To date, thousands of people have sent messages to Congress demanding reform of the Computer Fraud & Abuse Act through EFF alone, not counting the ones sent through our friends at Demand Progress and elsewhere. But the citizens of the Internet will need to shout even louder if we’re going to drown out the corporate interests that have already dedicated hundreds of thousands of dollars to influence lawmakers to change the CFAA for the worst.
Take, for example, the Software & Information Industry Association (SIIA), which describes itself as “the principal trade association for the software and digital content industry.” The group’s board of directors is made up of the captains of the computing industry, including executives from Oracle, Adobe, IBM, Red Hat and Intuit, each of which pay up to $125,000 a year in dues to the SIIA. In 2012 alone, the SIIA dropped a whopping $880,000 to lobby Congress and federal agencies on digital issues.
In August 2012, before Aaron Swartz’s death, SIAA provided the federal government’s Intellectual Property Enforcement Coordinator with 19 pages of formal comments on the national policy on cyber affairs. One section is titled, “Preserving and Improving the Computer Fraud and Abuse Act.” Regarding the bi-partisan efforts led by Senators Chuck Grassley, Al Franken and Mike Lee to reform the “exceeding authorized access” part of the law so it doesn’t criminalize terms of service violations, SIIA wrote:
We, therefore, urge that the IPEC in the Joint Strategic Plan state its opposition to proposals that would limit the definition of “exceeds authorized access” in the CFAA in any way that would prevent its application to violation of contractual obligations or agreements.
Now we expect that some of the companies on SIIA’s membership roster actually are sympathetic to fixing the CFAA, especially in light of Aaron’s death. And of course, many rank-and-file employees are already independently voicing their opposition to the law. Yet, these companies’ dues funded at least three lobbyists who were working on the hill last year to oppose even modest CFAA reform.
As we’ve written before, the CFAA has been expanded and morphed since it originally passed in 1984 so that it now threatens draconian and out-of-proportion punishments for acts that cause little or no economic harm. It has also been used to threaten innovators and security researchers. Worse, since the Justice Department's expansive interpretation would criminalize website terms of service violations, the CFAA threatens to turn virtually everyone online into a criminal. The SIAA is directly opposing this last portion, the one that has broad support by actual users of websites.
After all, many sites alter their terms of service with little or no notification and these terms are written incredibly broadly to allow websites to refuse service to users for practically any reason. No user could reasonably be expected to understand or even follow the myriad of terms they implicitly agree to everyday. For example, EFF recently outlined numerous news agencies with terms of service that forbid minors from visiting their sites; even Seventeen magazine’s website until recently barred users under 18.
The Department of Justice’s computer-crimes prosecution manual even encourages U.S. Attorneys to pursue this legal theory, describing it as “relatively easy to prove.”
Thus, at least based upon its statements to IPEC in August 2012, the SIIA opposes even the most common-sense changes to the law. The organization’s main concern was civil litigation, but they also argued that the criminal provisions should remain in place (although they do leave room for compromise).
While we understand that there are concerns that the CFAA is being too broadly enforced in the criminal context we think that there are other, more effective, ways to address this issue than the present legislative proposals which would prevent actions from being brought under the CFAA that are based on a violation of a contractual obligation or agreement. At the very least these, since these concerns only appear in the criminal context, any legislative proposals to limit the CFAA should only apply to criminal cases.
The SIAA was completely wrong when it suggests that CFAA reformers aren’t concerned about how the law is used in civil proceedings. On March 12, 2013, a coalition of online businesses (including Mozilla, Reddit and Vuze) sent a letter to Congress laying out how CFAA stifles innovation. Among the examples were several cases in which corporations used alleged violations of terms of service to sue and threaten potential competitors.
The organization hasn’t announced any change in its position, though it did warn members in a newsletter that Aaron Swartz’s tragic death “likely increased support among policymakers to reform the CFAA sooner, rather than later.”
The SIIA invests roughly $220,000 per quarter to promote its legislative agenda. But the best way to counter this in a legislator’s ear is with the voice of a constituent. Take a moment to show that citizens trump corporations by sending a message to your member of Congress.
And if you work for a company on the SIIA’s roster, tell the association its time to get on board with sensible CFAA reform.