We've discussed for years how broken the CFAA (Computer Fraud and Abuse Act) is. The law, which was written many years ago, is problematically vague in certain areas, allowing prosecutors to claim that merely breaking a terms of service you didn't read is a form of felony hacking -- as they define it as "unauthorized access." While there have been many egregious CFAA cases, one of the most high-profile, of course, was that of activist Aaron Swartz, who was arrested for downloading too many research papers from JSTOR from the computer network on the MIT campus. The MIT campus network gave anyone -- even guests -- full access to the JSTOR archives if you were on the university network. Swartz took advantage of that to download many files -- leading to his arrest, and a whole bunch of charges against him. After the arrest, the DOJ proudly talked about how Swartz faced 35 years in prison. Of course, if you bring that up now, the DOJ and its defenders get angry, saying he never really would have faced that much time in prison -- even though the number comes from the DOJ's (since removed) press release.
Swartz, of course, tragically took his own life in the midst of this legal battle, after facing tremendous pressure from the DOJ to take a plea deal as a felon, even as Swartz was sure he had done nothing illegal or wrong. Since then, there have been a few attempts to update the CFAA to block this kind of abuse, but they have been blocked at every turn by a DOJ that actually wants to make the law even worse. This includes the White House's latest proposal for CFAA reform, which would actually make more things a felony under the CFAA, and could drastically increase sentencing for things that many of us don't think should be a crime at all -- such as tweeting out a list of worst passwords on the internet.
Outgoing Attorney General Eric Holder has done his best to ignore any suggestion that his Justice Department abused the CFAA in going after Swartz. And it looks like his likely replacement is trying to do the same.
Senator Al Franken questioned nominee Loretta Lynch about Swartz and the CFAA and got back a response that is basically her avoiding the question. She doesn't say anything about Swartz, but goes off on some FUD about the dangers of malicious hackers and how the DOJ needs the tools to fight spyware. She then claims that the newly proposed CFAA changes are okay because they only increase the possible maximum sentences, but not the minimums, leaving things up to the discretion of judges (and prosecutors):
Question 1. The Computer Fraud and Abuse Act (CFAA) has received attention for its
potentially harsh penalties. In 2013, I wrote a letter to the Department of Justice expressing my
concern about the way in which Aaron Swartz was aggressively prosecuted under the CFAA,
and associating myself with a similar letter by Senator Cornyn. The Department’s response was,
in short, that the prosecution of Swartz was consistent with the Act. Since then we have heard
many people – from all over the political spectrum – call for reform of the CFAA. Recently, the
White House announced a proposal to amend the Act. Some have characterized the proposal as a
step in the wrong direction, noting – for example – that it would increase certain sentences. What
is your assessment of these criticisms, and what is your opinion of the proposal?
RESPONSE: I believe that the Department of Justice has a responsibility to protect Americans
from invasions of their privacy and security by prosecuting and deterring computer
crimes. Accordingly, we must ensure that the CFAA, like all of our tools, remains up-to-date
and reflects the changes in the way that cybercrimes are committed, changes that have occurred
in the decades since it was first enacted. For example, I understand that the Administration’s
proposals include provisions designed to facilitate the prosecution of those who traffic in stolen
American credit cards overseas, to enable the Department to dismantle botnets that victimize
hundreds of thousands of computers at a time, and to deter the sale of criminal “spyware.”
With respect to the sentencing provisions contained in those proposals, I believe it is appropriate
to ensure that, in the event a defendant is convicted of a hacking offense, the sentencing court
has the authority to impose a sentence that fits the crime. For example, the enormous harm
caused by the massive thefts of Americans’ personal financial data from retailers illustrates the
need to ensure that the maximum sentences available are adequate to deter the worst
offenders. As the level of harm caused by the worst cybercrimes increases, I support increasing
the maximum penalties available to punish those crimes to a level commensurate with similar
crimes, such as mail fraud or wire fraud.
It is also important to understand that these statutory maximum sentences do not control what
sentence is appropriate for less significant offenses under the CFAA. In many criminal
prosecutions, including prosecutions under the CFAA of all but the most serious offenses, the
statutory maximum penalty has little or no impact on the sentencing of convicted
defendants. Instead, in each case, prosecutors make individualized sentencing recommendations,
and judges make individualized decisions, based on such factors as the facts of the case, the
offender’s history, and the U.S. Sentencing Guidelines.
Finally, I note that the Administration’s 2015 proposal does not include any new mandatory
minimum sentences, and I support the decision not to seek any such new sentences in the CFAA
at this time.
This, of course, misses the point. First, it assumes that longer sentences are somehow going to do anything to diminish the likelihood of malicious attacks. It won't. This is such a total braindead law enforcement view of things: that if only there were greater punishment it would scare the "bad people" out of doing what they're going to do. That's never really worked, and especially not in this area, where the law is being abused to go after people who don't think they're actually doing anything wrong.
Second, it just plays up the FUD that "bad stuff is happening" so "something must be done." But it ignores how vague the law is and how it's wide open to abuse. A good law enforcement official would ask for clearer laws that more narrowly target actual bad behavior, rather than celebrating a broad and vague law that can be, and is, widely abused just to rack up more DOJ headlines and "victories."