Law Professor Eric Goldman: The CFAA Is A Failed Experiment; It's Time To Gut It

from the take-a-stand dept

We've been talking a lot about CFAA reform lately, but law professor Eric Goldman is taking it a step further. He's written a fantastic piece for Forbes that explains why the whole concept underlying the CFAA is a failure and should be almost entirely done away with. The key point is that the CFAA is an attempt to apply the age-old concept of "trespass to chattels" online, on the theory that the online world can be considered not unlike the offline world. Except... it's not so simple. Not at all.

> Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked...

He goes on to point out that there have been massive unintended consequences of trying to apply an offline concept to a very different online world, and also notes that other existing laws can already handle many, if not potentially all, of the scenarios that people normally fear concerning malicious computer hacking.

> Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.

And thus, his recommendation is basically to gut the CFAA almost entirely:

> 1) Repeal most provisions of the CFAA (that don't relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.
>
> 2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.
>
> 3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.
>
> 4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).

It's difficult to argue with these suggestions, which is probably why most of Congress will likely instead ignore them.


Reader Comments

  1.  
    Anonymous Coward, Mar 29th, 2013 @ 8:01am

    "Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely."

    - Unfortunately?
    What would a successful experiment of this nature look like?

     

  2.
    Anonymous Coward, Mar 29th, 2013 @ 8:10am

    "3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations. "

    "This conduct" being trespass to chattels or the breaching of computer security? If the latter, I'm not sure I understand the rationale for it. Usually it is in our best interest to not limit what individuals are allowed to do or seek redress for. If someone hacks my personal computer, I have to beg the fed to prosecute? What could possibly go wrong?

     

  3.
    Anonymous Coward, Mar 29th, 2013 @ 8:16am

    The second blockquote in the article appears to be the same as the first but with a couple of formatting errors. It appears that this was not intentional.

     

  4. This comment has been flagged by the community.
    out_of_the_blue, Mar 29th, 2013 @ 8:34am

    Another elliptical attempt to legalize "liberating" data.

    "restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved." -- BUT it's NOT preserved by defining it away as: "criminal hacking ... for the goal of fraud or data destruction". That'd be workable IF were NO copyright or we could always restrict laws to very narrow areas. But bypassing security meant to keep copyrighted works locked up is inextricably tangled, and in practice THEFT of commercial items is far more often the goal because a $100M movie is of more immediate value than Defense Dept top secrets.

    By the way "data destruction" is a HUGELY vague phrase, so it's no advance. Does it mean changing a single bit, or totally eliminating all copies, even off-line archives?

    If this were implemented, it'd only require later efforts to cover all the cases that this academic excises. Mike says it's "difficult to argue with these suggestions" because it's deliberately constructed with UNREALISTIC premises. That's what academics do so they're always "right".

    My overall take on the piece is in subject line. The implication is that this would excuse Aaron Swartz because he was only "liberating" data (from those who reasonably "owned" it by setting up the library). I think Swartz was quite outside the law in taking the actions that he did, and CFAA may be a blunt tool, but in practice it's not YET used except in a few narrowly defined cases: DOJ actually IS using reasonable discretion. But apparently Mike and his grifter pals see CFAA as potentially huge obstacle to further grifting: note the narrowing to "fraud or data destruction".

    And note that while I'm FOR leaving other people's data alone, doesn't mean I'm for expanding CFAA.

     

  5.
    G Thompson, Mar 29th, 2013 @ 8:40am

    Re:

    Like in any criminal offense you need to allow the authorities to investigate the allegations that you make with no fear nor favour towards yourself or the alleged perpetrator.

    This is called equity and is the basis for why LEOs perform criminal investigations and NOT the general public and especially not the alleged wronged party.

    If your property is trespassed upon only the appropriate authority (police) should be able to charge for the crime of trespass, if your property (and this includes your personage) is damaged maliciously and with intent then only the appropriate authority (police) should be able to charge for the crime of malicious damage and/or assault.

    To allow a private person to charge someone else for a criminal offence is abhorrent to any equitable system of criminal justice and flies in the face of what justice, Equity and due process is all about.

    If the Feds etc. do not find enough evidence through their investigation to allow charges to be even laid in the first place then so be it. To be otherwise goes down the dangerous path of vigilantism, revenge and who has more power/ego/money than someone else. Hmmm, I think I have just described the current civil litigation model of the USA.

     

  6.
    G Thompson, Mar 29th, 2013 @ 8:44am

    Re: Re:

    PS: just reread your comment and not sure if it was sarcastic now.. It's 2:30am here & brain tired.

    Though my comment still stands on face though not directly directed at yourself.

     

  7.
    Anonymous Coward, Mar 29th, 2013 @ 8:53am

    Applying real world solutions on the internet, that aren't even acceptable in the real world... then betting on the ignorance of the people.

     

  8.
    Anonymous Coward, Mar 29th, 2013 @ 8:56am

    Re: Another elliptical attempt to legalize "liberating" data.

    Who said anything about copyrights?

    That's what copyright laws are for. You don't need more laws, you need to effectively apply the laws that currently exist.

    FYI, changing a single bit DOES destroy the data. Do you know what checksums are? MD5 hashes? A 1-bit change will change both the checksum and the MD5 hash (and therefore the integrity of the file(s)). It would also, in most cases, destroy whatever program it was you were altering. I'm not sure what off-line archives have to do with anything. If you destroy data that isn't online, I'm sure there's a law for that already on the books.

    "All the cases this academic excises" are already covered by laws that already exist on the books. Why do we need more?

    No comment on the trollbait at the end of your comment.

     

  9.
    Anonymous Coward, Mar 29th, 2013 @ 9:25am

    Re: Re: Re:

    Well, yes - a bit of sarcasm because it will probably be the government behind the hacking.

    However, the right to sue in civil court for compensation of real losses should not be removed. Perhaps that is not what Eric was saying should be done.

    Begin hypothetical silly question:
    If a pimple faced kid living in mom's basement next door sends porn to my printer wasting my ink and paper because I left my wifi open like a dumbass and the government refuses to prosecute then why am I not allowed to ask for compensation in civil court?
    End hypothetical silly question

     

  10.
    uRspqF7L, Mar 29th, 2013 @ 9:53am

    bizarre!!

    this "law professor" clearly doesn't understand technology in any way. DDoS is pure freedom of speech!!

     

  11.
    btr1701, Mar 29th, 2013 @ 10:09am

    Re: Re:

    > > Eliminate all civil claims for this conduct

    > Like in any criminal offense you need to
    > allow the authorities to investigate the
    > allegations

    Apples and oranges. The professor is talking about civil claims and you bring up criminal offenses. The two have nothing to do with one another.

     

  12.
    btr1701, Mar 29th, 2013 @ 10:14am

    Re: bizarre!!

    > DDoS is pure freedom of speech!!

    Assuming you're not being sarcastic, a DDoS attack would be given no 1st Amendment protection, because the purpose and intent behind each packet of data that's sent to the server isn't expressive. No one cares what that data is or what it says. Its only value is in its amount and ability to slow down the network.

     

  13.
    MonkeyFracasJr, Mar 29th, 2013 @ 11:27am

    Re: hypothetical

    You mean beyond the part about it being your own fault for not securing your belongings (wifi)?

    I know, I know. A crime is a crime regardless of the victim's ability or willingness to safeguard his 'things'.

    Maybe the example was too small?

     

  14.
    Anonymous Coward, Mar 29th, 2013 @ 11:33am

    Re: Re: bizarre!!

    At its most basic, the closest physical equivalent is a sit-in or a picket line, as you're blocking people from performing legitimate business activities.

     

  15.
    JEDIDIAH, Mar 29th, 2013 @ 11:33am

    A problem of scale.

    The problem here though is restricting this activity to only the federal government. Typically this implies a very large threshold for injury. That would mean that most crimes would be completely ignored for lack of interest. There is some value in allowing local jurisdictions to prosecute for petty theft and trespassing.

    If anything, the reverse should be true. It should only be local jurisdictions that are allowed to prosecute for computer trespass unless the infraction occurs across state lines.

    That's one problem with the Swartz case. It was clearly a matter of jurisdiction for the Boston authorities and everyone else should have kept out of it.

    If anything, the powers of the federal government should be REDUCED.

    There are no "small claims" at the federal level. Nor should there be. Along these lines, the Jamie Rasset case should have been thrown out for lack of sufficient damages.

     

  16.
    JEDIDIAH, Mar 29th, 2013 @ 11:35am

    Re: Re: Re: bizarre!!

    ...and that's trespassing.

    You can get arrested for that sort of thing and it's not really a problem. The thing with civil disobedience is that sometimes you get arrested and you have to be willing to accept those consequences. That's part of civil disobedience.

     

  17.
    Anonymous Coward, Mar 29th, 2013 @ 11:42am

    Re: Re: hypothetical

    Agreed, it is the wifi owner's responsibility to secure their possessions, that does not mean others are welcome to help themselves to real property. Possibly, a better example might be the spamming of a fax machine or cell phone, this is considered theft. But the government hardly ever goes after the perpetrators. Individuals would not be allowed to?

     

  18.
    Anonymous Coward, Mar 29th, 2013 @ 12:17pm

    That is the first thing that has to happen. If Congress are kept on board, as with so many other things, there will either be no changes or changes made for the worse. The biggest problem with 99% of computer law, certainly within the USA, is the morons that are writing it don't have a damn clue about it in the first place. Add to that their desire to only add or change things that will make them personally better off, both financially and otherwise, and the problems manifest in droves!

     

  19.
    Anonymous Coward, Mar 29th, 2013 @ 12:30pm

    Re: Re: Re: Re:

    If you can show losses there will be something you can sue even if it's not this. In your example I think you could absolutely sue for damages. To go back to the trespass analogy, it's not just trespass if you're on someone's land and you then mess with their stuff. If you spraypaint their barn that's vandalism. I don't see why them printing porn on your paper would be any different.

     

  20.
    Anonymous Coward, Mar 29th, 2013 @ 12:47pm

    Re:

    He goes over the rationale for it:

    All of these legal doctrines (the CFAA, state computer crimes, common law trespass to chattels) require that the online chattel owner show that the defendant’s activity was unauthorized and that the owner suffered some damage from the defendant’s use of the chattel, but the legal standards differ somewhat between the doctrines. In practice, the required damages showing is often trivial. For example, both the CFAA and California’s computer crime law count the chattel owner’s efforts to prevent the defendant’s usage as actionable damage–and in California’s case, no further showing of harm to the chattel owner is required. Effectively, simply making unauthorized use of a third party’s Internet-connected chattel violate the state computer crime law.


    and then later expands on this:

    Given that chattel owners can easily restrict how their Internet-connected chattel is used, they should bear the onus to take the contractual or technological steps to do so. Otherwise, society incurs significant transaction costs for individual users trying to determine their rights to interact with Internet-connected chattel, and overly protective legal doctrines create border cases where users engaged in socially beneficially conduct nevertheless unintentionally commit legal violations.
    [Emphasis mine]

    He also goes on to outline several cases of what he believes are unintended consequences as well as pointing out that when it comes to computer crimes there are often overlaps where "at least one–and often numerous–other legal doctrines already apply" (which I also tried to point out below).

     

  21.
    Anonymous Coward, Mar 29th, 2013 @ 12:49pm

    Re: Another elliptical attempt to legalize "liberating" data.

    Maybe read the rest of the article:

    Copyright law already applies to search engines republished copyrighted material they scrape.


    An argument I believe is debatable but deftly points out that you're really barking up the wrong tree here.

     

  22.
    Anonymous Coward, Mar 29th, 2013 @ 12:50pm

    Re: bizarre!!

    He also opines that "Copyright law already applies to search engines republished copyrighted material they scrape." Oh well, no one's perfect.

     

  23.
    Anonymous Coward, Mar 29th, 2013 @ 1:51pm

    Re: Re:

    An individual who modifies the URL to a corporate website, thusly gaining access to a page which is inadequately secured, is considered a hacker and subjected to over the top retaliation at the taxpayers' expense. Meanwhile, a corporate offering inserted into an individual's computer CD drive, installs a rootkit allowing unfettered access to said computer by anyone with knowledge of the protocol is summarily ignored.

    The rationale is basically: little guy is toast, tough shit.

     

  24.
    Anonymous Coward, Mar 29th, 2013 @ 1:59pm

    Re: Re: Re:

    The article very clearly delineates between activity over the internet, your first example, and not, your second. Are you sure you read it?

     

  25.
    madasahatter, Mar 29th, 2013 @ 2:20pm

    Re: Re: Re:

    They are two different scenarios actually. One requires an internet connection while the other is damage caused by a defective product. The CFAA and related laws deal with online situations, very poorly. The second scenario is covered by existing laws (mostly), both criminal and civil. In the Sony rootkit fiasco Sony could have faced numerous civil suits for malicious damage to property with the possibility that some criminal activity would be uncovered - I do not remember the details.

     

  26.
    madasahatter, Mar 29th, 2013 @ 2:27pm

    Re: A problem of scale.

    I think the proposed changes indirectly address the Swartz case. Having a narrower legal framework of what is illegal under the statute means by default other actions are not criminal under this statute. So if under the proposed revisions what Aaron did is not criminal then the problem disappears.

    These revisions are a reaction to the sloppy current law and are an attempt to narrow the focus of the law to what it probably really was intended to do.

     

  27.
    Anonymous Coward, Mar 29th, 2013 @ 3:01pm

    Re: Re: Re: Re:

    Paying for and downloading an executable rather than inserting a CD would fit the bill.

    Point remains.

     

  28.
    btr1701, Mar 29th, 2013 @ 4:19pm

    Re: Re: Re: bizarre!!

    > At its most basic, the closest physical equivalent is a
    > sit-in or a picket line, as you're blocking people from
    > performing legitimate business activities.

    Which you have no right to do on private property. That's why those folks routinely get arrested.

     

  29.
    Anonymous Coward, Mar 29th, 2013 @ 4:29pm

    Re: Re: bizarre!!

    May not be entirely true, the packets symbolize something and thus are more than just packets, they are being sent for a reason, you are sending your message in the form of packets.

    This is another view.

    People burning an American flag is free speech, why?

     

  30.
    Anonymous Coward, Mar 29th, 2013 @ 4:30pm

    Re: Re: Re: Re: bizarre!!

    They may not be able to sit in inside the private property but they can sit in and surround that property.

     

  31.
    G Thompson, Mar 29th, 2013 @ 10:13pm

    Re: Re: Re:

    Nope the professor was talking about civil claims (under a criminal statute) and the person I commented to was then referring to criminal actions via the question " I have to beg the fed to prosecute?"

    I was explaining why allowing anyone to place charges other than a mandated authority is wrongful under the normal concepts of justice.

     

  32.
    G Thompson, Mar 29th, 2013 @ 10:21pm

    Re: A problem of scale.

    I actually agree with you, that's why I said "appropriate authority (police)" and "Feds etc"

    The appropriate authority should only be the one that is accepted by the community and is protecting the law for that community. Though there should always be a standardisation of sentencing and jurisprudence across criminal statutes on a federal and state level, the state should always be used firstly unless the crime in question affects more than one state/community or is so egregious that it affects actions that ONLY the federal authorities have a mandate over.

     

  33.
    btr1701, Mar 31st, 2013 @ 10:56am

    Re: Re: Re: Re:

    > Nope the professor was talking about civil claims (under a criminal statute)

    That makes no sense. Civil claims are civil claims, regardless of which statute authorizes them, and prosecution isn't required in order to bring a valid civil claim. If prosecution was required, it would stop being a civil claim, by definition.

     
