We've been talking a lot about CFAA reform lately, but law professor Eric Goldman is taking it a step further. He's written a fantastic piece for Forbes that explains why the whole concept underlying the CFAA is a failure and should be almost entirely done away with. The key part is that the theory underlying the CFAA is an attempt to apply the age-old concept of "trespass to chattels" online, on the theory that the online world can be considered not unlike the offline world. Except... it's not so simple. Not at all.
Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked...
He goes on to point out that there have been massive unintended consequences of trying to apply an offline concept to a very different online world, and to also note that other existing laws can already handle many, if not potentially all, of the scenarios that people normally fear concerning malicious computer hacking.
Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.
And thus, his recommendation is basically to gut the CFAA almost entirely:
1) Repeal most provisions of the CFAA (that don't relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.
2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.
3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.
4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).
It's difficult to argue with these suggestions, which is probably why most of Congress will likely instead ignore