ABA Journal


National Pulse

Hacker’s Hell: Many want to narrow the Computer Fraud and Abuse Act

May 1, 2013, 08:40 am CDT


I’m not so sure that “email addresses are like phone numbers”. Oftentimes, in order to establish an online account with a business, one has to provide not only one’s email address but a number of other personal items of identification (address, d.o.b., credit card number, etc). So the ability to access a business’s client information and retrieve email addresses carries with it an ability to access other forms of identification. Having said this, I agree with one of the underlying premises of this article—namely, that US Attorneys have too much power under the current CFAA to prosecute computer “crimes”. The sanctions mentioned in this article for violations (even what seem to be minor violations) of the CFAA are staggering. One wonders whether prosecutorial resources couldn’t be put to better use attempting to stem violent crimes and their perpetrators. Sure, if fraud was either the intent or the outcome of a CFAA violation, then it should be investigated and pursued. Too often, however, it seems that federal prosecutors go on witch hunts to identify and nail computer hackers when no real harm has occurred. Such cases may, technically, be a violation of federal law. But, too, there is such a thing as “prosecutorial discretion”. US Attorneys use their discretion to not prosecute many more serious crimes (federal firearms violations come readily to mind). Is it merely because prosecuting computer crimes is so much “sexier” that it gets the attention it does? This doesn’t seem to me to be a valid reason for prosecuting one set of crimes over another, especially if the computer crime in question has resulted in no harm.

By David on 2013 04 30, 12:35 pm CDT

The issue with Aaron Swartz is not the act so much as it was the overzealous prosecution.  Carmen Ortiz misplaced her ethical duty to the defendant and the people.  To threaten a citizen with a term of prison that the U.S. Attorney and her office knew would not be imposed was unethical.  Moreover, Carmen Ortiz’s prosecution of this case underscores the lack of knowledge a U.S. Attorney has in this area of the law.

By A. Frank on 2013 04 30, 12:39 pm CDT

Questions re: terms of service violations under the CFAA - If my terms of service say “by accessing this web page, you agree not to include this site on any search engine,” for example, would Google be in criminal violation of the CFAA if they indexed my site?

By Charles on 2013 04 30, 2:10 pm CDT

the trouble with 1030a2 is that it is violated by millions of unwitting innocent people every day, and thereby give prosecutors the discretion to put a few they choose in prison.

legislators’ zeal to criminalize something related to every newsworthy bad event has laid the foundation for a police state—everything from regulatory offenses to acts innocent in themselves but in a few cases are related to a real crime—where a cop and a prosecutor can decide that somebody deserves prison, do a little snooping, indict, and then there’s no defense because they did in fact violate a criminal statute that millions of others do but are not prosecuted

By fred on 2013 04 30, 2:34 pm CDT

Given the apparent surfeit of prosecutorial resources that the government seems to have, why don’t they use some of those resources to prosecute the jerks who constantly robocall me, offering to reduce my credit card interest rates?

By emjaycee on 2013 05 01, 7:50 am CDT

The lack of balance in this article disappointed me. Any practitioner of criminal law could tell you that there is often a large gap between the maximum possible sentence proscribed by the legislature and the sentence that a court will actually impose. A quick study of any set of sentencing guidelines shows this. Thus, saying that it is prosecutorial abuse to charge the defendant with violation of the various laws that he broke is not a well-reasoned argument.

  Mr. Downey decided that he did not like the policies of PayPal, so he shut their business down. In a brick and mortar world, we would not view him as a hero. The distributed denial of service attack that he launched was the same tool used against Estonia and Georgia and is used by extortionists to get money from businesses. It was the subject of recent news about the attack on Spamhaus.

  Mr. Swartz decided that he did not like the constitutional judgment that there is value in giving a financial incentive to “authors and inventors” “to promote the progress of science and the useful arts.” (U.S. Constitution, Article I, Section 8,clause 8). He felt that “information should be free.” He did more than take copyrighted works (and J-Stor was a licensee, not the copyright holder). He attempted to remove forever the copyright protection by making them available digitally to the world.

Making information free is not necessarily a positive good. If the Internet had been available in the 1950s, how would we view a KKK member who hacked the membership database of the Alabama branch of the NAACP and posted it online? (NAACP v. Alabama, 360 U.S. 240 (1959)).

    There is no doubt that Mr. Swartz’ suicide is an unfortunate event. However, it is likely that the same mental imbalance that drove him to “free” information and to take steps to defeat the efforts stop him played a role in his decision to end his life.

  Mr. Nosal took confidential business information from his employer to use in his new, competing business. This is a common scenario in today’s business world, where thumb drives are easily concealed and can store massive amounts of data. I do not dispute that changes are needed to the Computer Fraud and Abuse Act. Businesses need protection against disloyal employees and the CFAA is not well drafted to cover them.

By Mike on 2013 05 03, 7:34 pm CDT

I have mixed feeling about all of this.  To be sure, the part of the law criminalizing private TOS agreements is a bit inappropriate.  We should be weary of laws that criminalize beaches of private agreements.  However I have no sympathy for Downey.  Sure, Downey, like everyone else has a right to disagree with PayPal’s stance on a particular issue, but doesn’t PayPal have a right to its opinion as well?  What if the roles were reversed?  ...say PayPal chose to terminate allowing donations to a controversial cause whose views Downey does not share?  Suppose a hacker sympathetic to that group did the same thing Downey did?

By SME on 2013 05 03, 8:25 pm CDT

Ha ha… “beaches” is supposed to be “breaches” .  Sorry!

By SME on 2013 05 03, 8:27 pm CDT

The CFAA may be overbroad and abused but you certainly cannot tell that from this article. 

Downey and Swartz are examples of the types of criminals that the act was designed to punish.  Their acts were deliberate, malicious and destructive and the prosecutors involved were perfectly correct in pursuing them.

By W.R.T. on 2013 05 25, 9:24 pm CDT

Add a Comment

We welcome your comments, but please adhere to our comment policy.

Commenting is not available in this channel entry.