Today, legislation is being introduced in the House and Senate that would weaken the Computer Fraud and Abuse Act (CFAA), a long standing law that is critical to software and digital content companies to protect their networks and the intellectual property in their products and services. The intent of the proposal is to reign in the possibly overzealous use of this statute by U.S. prosecutors in some recent cases, including the case that led to the tragic suicide of Aaron Swartz. While the bill is well intended and seeks to address real concerns, the proper fix is to clarify the prosecutorial guidelines, not a wholesale rewriting and weakening of the underlying statute.
U.S. companies and law enforcement agencies use the CFAA as the primary Federal anti-hacking law to protect billions of dollars of research and development that is under constant threat from hackers, organized criminal syndicates, and theft from competitors and foreign governments. Other statutes are difficult to enforce and simply do not provide the same level of legal protection.
The weakening of the statute is especially problematic at this point because of the uptick in attacks on computer systems of U.S. corporations with the aim of stealing valuable intellectual property. In fact, Booz Allen Hamilton recently provided a report revealing that “corporate IP is under constant assault.” Achieving substantial international consensus and coordination to fight this has become a matter of significant U.S. diplomacy. Why at this crucial point would Congress want to cut back on the legal weapons we use to combat this plague?
Of course, there are different court interpretations of the statute. The ninth district reads it one way; the fourth district reads it another way. Sooner or later, the different judicial outcomes will have to be sorted out by the Supreme Court, but none of the court decisions gut the statute in the way that the bill introduced today would.
The better way forward for Congress is to wait for this Supreme Court clarification and then see if further legislative revisions are necessary. In the meantime, the Justice Department can address any concerns about prosecutorial overreach through improved guidelines. But wholesale weakening of the Act takes U.S. cybercrime policy in the opposite direction, as it gives the green light to criminal at a time when we should be united in the stand against international computer crimes.