Digital Discourse / Archives for CFAA

Now is Not the Time to Weaken the Nation’s Cybercrime Laws

June 20, 2013 By

Today, legislation is being introduced in the House and Senate that would weaken the Computer Fraud and Abuse Act (CFAA), a long standing law that is critical to software and digital content companies to protect their networks and the intellectual property in their products and services.  The intent of the proposal is to reign in the possibly overzealous use of this statute by U.S. prosecutors in some recent cases, including the case that led to the tragic suicide of Aaron Swartz.  While the bill is well intended and seeks to address real concerns, the proper fix is to clarify the prosecutorial guidelines, not a wholesale rewriting and weakening of the underlying statute.

U.S. companies and law enforcement agencies use the CFAA as the primary Federal anti-hacking law to protect billions of dollars of research and development that is under constant threat from hackers, organized criminal syndicates, and theft from competitors and foreign governments.  Other statutes are difficult to enforce and simply do not provide the same level of legal protection.

The weakening of the statute is especially problematic at this point because of the uptick in attacks on computer systems of U.S. corporations with the aim of stealing valuable intellectual property.  In fact, Booz Allen Hamilton recently provided a report revealing that “corporate IP is under constant assault.” Achieving substantial international consensus and coordination to fight this has become a matter of significant U.S. diplomacy.  Why at this crucial point would Congress want to cut back on the legal weapons we use to combat this plague?

Of course, there are different court interpretations of the statute. The ninth district reads it one way; the fourth district reads it another way.  Sooner or later, the different judicial outcomes will have to be sorted out by the Supreme Court, but none of the court decisions gut the statute in the way that the bill introduced today would.

The better way forward for Congress is to wait for this Supreme Court clarification and then see if further legislative revisions are necessary.  In the meantime, the Justice Department can address any concerns about prosecutorial overreach through improved guidelines.  But wholesale weakening of the Act takes U.S. cybercrime policy in the opposite direction, as it gives the green light to criminal at a time when we should be united in the stand against international computer crimes.

David LeDuc is Senior Director, Public Policy at SIIA. He focuses on e-commerce, privacy, cyber security, cloud computing, open standards, e-government and information policy. Follow the SIIA public policy team on Twitter at @SIIAPubPolicy.

Share|
Filed Under: Policy, Policy - Cybersecurity, Policy - Intellectual Property Tagged With: , ,

Update on Recent Computer Fraud and Abuse Act Cases

September 5, 2012 By

The summer of 2012 featured several cases that interpreted the scope and application of the Computer Fraud and Abuse Act (CFAA). The CFAA was passed in 1984 in response to hacking and emerging computer crime. Recent cases include:

August 21:
The U.S. District Court for the Western District of Oklahoma held that an employee who downloaded shareware from the Internet in violation of company policy may be liable under the CFAA for using the downloaded software to obtain confidential company documents. In Musket Corp. v. Star Fuel of Oklahoma LLC, the court held that anyone who is authorized to use a computer for certain purposes but goes past those limitations is considered to have “exceeded authorized access” under the CFAA.

August 2:
The U.S. District Court for the Northern District of California held that a defendant was in violation of the CFAA for knowingly and intentionally circumventing Craigslist’s security features after agreeing to Craigslist’s Terms of Use. The defendant in Craigslist v. Kerbel continued the conduct despite receiving cease and desist letters.

July 26:
The U.S. District Court for the District of South Carolina adopted a narrow interpretation of the CFAA terms “without authorization” and “exceeds authorized access” in WEC Carolina Energy Solutions LLC v. Miller. The court held that the terms only apply in a criminal context when someone obtains or alters information they weren’t authorized to obtain or alter.

June 29:
The U.S. District Court District of New Hampshire held that its defendants could not be sued under the CFAA even though they violated use restrictions. Because the defendants in Wentworth-Douglass Hosp. v. Young & Novis Prof’l Ass’n were provided access passwords by the system owner, they could not have “illegally accessed” the system.

Keith Kupferschmid is General Counsel and SVP, Intellectual Property Policy & Enforcement at SIIA.

Share|
Filed Under: Anti-Piracy, Policy, Policy - Intellectual Property Tagged With: