The Computer Fraud and Abuse Act was passed in 1986, three years before the creation of the World Wide Web and Taylor Swift. It has become a key tool in the government’s prosecution of computer-based crime. It has also become a bludgeon that is known as the most hated law on the Internet. That’s because, its critics say, the CFAA stifles free expression, innovation and the pursuit of knowledge.
The ACLU is suing the government on behalf of a group of academic researchers, journalists and computer scientists who are trying to test for discrimination online. Their work requires them to violate the terms and services of certain websites—creating false accounts, for example—in ways that may be illegal under the CFAA. “The law has long protected such socially useful misrepresentation in the offline world,” the ACLU points out in their official complaint. “In the online world, however, conducting the same kind of audit testing generally violates websites’ terms of service, which often prohibit providing false information, creating multiple user profiles, or using automated methods of recording the information displayed for different users.”
University of Michigan professor Christian Sandvig, one of the plaintiffs in the case, is looking at the ways algorithms may discriminate. We use programs and services every day that make decisions for us, and it’s in the public interest to know if those decisions are racially biased. Just one example: The wildly (annoyingly) popular Pokemon Go appears to discourage gamers from visiting neighborhoods where most of the residents are people of color. Doesn’t that seem worth looking into?
The CFAA isn’t just a problem for researchers. The law makes it illegal for anyone to access a computer “without authorization” or in a way that “exceeds authorized access,” which can be interpreted in myriad ways. The Justice Department has decided that violating terms of service—those motes of legalese we all jump over to use an app or get into just about any website—is a felony. And the CFAA is broad enough that judges have upheld that interpretation. This is a problem for academics, journalists and curious developers, alike.
“It’s actually not unusual for 30-year-old laws to remain in force without revision,” explains Nate Cardozo of the Electronic Frontier Foundation. “That’s not actually the problem here. The problem is that the CFAA sucked in 1986.”
Prosecutors have a lot of discretion in how the CFAA is applied and they can abuse that power. Reddit co-founder Aaron Swartz faced $1 million in fines and 35 years in prison for the “crime” of downloading journal articles. He didn’t hack anything. He allegedly violated the terms of service for a guest account at MIT. He took his own life while under indictment.
With so many high-profile hacks—from Target to Sony to the IRS—taking place, it’s difficult to imagine Congress reining in the CFAA. And so it falls to do-gooder outfits like the ACLU and EFF, and to the courts, to try and carve back a little freedom. It’s important that they do. Besides the risk we all face of unwittingly committing felonies, journalists and academics simply have to break terms of service in order to uncover information that is in the public interest to know. It’s their job, it makes us smarter and safer, and that’s worth suing over.
(War Games movie poster by James White)