy and confusing manner that they are impossible for a user to truly agree to when clicking a button. For example, Aaron Swartz was threatened with thirty-five years in prison for violating terms of service by downloading too many academic articles as an authorized guest on the MIT network (Wu 2013). Swartz, terrified in the face of the upcoming prosecution, died by suicide as a result.
The law has been heavily criticized by a number of groups, including civil libertarian organizations. The notion of "without authorization" is not clearly defined, and while the statute does define "exceeds authorized access," there is concern that "the meaning of that phrase has been subject to considerable dispute" in the courts and is not consistently enforced ("The Computer Fraud and Abuse Act Reform," 2014). The law has also been criticized for excessively harsh penalties. "Compounding this problem is the CFAA's disproportionately harsh penalty scheme. Even first-time offenses for accessing a protected computer without sufficient 'authorization' can be punishable by up to five years in prison each (ten years for repeat offenses), plus fines. Violations of other parts of the CFAA are punishable by up to ten years, twenty years, and even life in prison" — even if those offenses cause no material consequences to anyone ("The Computer Fraud and Abuse Act Reform," 2014).
Despite these harsh, life-altering penalties, "the law is so open-ended and broad as to be unconstitutionally vague. Over the years, the punishments for breaking the law have grown increasingly severe — it can now put people in prison for decades for actions that cause no real economic or physical harm. It is, in short, a nightmare for a country that calls itself free" (Wu 2013). For example, when Matthew Keys, a social-media editor at Reuters, helped hackers with an online prank to change a news headline, "the damage was trivial" but Keys was "threatened with two hundred and fifty thousand dollars in damages and up to twenty-five years in prison" under the terms of the Act (Wu 2013).
The Act was originally intended to prevent serious computer crimes, but such offenses no longer make up the majority of cases prosecuted under its provisions. Its scope is also growing broader: "Dating sites…usually mandate that you tell the truth, making lying about your age and weight technically a crime. Or consider employer restrictions on computers that ban personal usage, like checking ESPN or online shopping. The Justice Department's interpretation makes the American desk-worker a felon" (Wu 2013).
In its original form and era, the law was not nearly as open to abuse. Few people used computers for purposes beyond word processing, and only serious, malicious hackers were likely to break into systems to steal data. However, given the ubiquity of computers in daily life — and the ubiquity of confusing terms-of-service agreements that users must accept — virtually any computer used in commerce could now technically fall under the provisions of the CFAA.
There is some hope: growing discontent with the wording of the law has led many judges to refuse to enforce it under the common-law principle of the rule of lenity (Wu 2013). This principle states that ambiguous criminal laws should be construed in favor of the defendant, and that the less harsh alternative should be selected (Wu 2013). At least thirteen federal judges have already refused to enforce the law, rejecting the Justice Department's broad use of the Act (Wu 2013).