The Computer Fraud and Abuse Act (CFAA) of 1986 is a U.S. legislation that was originally designed to combat the growing concerns of computer hacking. The law imposes criminal penalties on individuals who intentionally access a protected computer without proper authorization or exceed their authorization. Over the years, the CFAA has been amended multiple times, expanding its scope and impact.
Initially, the CFAA was intended to protect computer systems operated by the U.S. government and certain financial institutions. However, changes to the law have continuously broadened its application. In 1994, Congress amended the CFAA to include civil penalties alongside criminal penalties. This allowed private corporations to sue current and former employees suspected of revealing trade secrets or proprietary information.
Another significant expansion came in 1996 when the definition of protected computers was amended to include any computer used in interstate or foreign commerce or communication. This change meant that the law’s reach extended to almost any computer, including smartphones and tablets.
The events of 9/11 prompted further adjustments to the CFAA with the passage of the U.S. Patriot Act. This amendment extended the reach of the Federal Bureau of Investigation (FBI) and permitted the search and seizure of internet service provider (ISP) records. It also expanded the list of protected computers to include those in foreign countries that affected interstate or foreign commerce or communication in the U.S.
In 2008, the Identity Theft Enforcement and Restitution Act brought additional changes to the CFAA. The act increased penalties and broadened the definition of protected computers to include any computer that is used in or affecting interstate or foreign commerce or communication. The inclusion of the phrase “or affecting” allowed the law to cover local computing activity connected to interstate commerce or communication.
However, the steady expansion of the CFAA has raised concerns and led to debates over its interpretation and scope. Critics argue that the legislation has been interpreted so broadly that it can be used to criminalize individuals for violating a company’s acceptable use policy or terms of service. This has the potential to turn many people into misdemeanor criminals.
The CFAA faced significant scrutiny when a defendant, Lori Drew, was charged in 2008 for violating MySpace’s terms of service by creating an account with a false identity. This account was then used to bully a teenager who later died by suicide. Although the defendant was initially found guilty, a federal judge later overturned the conviction, stating that it went beyond the legal authority of the CFAA. This case highlighted the potential misuse of the law to prosecute individuals for violating terms of service.
In response to concerns about the CFAA’s scope, several bills have been introduced to reform the legislation. The Personal Data Privacy and Security Act of 2011 sought to address some of the issues raised in the Lori Drew case. However, the bill did not progress in the Senate. The Aaron’s Law Act of 2013 also aimed to implement reforms but ultimately stalled in committee.
One of the most notable cases associated with the CFAA is that of Aaron Swartz, an internet activist and programmer who took his own life in 2013. Swartz was indicted on multiple counts of felony hacking and wire fraud for violating the CFAA by downloading academic journal articles. His case generated widespread outrage and renewed calls for reforming the CFAA.
Despite the push for reform, progress has been slow, with lobbying efforts and concerns over cybercrime hindering significant changes. To provide guidance on the CFAA’s application, the Department of Justice (DOJ) released recommendations for prosecutors, clarifying how to interpret key clauses of the law.
In June 2021, the Supreme Court weighed in on the CFAA in the case Van Buren v. United States. The court’s decision narrowed the CFAA’s broad scope by clarifying the interpretation of the clause “exceeds authorized access.” The defendant, Nathan Van Buren, had used his valid credentials to access a law enforcement database in exchange for money. The Supreme Court ruled that because he had legitimate access to the data, he had not violated the CFAA.
This decision has significant implications, as it prevents employers from using the CFAA to pursue employees who violate company policies but have authorized access to the computer systems. It also limits the options available to employers taking action against employees who disclose confidential information or trade secrets.
While the CFAA remains in place, debates over its scope and the need for reform continue. The recent Supreme Court decision and the DOJ’s recommendations provide some clarity, but there is still a long way to go in addressing the concerns surrounding the legislation.