Law Professor Eric Goldman: The CFAA Is A Failed Experiment; It's Time To Gut It
from the take-a-stand dept
We’ve been talking a lot about CFAA reform lately, but law professor Eric Goldman is taking it a step further. He’s written a fantastic piece for Forbes that explains why the whole concept underlying the CFAA is a failure and should be almost entirely done away with. The key part is the theory underlying the CFAA is an attempt to apply the age-old concept of “trespass to chattels” online, in the theory that the online world can be considered not unlike the offline world. Except… it’s not so simple. Not at all.
Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked…
He goes on to point out that there have been massive unintended consequences of trying to apply an offline concept to a very different online world, and to also note that other existing laws can already handle many, if not potentially all, of the scenarios that people normally fear concerning malicious computer hacking.
Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.
And thus, his recommendation is basically to gut the CFAA almost entirely:
1) Repeal most provisions of the CFAA (that don’t relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.
2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.
3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.
4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).
It’s difficult to argue with these suggestions, which is probably why most of Congress will likely instead ignore them.
Filed Under: cfaa, cfaa reform, chattles, doj, eric goldman, hacking, internet, laws, trespass, trespass on chattels
Comments on “Law Professor Eric Goldman: The CFAA Is A Failed Experiment; It's Time To Gut It”
“Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely.”
– Unfortunately?
What would a successful experiment of this nature look like?
“3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations. “
“This conduct” being trespass to chattels or the breaching of computer security? If the latter, I’m not sure I understand the rational for it. Usually it is in our best interest to not limit what individuals are allowed to do or seek redress for. If someone hacks my personal computer, I have to beg the fed to prosecute? What could possibly go wrong?
Re: Re:
Like in any criminal offense you need to allow the authorities to investigate the allegations that you make with no fear nor favour towards yourself or the alleged perpetrator.
This is called equity and is the basis for why LEO’s perform criminal investigations and NOT the general public and especially not the alleged wronged party.
If your property is trespassed upon only the appropriate authority (police) should be able to charge for the crime of trespass, if your property (and this includes your personage) is damaged maliciously and with intent then only the appropriate authority (police) should be able to charge for the crime of malicious damage and/or assault.
To allow a private person to charge someone else for a criminal offence is abhorrent to any equitable system of criminal justice and flies in the face of what justice, Equity and due process is all about.
If the Fed’s etc do not find enough evidence through their investigation to allow charges to be even laid in the first place then so be it. To be otherwise goes down the dangerous path of vigilantism, revenge and who has more power/ego/money then someone else. Hmmm I think I have just described the current Civil litigation model of the USA
Re: Re: Re:
PS: just reread your comment and not sure if it was sarcastic now.. It’s 2:30am here & brain tired.
Though my comment still stands on face though not directly directed at yourself.
Re: Re: Re: Re:
Well, yes – a bit of sarcasm because it will probably be the government behind the hacking.
However, the right to sue in civil court for compensation of real loses should not be removed. Perhaps that is not what Eric was saying should be done.
Begin hypothetical silly question:
If a pimple faced kid living in mom’s basement next door sends porn to my printer wasting my ink and paper because I left my wifi open like a dumbass and the government refuses to prosecute then why am I not allowed to ask for compensation in civil court?
End hypothetical silly question
Re: Re: Re:2 hypothetical
You mean beyond the part about it being your own fault for not securing your belongings (wifi)?
I know, I know A crime is a crime regardless of the victim’s ability or willingness to safegaurd his ‘things’.
Maybe the example was too small?
Re: Re: Re:3 hypothetical
Agreed, it is the wifi owners responsibility to secure their possessions, that does not mean others are welcome to help themselves to real property. Possibly, a better example might be the spamming of a fax machine or cell phone, this is considered theft. But the government hardly ever goes after the perpetrators. Individuals would not be allowed to?
Re: Re: Re:2 Re:
If you can show loses there will be something you can sue even if it’s not this. In your example I think you could absolutely sue for damages. To go back to the trespass analogy, it’s not just trespass if you’re on someone’s land and you then mess with their stuff. If you spraypaint their barn that’s vandalism. I don’t see why them printing porn on your paper would be any different.
Re: Re: Re:
Re: Re: Re: Re:
Nope the professor was talking about civil claims (under a criminal statute) and the person I commented to was then referring to criminal actions via the question ” I have to beg the fed to prosecute?”
I was explaining why allowing anyone to place charges other than a mandated authority is wrongful under the normal concepts of justice.
Re: Re: Re:2 Re:
Re: Re: A problem of scale.
The problem here though is restricting this activity to only the federal government. Typically this implies a very large threshold for injury. That would mean that most crimes would be completely ignored for lack of interest. There is some value in allowing local jurisdictions to prosecute for petty theft and trespassing.
If anything, the reverse should be true. It should only be local jurisdictions that are allowed to prosecute for computer trespass unless the infraction occurs across state lines.
That’s one problem with the Swartz case. It was clearly a matter of jurisdiction for the Boston authorities and everyone else should have kept out of it.
If anything, the powers of the federal government should be REDUCED.
There are no “small claims” at the federal level. Nor should there be. Along these lines, the Jamie Rasset case should have been thrown out for lack of sufficient damages.
Re: Re: Re: A problem of scale.
I think the proposed changes indirectly address the Schwartz case. Having a narrower legal framework of what is illegal under the statute means by default other actions are not criminal under this statute. So if under the propose revisions what Aaron did is not criminal then the problem disappears.
These revisions are a reaction to the sloppy current law and is an attempt to narrow the focus of the law to what it probably really was intended to do.
Re: Re: Re: A problem of scale.
I actually agree with you, that’s why I said “appropriate authority (police)” and “Feds etc”
The appropriate authority should only be the one that is accepted by the community and is protecting the law for that community. Though there should always be a standardisation of sentencing and jurisprudence across criminal statutes on a federal and state level the state should always be used firstly unless the crime in question affects more than one state/community or is so egregious that it affects actions that ONLY the federal authorities have a mandate over .
Re: Re:
He goes over the rational for it:
and then later expands on this:
[Emphasis mine]
He also goes on to outline several cases of what he believe are unintended consequences as well as pointing out that when it comes to computer crimes there are often overlaps where “at least one?and often numerous?other legal doctrines already apply” (which I also tried to point out below).
Re: Re: Re:
An individual who modifies the URL to a corporate website, thusly gaining access to a page which is inadequately secured, is considered a hacker and subjected to over the top retaliation at the taxpayers’ expense. Meanwhile, a corporate offering inserted into an individuals’ computer CD drive, installs a rootkit allowing unfettered access to said computer by anyone with knowledge of the protocol is summarily ignored.
The rational is basically: little guy is toast, tough shit.
Re: Re: Re: Re:
The article very clearly delineates between activity over the internet, your first example, and not, your second. Are you sure you read it?
Re: Re: Re:2 Re:
Paying for and downloading an executable rather than inserting a CD would fit the bill.
Point remains.
Re: Re: Re: Re:
They are two different scenarios actually. One requires an internet connection while the other damage caused by defective product. The CFAA and related laws deal with online situations, very poorly. The second scenario is covered by existing laws (mostly), both criminal and civil. In the Sony rootkit fiasco Sony could have faced numerous civil suits for malicious damage to property with the possibility that some criminal activity would be uncovered – I do not remember the details.
The second blockquote in the article appears to be the same as the first but with a couple of formatting errors. It appears that this was not intentional.
Another elliptical attempt to legalize "liberating" data.
“restrict hackers from breaching computer security?a sensible objective that, as I discuss below, should be preserved.” — BUT it’s NOT preserved by defining it away as: “criminal hacking … for the goal of fraud or data destruction”. That’d be workable IF were NO copyright or we could always restrict laws to very narrow areas. But bypassing security meant to keep copyrighted works locked up is inextricably tangled, and in practice THEFT of commercial items is far more often the goal because a $100M movie is of more immediate value than Defense Dept top secrets.
By the way “data destruction” is a HUGELY vague phrase, so it’s no advance. Does it mean changing a single bit, or totally eliminating all copies, even off-line archives?
If this were implemented, it’d only require later efforts to cover all the cases that this academic excises. Mike says it’s “difficult to argue with these suggestions” because it’s deliberately constructed with UNREALISTIC premises. That’s what academics do so they’re always “right”.
My overall take on the piece is in subject line. The implication is that this would excuse Aaron Swartz because he was only “liberating” data (from those who reasonably “owned” it by setting up the library). I think Swartz was quite outside the law in taking the actions that he did, and CFAA may be a blunt tool, but in practice it’s not YET used except in a few narrowly defined cases: DOJ actually IS using reasonable discretion. But apparently Mike and his grifter pals see CFAA as potentially huge obstacle to further grifting: note the narrowing to “fraud or data destruction”.
And note that while I’m FOR leaving other people’s data alone, doesn’t mean I’m for expanding CFAA.
Re: Another elliptical attempt to legalize "liberating" data.
Who said anything about copyrights?
Thats what copyright laws are for. You don’t need more laws, you need to effectively apply the laws that currently exist.
FYI, changing a single bit DOES destroy the data. Do you know what checksums are? MD5 Hashes? 1 bit change will change both the checksum and the MD5 hash. (and therefor the integrity of the file(s)) It would also, in most cases, destroy whatever program it was you were altering. I’m not sure what off-line archives have to do with anything. If you destroy data that isn’t online, I’m sure theres a law for that already on the books.
“All the cases this academic excises” are already covered by laws that already exist on the books. why do we need more?
No comment on the trollbait at the end of your comment.
Re: Another elliptical attempt to legalize "liberating" data.
Maybe read the rest of the article:
An argument I believe is debatable but deftly points out that you’re really barking up the wrong tree here.
Applying real world solutions on the internet, that are’nt even acceptable in the real world…….then betting on the ignorance of the people
bizarre!!
this “law professor” clearly doesn’t understand technology in any way. DDoS is pure freedom of speech!!
Re: bizarre!!
Re: Re: bizarre!!
At its most basic, the closest physical equivalent is a sit-in or a picket line, as you’re blocking people from performing legitimate business activities.
Re: Re: Re: bizarre!!
…and that’s trespassing.
You can get arrested for that sort of thing and it’s not really a problem. The thing with civil disobedience is that sometimes you get arrested and you have to be willing to accept those consequences. That’s part of civil disobedience.
Re: Re: Re: bizarre!!
Re: Re: Re:2 bizarre!!
They may not be able to sit in inside the private property but they can sit in and surround that property.
Re: Re: bizarre!!
May not be entirely true, the packets symbolize something and thus are more than just packets, they are being sent for a reason, you are sending your message in the form of packets.
This is another view.
People burning an American flag is free speech, why?
Re: bizarre!!
He also opines that “Copyright law already applies to search engines republished copyrighted material they scrape.” Oh well, no one’s perfect.
that is the first thing that has to happen. if Congress are kept on board, as with so many other things, there will either be no changes or changes made for the worse. the biggest problem with 99% of computer law, certainly within the USA is the morons that are writing it dont have a damn clue about it in the first place. add to that their desire to only add or change things that will make them personally better off, both financially and otherwise, and the problems manifest in droves!