In the wake of social justice activist Aaron Swartz's tragic death, Internet users around the country are taking a hard look at the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. As we've noted, the CFAA has lots of problems. In this three-part series, we'll explain these problems in detail and why they need to be fixed. For more details about our proposal for CFAA reform, see part 1 and part 3.
As Congress discusses Aaron's Law, it will debate how the law should treat users who work their way around technical measures aimed at identification, tracking, or preventing interoperability with other programs or services. Right now, the law is written in a way that treats those folks as criminals just the same as those who bypass access barriers in order to steal information or commit other malicious acts. The current draft of Aaron's Law, posted on Reddit by Rep. Lofgren on February 1, goes part of the way to fixing this, but not all the way yet.
Of course, companies are free to use technological measures to serve their business purposes, such as efforts to try to persistently identify users. But the law shouldn't back up these tools with the sledgehammer of the CFAA's harsh criminal penalty scheme. Put another way, the law shouldn't punish a user's method of access; it should punish wrongful trespasses and any harm caused by them.
There are important reasons not to over-criminalize the simple side-stepping of technical measures. EFF has long advised researchers, innovators and activists who seek to avoid these measures for good reason, including discovering security vulnerabilities that attackers can use against us so that those flaws can be fixed. We've also seen companies use the CFAA to threaten competitors who create add-on innovation dependent on services working with each other, such as tools that add maps to apartment-hunting websites or make it possible for Internet users to view their social networking services together in a single browser. And as technical measures for tracking us online become all too common, the CFAA looms as a dangerous deterrent to prevent people from developing tools or taking steps to protect their privacy and avoid being tracked for purposes ranging from price discrimination to political intimidation. This is not just for "geeks;" ordinary people should be able to protect their privacy, exercise self-help, and use tools that let them access or send information in new ways. Here are a few examples.
1. Protecting Privacy
A person seeks to access information about a disease that he has just been diagnosed with or a religion he is interested in, but wants to protect his privacy while looking at this information. Depending on how he chooses to access the information, he faces tracking by cookies, IP logging, or MAC address logging by his ISP or router, which can reveal his activities to his ISP, the online services he uses, advertising networks and the other third parties who have access to them, and possibly even the government without a warrant.
Similarly, a person might want to send critical information about a crime to the police or his congressional representative, but is concerned about retaliation from the bad guys. The best advice for someone in that situation is to eliminate all tracking of his activities, which likely includes removing cookies, changing IP addresses and MAC addresses among others.
It should not be a crime to take steps to change your IP address, MAC address and similar identifiers for the purpose of protecting privacy or maintaining anonymity, as long as you are not engaging in identity theft.
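The two scenarios above both turn on changing a hardware identifier. As an added illustration (not code from the EFF post, and not a recommendation about any particular product), the Python below generates a replacement MAC address that is safe to assign: in an IEEE 802 48-bit address the low bit of the first octet marks multicast and the next bit marks a "locally administered" address, so a privacy MAC should set the second and clear the first, rather than being six random bytes. The `ip link` commands returned by the last helper are the standard Linux way to apply such an address; the interface name is a placeholder.

```python
"""Locally administered MAC addresses for privacy.

Added example; not part of the original article. Assumes IEEE 802 48-bit
addresses, where in the first octet bit 0 (0x01) means multicast and
bit 1 (0x02) means "locally administered" (not a vendor-assigned OUI).
"""
import random
import secrets
from typing import List, Optional

MULTICAST_BIT = 0x01
LOCAL_BIT = 0x02


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six raw bytes; raises ValueError otherwise."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated octets: {mac!r}")
    return bytes(int(p, 16) for p in parts)  # int() rejects non-hex, bytes() rejects >0xff


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_unicast(mac: str) -> bool:
    return parse_mac(mac)[0] & MULTICAST_BIT == 0


def is_locally_administered(mac: str) -> bool:
    return parse_mac(mac)[0] & LOCAL_BIT != 0


def random_privacy_mac(seed: Optional[int] = None) -> str:
    """Fresh random address with the U/L bit set and the multicast bit clear.

    Pass a seed only for reproducible tests; real use should leave it None so
    the bytes come from the OS CSPRNG and the address is not guessable.
    """
    if seed is None:
        raw = bytearray(secrets.token_bytes(6))
    else:
        raw = bytearray(random.Random(seed).getrandbits(8) for _ in range(6))
    raw[0] = (raw[0] | LOCAL_BIT) & ~MULTICAST_BIT & 0xFF
    return format_mac(raw)


def linux_set_mac_commands(iface: str, mac: str) -> List[List[str]]:
    """The iproute2 sequence to apply an address on Linux (interface must be down).

    Returned as argument lists for subprocess; the caller runs them as root.
    """
    if not (is_unicast(mac) and is_locally_administered(mac)):
        raise ValueError("refusing to assign a multicast or vendor-looking address")
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]
```

The refusal in `linux_set_mac_commands` is deliberate: a multicast source address is rejected by most drivers, and reusing a real vendor OUI can itself be a tracking signal.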
2. Protecting Innovation
An entrepreneur creates a website that allows a user to view his social networking services in a new, innovative way, such as ordering posts by poster or topic rather than timeline, prioritizing the user's family members' posts, or combining content from the user's various social networking services on the same page. One anti-competitive social networking service disapproves of this, and so blocks the IP address of the website.
It should be legal for an interoperable service to avoid an IP block in order to offer a useful add-on service to users.
3. Protecting Security Research
A user finds that her online account with a dating website has been hijacked. In investigating what happened, she begins testing the URL structure for the dating website. She discovers that anyone can access her account, including her private information, contacts and dating history, all without putting in a new password, but simply by typing in the right URL. She determines that she could do this for many other users as well as herself. She wants to inform the company and demonstrate what she discovered so that the company can fix the big security hole she found.
It should be legal for someone to investigate the URL structure of a website to determine if there are security flaws.
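The flaw in scenario 3 is usually called an insecure direct object reference: the server trusts the identifier in the URL instead of the logged-in session. The Python below is an added illustration, not code from any real dating site or from the EFF post; the user records, the `/profile/<id>` route and the session model are constructed. It shows the vulnerable handler next to the fixed one, and a `probe` helper that does what the researcher did: walk the ID space with one session and see which records come back.

```python
"""Insecure direct object reference (IDOR) in a profile endpoint, before and after.

Added example; not part of the original article. The data, route shape and
session model are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample accounts with the kind of private fields scenario 3 describes.
USERS: Dict[int, dict] = {
    101: {"name": "alice", "contacts": ["bob", "carol"], "history": ["met bob"]},
    102: {"name": "bob", "contacts": ["alice"], "history": ["met alice"]},
}

Response = Tuple[int, Optional[dict]]  # (HTTP status, body)


@dataclass
class Request:
    session_user_id: Optional[int]  # who the session cookie says is logged in; None = no session
    path: str                       # e.g. "/profile/102"


def parse_user_id(path: str) -> Optional[int]:
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "profile" and parts[1].isdigit():
        return int(parts[1])
    return None


def profile_vulnerable(req: Request) -> Response:
    """Returns whatever record the URL names. The session is never consulted,
    so anyone who can type a URL can read anyone's account."""
    uid = parse_user_id(req.path)
    if uid is None or uid not in USERS:
        return 404, None
    return 200, USERS[uid]


def profile_hardened(req: Request) -> Response:
    """Same route, but authorization is decided from the session, not the URL."""
    uid = parse_user_id(req.path)
    if uid is None:
        return 404, None
    if req.session_user_id is None:
        return 401, None
    if uid != req.session_user_id:
        # Checked before the existence lookup so the response does not reveal
        # which IDs are real accounts.
        return 403, None
    if uid not in USERS:
        return 404, None
    return 200, USERS[uid]


def probe(handler: Callable[[Request], Response],
          session_user_id: Optional[int], ids: Iterable[int]) -> List[int]:
    """The researcher's check: with one session, which IDs return a record?"""
    return [uid for uid in ids
            if handler(Request(session_user_id, f"/profile/{uid}"))[0] == 200]


if __name__ == "__main__":
    print("vulnerable:", probe(profile_vulnerable, 101, range(100, 105)))  # other users leak
    print("hardened:  ", probe(profile_hardened, 101, range(100, 105)))    # only own record
```

Against the vulnerable handler the probe returns every real account; against the hardened one it returns only the session owner's, and foreign IDs get the same 403 whether or not they exist. The fix is to derive the record from the authenticated identity (or check ownership against it), never from a client-supplied identifier alone.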
4. Working Around Discrimination Systems
Last month, the Wall Street Journal reported that the office supply giant Staples was using cookies to perform price discrimination. Specifically, Staples was using cookies that stored users' ZIP codes to show consumers different products and prices on the Staples web site based on the consumers' geographic locations. The current version of Aaron's Law would protect users who delete or modify "identifiers" that are used to track them, including cookies that contained a unique ID. That may be sufficient, but since the cookies reported by the Wall Street Journal do not identify any particular user and simply store a ZIP code, more clarity might be needed to ensure it's legal to delete them.
A user should not face criminal penalties for deleting her cookies or taking other steps in order to get the same price as other consumers regardless of where she lives.
5. Malfunctioning Systems
Firewalls, servers and other network equipment can be very complicated devices, and it is common for them to malfunction and block users without any intent on the administrator's part. Authorized users often try to find a way to avoid the problems caused by the misconfigured device, especially when real technical support is sparse, and these efforts should not be criminal.
For instance, a cable modem subscriber buys a wireless router to share an Internet connection within her home. The cable modem is provisioned to allow only one device, identified by its MAC address, to connect. The family uses the "Clone MAC Address" feature of the wireless router to copy the MAC address of their laptop, so that the router presents the address the modem already accepts and can connect to the Internet. This simple workaround should not violate the law.
Criminal Law Still Reaches Actual Intrusions and Actual Harm
EFF's proposal still leaves plenty of room—and plenty of severe criminal penalties—for punishing actual computer intrusions and redressing actual harm. If Congress adopts EFF's full CFAA reform proposal, it will still be a serious crime for an outsider to steal proprietary information. It will still be a serious crime to knowingly transmit code that damages a computer, to traffic in passwords, or to engage in extortion by using threats of intrusion. It will still be a crime to take information from other people's computers for fun or to make a political point, and it will be a serious crime if actual harm occurs as a result. (We'll be discussing more about the penalty adjustments we've proposed in Part 3 of this series.)
And remember, an array of other serious criminal laws will still exist if we amend the CFAA and these will still apply to computer-related activity. These include falsifying identification (18 U.S.C. §1028), stealing trade secrets (18 U.S.C. § 1832), copyright infringement (including if there is no monetary gain) (17 U.S.C. §506, 18 U.S.C. § 2319), extortion (18 U.S.C. § 2113(a), 18 U.S.C. § 1951, and/or 18 U.S.C. § 875), and circumventing technological measures aimed at protecting copyrighted works for financial gain (17 U.S.C. §§ 1201-1202, 1204).
The Big Picture: The Computer Fraud and Abuse Act Should Criminalize Wrongful Intrusions Into Computers
This second part of EFF's proposal is a difficult one to articulate. It requires serious thinking about how technology and law should interact, and we are open to continuing the discussion about how best to get there. Aaron's Law v.2 is a good start, but we think it should more clearly protect all of the scenarios above.
Computer crime law needs to target actual bad acts—breaking in, stealing information, harming computers, damaging networks. The CFAA now sweeps in a much broader swath of activity, which is why it is such a dangerous weapon in the hands of overzealous prosecutors and requires reform. In some of the cases that EFF's proposal language seeks to protect, users are plainly doing the "right" thing; in others there are shades of grey, but those are best left either as a moral issue or addressed by other laws that target any harmful effects of the acts rather than the method of access.
The law needs to protect tinkerers, security researchers, innovators, and people who seek to avoid being tracked and discriminated against. The CFAA not only fails to protect these people, it allows ambitious prosecutors (and unhappy companies) to target them. Aaron's Law amendments to the CFAA must stop that. Please join EFF in calling on Congress to fix the CFAA by sending an email to your elected representatives now.