As the year draws to a close, EFF is looking back at the major trends influencing digital rights on 2011 and discussing where we are in the fight for free expression, innovation, fair use, and privacy.
EFF has long been concerned about the Computer Fraud and Abuse Act (CFAA), a federal law that allows people to be sued civilly and charged criminally with a host of anti-hacking offenses. 2011 has been a landmark year for prosecutions under the statute, with the feds pursuing aggressive, high-profile cases against members of Anonymous and LulzSec, as well as open access advocate Aaron Swartz.
Among other things, the CFAA makes it illegal to "intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer." Courts have struggled to figure out exactly what this hopelessly vague provision means. Over the past few years, private companies and the government have argued for a broad interpretation that would make it illegal to access computers in violation of private agreements like employment policies or website terms of use—the long, one-sided documents that users often "agree" to without ever having read. This is a bad idea because it would give companies great coercive power to criminalize behavior they don't like, harming the interests of consumers and innovation.
Some companies tried to push the law far beyond its limits again in 2011. In Sony v. Hotz, a case that eventually settled, Sony claimed that users violate the CFAA when they access their own video game consoles in ways Sony doesn't like. And in Lee v. PMSI, Inc., a company struck back against a former employee who filed suit for wrongful termination, unsuccessfully arguing that she violated the CFAA by spending too much time surfing the Internet at work in violation of company policy.
But the long-running debate over the scope of the CFAA took a troubling twist when a three-judge panel of the Ninth Circuit decided in United States v. Nosal that employees break the law when they use their work computers for purposes that violate a company's computer use policy—a decision with potentially serious implications for Internet users who violate terms of use. The court recently reheard the case en banc and is considering whether to change the result.
As these cases unfolded in the courts, the Obama Administration pushed to expand the scope of the CFAA and enhance penalties, which is a dangerous move when it's so unclear what the law criminalizes. Thankfully, Senators Grassley, Franken and Lee introduced a proposal to clarify that it's generally not a crime to violate website terms of service or acceptable use policies. Though we think the amendment could be even better, it's a step in the right direction and we hope the Senate passes it in 2012.