Law Professor Eric Goldman: The CFAA Is A Failed Experiment; It's Time To Gut It

from the take-a-stand dept

We’ve been talking a lot about CFAA reform lately, but law professor Eric Goldman is taking it a step further. He’s written a fantastic piece for Forbes that explains why the whole concept underlying the CFAA is a failure and should be almost entirely done away with. The key point is that the theory underlying the CFAA is an attempt to apply the age-old concept of “trespass to chattels” online, on the theory that the online world can be treated much like the offline world. Except… it’s not so simple. Not at all.

Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked…

He goes on to point out that there have been massive unintended consequences of trying to apply an offline concept to a very different online world, and to also note that other existing laws can already handle many, if not potentially all, of the scenarios that people normally fear concerning malicious computer hacking.

Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.

And thus, his recommendation is basically to gut the CFAA almost entirely:

1) Repeal most provisions of the CFAA (that don’t relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.

2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.

3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.

4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).

It’s difficult to argue with these suggestions, which is probably why most of Congress will likely instead ignore them.


Comments on “Law Professor Eric Goldman: The CFAA Is A Failed Experiment; It's Time To Gut It”

Anonymous Coward says:

“3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.”

“This conduct” being trespass to chattels or the breaching of computer security? If the latter, I’m not sure I understand the rationale for it. Usually it is in our best interest to not limit what individuals are allowed to do or seek redress for. If someone hacks my personal computer, I have to beg the fed to prosecute? What could possibly go wrong?

G Thompson (profile) says:

Re: Re:

Like in any criminal offense you need to allow the authorities to investigate the allegations that you make with no fear nor favour towards yourself or the alleged perpetrator.

This is called equity and is the basis for why LEO’s perform criminal investigations and NOT the general public and especially not the alleged wronged party.

If your property is trespassed upon only the appropriate authority (police) should be able to charge for the crime of trespass, if your property (and this includes your personage) is damaged maliciously and with intent then only the appropriate authority (police) should be able to charge for the crime of malicious damage and/or assault.

To allow a private person to charge someone else for a criminal offence is abhorrent to any equitable system of criminal justice and flies in the face of what justice, Equity and due process is all about.

If the Feds etc. do not find enough evidence through their investigation to allow charges to be even laid in the first place then so be it. To be otherwise goes down the dangerous path of vigilantism, revenge and who has more power/ego/money than someone else. Hmmm, I think I have just described the current civil litigation model of the USA.

Anonymous Coward says:

Re: Re: Re: Re:

Well, yes – a bit of sarcasm because it will probably be the government behind the hacking.

However, the right to sue in civil court for compensation of real losses should not be removed. Perhaps that is not what Eric was saying should be done.

Begin hypothetical silly question:
If a pimple faced kid living in mom’s basement next door sends porn to my printer wasting my ink and paper because I left my wifi open like a dumbass and the government refuses to prosecute then why am I not allowed to ask for compensation in civil court?
End hypothetical silly question

Anonymous Coward says:

Re: Re: Re:3 hypothetical

Agreed, it is the wifi owner’s responsibility to secure their possessions; that does not mean others are welcome to help themselves to real property. Possibly a better example might be the spamming of a fax machine or cell phone; this is considered theft. But the government hardly ever goes after the perpetrators. Individuals would not be allowed to?

Anonymous Coward says:

Re: Re: Re:2 Re:

If you can show losses there will be something you can sue for, even if it’s not this. In your example I think you could absolutely sue for damages. To go back to the trespass analogy, it’s not just trespass if you’re on someone’s land and you then mess with their stuff. If you spraypaint their barn that’s vandalism. I don’t see why them printing porn on your paper would be any different.

G Thompson (profile) says:

Re: Re: Re: Re:

Nope, the professor was talking about civil claims (under a criminal statute) and the person I commented to was then referring to criminal actions via the question “I have to beg the fed to prosecute?”

I was explaining why allowing anyone to place charges other than a mandated authority is wrongful under the normal concepts of justice.


Re: Re: A problem of scale.

The problem here though is restricting this activity to only the federal government. Typically this implies a very large threshold for injury. That would mean that most crimes would be completely ignored for lack of interest. There is some value in allowing local jurisdictions to prosecute for petty theft and trespassing.

If anything, the reverse should be true. It should only be local jurisdictions that are allowed to prosecute for computer trespass unless the infraction occurs across state lines.

That’s one problem with the Swartz case. It was clearly a matter of jurisdiction for the Boston authorities and everyone else should have kept out of it.

If anything, the powers of the federal government should be REDUCED.

There are no “small claims” at the federal level. Nor should there be. Along these lines, the Jamie Rasset case should have been thrown out for lack of sufficient damages.

madasahatter (profile) says:

Re: Re: Re: A problem of scale.

I think the proposed changes indirectly address the Swartz case. Having a narrower legal framework of what is illegal under the statute means by default other actions are not criminal under this statute. So if under the proposed revisions what Aaron did is not criminal then the problem disappears.

These revisions are a reaction to the sloppy current law and are an attempt to narrow the focus of the law to what it probably really was intended to do.

G Thompson (profile) says:

Re: Re: Re: A problem of scale.

I actually agree with you; that’s why I said “appropriate authority (police)” and “Feds etc.”

The appropriate authority should only be the one that is accepted by the community and is protecting the law for that community. Though there should always be a standardisation of sentencing and jurisprudence across criminal statutes on a federal and state level, the state should always be used first unless the crime in question affects more than one state/community or is so egregious that it affects actions that ONLY the federal authorities have a mandate over.

Anonymous Coward says:

Re: Re:

He goes over the rationale for it:

All of these legal doctrines (the CFAA, state computer crimes, common law trespass to chattels) require that the online chattel owner show that the defendant’s activity was unauthorized and that the owner suffered some damage from the defendant’s use of the chattel, but the legal standards differ somewhat between the doctrines. In practice, the required damages showing is often trivial. For example, both the CFAA and California’s computer crime law count the chattel owner’s efforts to prevent the defendant’s usage as actionable damage—and in California’s case, no further showing of harm to the chattel owner is required. Effectively, simply making unauthorized use of a third party’s Internet-connected chattel violates the state computer crime law.

and then later expands on this:

Given that chattel owners can easily restrict how their Internet-connected chattel is used, they should bear the onus to take the contractual or technological steps to do so. Otherwise, society incurs significant transaction costs for individual users trying to determine their rights to interact with Internet-connected chattel, and overly protective legal doctrines create border cases where users engaged in socially beneficially conduct nevertheless unintentionally commit legal violations.

[Emphasis mine]

He also goes on to outline several cases of what he believes are unintended consequences, as well as pointing out that when it comes to computer crimes there are often overlaps where “at least one—and often numerous—other legal doctrines already apply” (which I also tried to point out below).

Anonymous Coward says:

Re: Re: Re:

An individual who modifies the URL to a corporate website, thusly gaining access to a page which is inadequately secured, is considered a hacker and subjected to over-the-top retaliation at the taxpayers’ expense. Meanwhile, a corporate offering inserted into an individual’s computer CD drive, which installs a rootkit allowing unfettered access to said computer by anyone with knowledge of the protocol, is summarily ignored.

The rationale is basically: little guy is toast, tough shit.

madasahatter (profile) says:

Re: Re: Re: Re:

They are two different scenarios actually. One requires an internet connection while the other is damage caused by a defective product. The CFAA and related laws deal with online situations, very poorly. The second scenario is covered by existing laws (mostly), both criminal and civil. In the Sony rootkit fiasco Sony could have faced numerous civil suits for malicious damage to property, with the possibility that some criminal activity would be uncovered – I do not remember the details.

out_of_the_blue says:

Another elliptical attempt to legalize "liberating" data.

“restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved.” — BUT it’s NOT preserved by defining it away as: “criminal hacking … for the goal of fraud or data destruction”. That’d be workable IF there were NO copyright or we could always restrict laws to very narrow areas. But bypassing security meant to keep copyrighted works locked up is inextricably tangled, and in practice THEFT of commercial items is far more often the goal because a $100M movie is of more immediate value than Defense Dept top secrets.

By the way “data destruction” is a HUGELY vague phrase, so it’s no advance. Does it mean changing a single bit, or totally eliminating all copies, even off-line archives?

If this were implemented, it’d only require later efforts to cover all the cases that this academic excises. Mike says it’s “difficult to argue with these suggestions” because it’s deliberately constructed with UNREALISTIC premises. That’s what academics do so they’re always “right”.

My overall take on the piece is in subject line. The implication is that this would excuse Aaron Swartz because he was only “liberating” data (from those who reasonably “owned” it by setting up the library). I think Swartz was quite outside the law in taking the actions that he did, and CFAA may be a blunt tool, but in practice it’s not YET used except in a few narrowly defined cases: DOJ actually IS using reasonable discretion. But apparently Mike and his grifter pals see CFAA as potentially huge obstacle to further grifting: note the narrowing to “fraud or data destruction”.

And note that while I’m FOR leaving other people’s data alone, doesn’t mean I’m for expanding CFAA.

Anonymous Coward says:

Re: Another elliptical attempt to legalize "liberating" data.

Who said anything about copyrights?

That’s what copyright laws are for. You don’t need more laws, you need to effectively apply the laws that currently exist.

FYI, changing a single bit DOES destroy the data. Do you know what checksums are? MD5 hashes? A 1-bit change will change both the checksum and the MD5 hash (and therefore the integrity of the file(s)). It would also, in most cases, destroy whatever program it was you were altering. I’m not sure what off-line archives have to do with anything. If you destroy data that isn’t online, I’m sure there’s a law for that already on the books.

“All the cases this academic excises” are already covered by laws that already exist on the books. Why do we need more?

No comment on the trollbait at the end of your comment.
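The checksum point in the comment above is easy to show concretely: an integrity verifier that records a digest, flips one bit of the data, and reports the digest no longer matches. This is an added illustration, not code from the thread or from Goldman’s piece; the sample bytes are constructed here, and the function names (digest, flip_bit, verify, avalanche_report) are my own.

```python
import hashlib
import hmac

# Constructed sample "file" contents; any bytes would do.
SAMPLE_DATA = b"Quarterly report: revenue 1,250,000; headcount 42.\n"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data under a hashlib algorithm name ("md5", "sha256", ...)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted (bit 0 = LSB of byte 0)."""
    byte_index, bit_in_byte = divmod(bit_index, 8)
    if byte_index >= len(data):
        raise IndexError("bit index beyond end of data")
    mutable = bytearray(data)
    mutable[byte_index] ^= 1 << bit_in_byte
    return bytes(mutable)


def verify(data: bytes, expected_digest: str, algorithm: str = "sha256") -> bool:
    """Integrity check: True only if data still hashes to the recorded digest.

    compare_digest avoids leaking, through timing, how many leading characters
    of the digest matched; it is a habit worth keeping even for integrity checks.
    """
    return hmac.compare_digest(digest(data, algorithm), expected_digest)


def hamming_distance_hex(a: str, b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def avalanche_report(data: bytes, bit_index: int, algorithms=("md5", "sha256")) -> dict:
    """For each algorithm, how many digest bits change when one input bit flips.

    A sound hash changes roughly half of its output bits for any single-bit
    input change, so the recorded digest is useless for locating or "repairing"
    the change; it only tells you that the data is no longer what was recorded.
    """
    corrupted = flip_bit(data, bit_index)
    report = {}
    for algorithm in algorithms:
        original = digest(data, algorithm)
        changed = digest(corrupted, algorithm)
        report[algorithm] = {
            "digest_bits": len(original) * 4,
            "bits_changed": hamming_distance_hex(original, changed),
            "still_verifies": verify(corrupted, original, algorithm),
        }
    return report


if __name__ == "__main__":
    recorded = digest(SAMPLE_DATA)
    print("recorded sha256:", recorded)
    print("intact verifies:", verify(SAMPLE_DATA, recorded))
    damaged = flip_bit(SAMPLE_DATA, 3)  # one bit in the first byte
    print("damaged verifies:", verify(damaged, recorded))
    for name, row in avalanche_report(SAMPLE_DATA, 3).items():
        print(f"{name}: {row['bits_changed']} of {row['digest_bits']} digest bits changed")
```

Running the script prints the recorded digest, a True for the intact data and a False for the one-bit-flipped copy, followed by how many digest bits moved for each algorithm. The practical defender’s lesson is the one the comment gestures at: a recorded digest detects a single-bit change but says nothing about where it happened, so integrity checking needs a trustworthy place to keep the reference digest (or a signed manifest), not just the hash alongside the file.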

btr1701 (profile) says:

Re: bizarre!!

DDoS is pure freedom of speech!!

Assuming you’re not being sarcastic, a DDoS attack would be given no 1st Amendment protection, because the purpose and intent behind each packet of data that’s sent to the server isn’t expressive. No one cares what that data is or what it says. Its only value is in its amount and ability to slow down the network.

Anonymous Coward says:

That is the first thing that has to happen. If Congress are kept on board, as with so many other things, there will either be no changes or changes made for the worse. The biggest problem with 99% of computer law, certainly within the USA, is that the morons who are writing it don’t have a damn clue about it in the first place. Add to that their desire to only add or change things that will make them personally better off, both financially and otherwise, and the problems manifest in droves!
