The Computer Fraud and Abuse Act (CFAA) threatens to put smart people in jail for doing good work. The investigative journalist, the software developer, the legal scholar—all fear this broken law and its chilling effect on their research. The law gives too much power to prosecutors, and classifies research and investigation as a crime like malicious privacy and data hacking. It’s not. And it’s time CFAA is either refined or thrown out completely.
We stand with academics and journalists who are suing to put reasonable limits on the CFAA. Add your name if you agree it’s time to fix this broken law.
The Long Version
The Computer Fraud and Abuse Act (CFAA) is legislation that was created in the 1980s after lawmakers saw the movie “War Games” (you can’t make this stuff up if you tried) and became worried that a teenager might trigger a nuclear launch.
The law that governs computer and Internet crime was written three years before the creation of the World Wide Web by people who were terrified of technology. The result is an overly broad law that, almost by accident, makes a federal crime out of innocent behavior.
We appreciate that the government has a responsibility to protect us from actual crime, and we acknowledge that the CFAA has been used effectively to keep bad people from doing bad things. But the law is vague, unspecific, and, as a result, has a chilling effect. The ACLU is currently suing the Justice Department on behalf of academic researchers and journalists who say the CFAA prevents them from doing vital work.
One of those researchers is Christian Sandvig. He’s an expert on algorithms, and is particularly interested to see if the algorithms that define our experiences online have racial bias. For example, someone discovered that the wildly popular Pokémon Go, a map-based game that directs players around the real world, was largely ignoring neighborhoods that have more residents who are people of color. What causes that? To find out, a researcher would have to deploy a set of tools—bots, perhaps—and create fake accounts to audit and test the application. Under the CFAA, those actions could be considered a federal crime. Punishments under the CFAA vary, but are universally harsh—from 5 years in prison all the way up to life, depending on the offense. That’s a pretty big deterrent for a scholar to study potential bias in services like AirBNB and Uber.
If it seems absurd that a federal prosecutor would throw someone in prison for investigating the possible bias of Pokémon Go, consider past prosecutions under the CFAA. In probably the best known example of prosecutorial abuse, the Justice Department threatened Reddit co-creator and activist Aaron Swartz with a 35-year prison sentence and $1 million in fines for the relatively harmless offense of downloading academic journal articles. Because he acted on the belief that information should be free, Aaron Swartz faced a lifetime behind bars. The consequences were tragic.
Whether or not the government would bring a case, the fact that it could discourages academics from doing important research.
Journalists, likewise, often have to exceed authorization to access to the truth. That’s almost the definition of investigative journalism. It’s also the CFAA’s definition of hacking.
This law, despite its best intentions, is preventing the pursuit of knowledge that is in the public interest. And because so much of the digital world is based in the United States, the CFAA is a threat to all of us, globally.
People who work with technology, who live on the Internet, who write code and need to understand how things work—we instinctively know that this law is bad. It needs to be fixed.
Exploration should not be a crime. The pursuit of knowledge in the public interest should not be a crime.
We support Christian Sandvig, Kyratso Karahalios, Alan Mislove, Christopher Wilson, First Look Media and the American Civil Liberties Union, and we demand the courts find in favor of reason, not misinformed paranoia.