If Congress Won't Fix The CFAA, President Obama Should Order The DOJ To Stand Down

from the get-with-the-program dept

Tim Wu has an excellent article in the New Yorker, talking about the Computer Fraud and Abuse Act (CFAA), and specifically about how it was used against Aaron Swartz, declaring it the worst law in technology. Much of it covers similar ground to what we’ve covered before, but it also makes some really good points towards the end about how the Obama administration really needs to pull back on its reliance on the law in so many cases. First, he notes that simply relying on “prosecutorial discretion” is not enough, since we’ve seen that doesn’t work:

The broadest provision, 18 U.S.C. §1030(a)(2)(c), makes it a crime to “exceed authorized access, and thereby obtain… information from any protected computer.” To the Justice Department, “exceeding authorized access” includes violating terms of service, and “any protected computer” includes just about any Web site or computer. The resulting breadth of criminality is staggering. As Professor Kerr writes, it “potentially regulates every use of every computer in the United States and even many millions of computers abroad.” You don’t have to be a raving libertarian to think that might be a problem. Dating sites, to borrow an example from Judge Alex Kozinski, usually mandate that you tell the truth, making lying about your age and weight technically a crime. Or consider employer restrictions on computers that ban personal usage, like checking ESPN or online shopping. The Justice Department’s interpretation makes the American desk-worker a felon.

When judges or academics say that it is wrong to interpret a law in such a way that everyone is a felon, the Justice Department has usually replied by saying, roughly, that federal prosecutors don’t bother with minor cases—they only go after the really bad guys. That has always been a lame excuse—repulsive to anyone who takes seriously the idea of a “a government of laws, not men.” After Aaron Swartz’s suicide, the era of trusting prosecutors with unlimited power in this area should officially be over.

He notes (as we have) that it doesn’t look like Congress is really taking the matter that seriously yet. But he also notes that we don’t have to wait for Congress. The DOJ should make it a stated policy not to interpret the law in such a ridiculous manner.

There is a much more immediate and effective remedy: the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation. The Obama Administration’s policy will have no effect on civil litigation, so firms like Oracle will retain their civil remedies. President Obama’s DREAM Act enforcement policy, under which the Administration does not deport certain illegal immigrants despite Congress’s inability to make the act a law, should be the model. Where Congress is unlikely to solve a problem, the Administration should take care of business itself.

All the Administration needs to do is to rely on the ancient common-law principle called the “rule of lenity.” This states that ambiguous criminal laws should be construed in favor of a defendant. As the Supreme Court puts it, “When choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” So far, at least thirteen federal judges have rejected the Justice Department’s interpretation of the Computer Fraud and Abuse Act. If that’s not a sign that the law is unclear and should be interpreted with lenity, I don’t know what is.

Failing that — and we’ve rarely seen a law enforcement agency take a weapon out of its own arsenal by choice — Wu suggests that it’s President Obama’s responsibility to speak up and tell the DOJ to change its policies. He notes, “with just one speech, the President can set things right.”

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “If Congress Won't Fix The CFAA, President Obama Should Order The DOJ To Stand Down”

Subscribe: RSS Leave a comment
MonkeyFracasJr (profile) says:

Re: Re: Re:

Adding the phrase “on the internet” to the end of a statement does not create a whole new universe requiring a special set of laws to be RE-created. Fraud is fraud the use of a computer does not change that. The only thing that changed is how it was done. Using everyone’s favorite analogy the automobile: If you unlawfully break in to a house it doesn’t matter if you use a crow bar or a car bumper, the illegal act is breaking in and not what tool you used to do it with.

Anonymous Coward says:

Re: Re:

It’s not that internet users don’t want laws but that we don’t want bad laws for the sake of laws. Or for the sake of making a politician’s career look good. Or for the sake of fighting for control with other governments or bodies within the same government. Or one-sided agenda focused laws for large lobbying corporations.

out_of_the_blue says:

Already done! DOJ went ONLY after a guy who violated physical security,

and falsified a sub-net address. That’s NOT every desk-worker.

Here Mike is expecting an administration that’s thrown out the entire “due process” — all of English law back to before Magna Carta — and claims the right to kill anyone anywhere anytime, YET Mike seems to expect that admin to step back and say “Whoa! We’ve gone too far prosecuting this guy who took these actions to liberate data!”

Take a loopy tour of Techdirt.com! You always end up same place!
Where Mike daily proves the value of an economics degree.

John Fenderson (profile) says:

Re: Already done! DOJ went ONLY after a guy who violated physical security,

and falsified a sub-net address

What does that even mean? He did no such thing, in any case. I suspect you’re talking about him changing the MAC address — which has nothing to do with network addresses, let alone subnet address. If so, then “falsify” is an interesting and inflammatory word to use. What is a “falsified” MAC address?

As far as violating physical security goes — where did he do that? He didn’t pick any locks. He did trespass, but why is such a trivial misdemeanor of interest to the DOJ?

Anonymous Monkey (profile) says:

Re: Already done! DOJ went ONLY after a guy who violated physical security,

and falsified a sub-net address

WHAT are you talking about?!? His MAC address ?
That’s a machine address that should be unique to a network/sub-net. Changing MACs helps in troubleshooting as NO 2(or more) computers can have the same MAC(just like an IP address). I’ve had to do it on occasion at home because of computer disconnects, network freezes, and the like.

Anonymous Coward says:

Yes, the Executive/DOJ should pick and choose which laws it personally believes are A’ok and enforce only them. It’s not like Congress should receive any deference as required by the Constitution. Perhaps I am being a bit formal, but it is up to the Article III courts to make such decisions. Case cite: Marbury v. Madison.

Eponymous Coward says:


Here’s an idea if anyone wants to run with it:

Create a parody site of this situation where by going to the webpage you’re forced to agree to a TOS that is impossible to adhere to. Some brief examples would be have it explicitly stated in the TOS to not agree to it or even read it in it’s entirety, to not view the page following after it’s agreed to (which may just spell out how insane this whole thing is if you did read it), do not close the webpage after agreeing to it ever, do not link to this page nor like it on any social site, give control of your computer over to those who oporate said page, and any other crazy assertion that’s impossible to follow thus making any visitor an automatic felon. A feln generator of sorts…

Anonymous Coward says:

‘with just one speech, the President can set things right’

and you honestly expect Obama to do the right thing here? dont be so ridiculous! he wont risk taking anything away from any Law Enforcement Agency that reduces the hold he has over the American people. and as for Congress doing anything first? not a hope in hell! we have seen the sort of stupid statements and questions Senators have come out with this week (Gohmert, for example), and the idiotic bills that have been mentioned! they haven’t got a friggin’ clue, nor do they care!!

ECA (profile) says:


makes it a crime to ?exceed authorized access, and thereby obtain? information from any protected computer.?

your kids get on your computer..YOUR COMPUTER..
you told them they could use it..
They THEN, get it infected..

Is it the kids problem?
The ISP, the SITES, the Advertisers??

You are given access at work to a computer..ITS NOT SECURE, and it gets infected..WHO is at fault?

This seems to be an IDIOT CLAUSE, to protect IDIOTS from not protecting themselves and the systems..

Someone LEAVES the computer Access logged in..someone ELSE uses the computer…with that persons Access..WHO IS TO BLAME?

Im sorry..these are BASIC security issues that have to be discerned and CONTROLLED BY THE ADMIN/CREATOR/…

Anonymous Coward says:

In 2007 I recall searching for some kind of applicable law when EA put the problematic Securom on their game discs with absolutely no mention of it anywhere. I wondered how it was lawful for them to install anything on someone’s computer without their knowledge or consent, that collected information without the users’ knowledge or consent, and was not uninstalled along with the program it wrapped (ticking all the boxes indicating spyware/malware according to the FTC).

I also recall EA personnel stating that to reveal Securom usage would have been a violation of the anti-circumvention clause of the DMCA, which I’d never heard of, and yes, I wish I had screenshot it back then, it was removed from existence shortly thereafter. EA did have to admit that Securom was responsible for software conflicts and other issues afflicting paying customers (not that EA resolved those issues in any satisfactory way, but…it’s EA).

I came across the CFAA but, not being fluent in legalese, could only gather that it applied to government computers. Apparently that isn’t the case and the DOJ could have prosecuted EA, or any other company that did such, to the fullest extent of their interpretation of THE LAW.

Instead I’m a potential felon for reading TechDirt at work.

special-interesting (profile) says:

Is personal opinion but ALL weapons should be under the control of the Defense Department. (with the exception of citizen held weaponry) Spy agencies in charge of killing anyone anyone plus the nearby innocent civilians? No way. NSA or White House is still out of the question. No way. Killing is for professionals and leave it at that.

A separate agency is silly when compared to Democratic and the Three branches of government. Defense Department or nothing. (must keep clear on foreign or domestic issues)

The actual invocation of a lethal response requiring the assistance of the Armed Forces creates the same scenario as a judicial review does. It creates the paperwork and documentation trail for an (grudgingly) required assault be it marines or drone missile.

Please (more personal opinion) A request to end the congressionally approved war on terror. (Which arguably does not exist.) Write your local congressmen.

reactionary: (more great posts)

Anonymous and DH’s Love Child; No, the justice branch must not fall into the ‘interpretation of the law doctrine’ trap. Every case must be examined by judge and jury in relation to basic constitutional law. Tossing out the ridiculous special interest influenced congressional sponsored nonsense is the control that our original founding fathers anticipated. Not anticipated are the special interest sponsored appointees to the judicial department. (ievil in any analysis)

ECA; states the obvious.

Anonymous: Secureom? Sounds like a root issue. Please elaborate. (anyone?) It’s enforceable regardless of TOS notice.

Anonymous Coward says:

Re: Re:

Root issue? Irrelevant. It was the unannounced placement of software on someone’s computer, that proceeded to affect personal computers in negative fashion, without the consent or knowledge of the user. It resulted in several class actions against EA resulting in the wristslap of requiring notice that Securom usage is included in game documentation and packaging.

Why is it okay for a company to do such a thing on such a grand scale but Swartz is prosecuted for downloading files that were there for no other reason but to be downloaded? Both involve interference with computers that do not belong to them.

special-interesting (profile) says:

Re: Re: Re:

Was busy hat night and mixed matched posts. -embarrassed-

I try to compose each post on a word processor before entry. Helps most of the time. Especially when detail, facts and links are needed.

Except for the reactionary part most of the text should have been in the ?Report Suggests Obama May Take Drones Away From The CIA? post.

Getting to the point.

Securom. Is it a rootkit? (I don’t know) May not be but any monitoring or DRM program should be mentioned on the outside of the game box. Its more than basic courtesy. Another reason I wont trust EA products on any computer in house. I agree that an announcement is necessary.

The Aaron Swartz issue was tragic and hope heads will roll (so to speak). This is what we get for allowing copyright lawyers into official positions.

Anonymous Coward says:

Oh don’t worry we will never go for the small timers. Oh yeah except when you do something we don’t like. If you speak up against us, then we accumulate all the small things you have ever done in your life to make you either shut up, discredit you or go to jail for 30 years.
I wouldn’t be surprised to see “embarrassing” information be leaked to the press in the future against anyone who challenges the wrong powerful person.

da says:

'limited interpretation'

“the Justice Department should announce a change in its criminal-enforcement policy. It should no longer consider terms-of-service violations to be criminal. It can join more than a dozen federal judges and scholars, like Kerr, who adopt a reasonable and more limited interpretation.”

you are correct that your suggestion would be a good approach. however, you have ignored the ideology that inspires the current regime. the Obama administration will only take a narrow interpretation on a law if it is a law that limits government power, never on one that empowers government. it is against their nature to limit their power, as they believe that all ppower should reside in a central government. they do not seem to care that our Nation was founded on the idea that individuals are sovereign, and delegate powers to their various levels of government. they also do not seem to care that our Constitution was written to protect that idea in practice. the People need to take back our power and our rights to stop these abuses!!!

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...