January 8, 2016

Reform to Ensure the CFAA is a Hacking Rather Than Censorship Statute

Imagine a world in which visiting and using a publicly accessible website could be a criminal violation if the operator of that site banned you for any reason. The operator of the site might not like your politics, view you as a competitor, or just disapprove of what group in society you belong to. As long as their terms of use or a cease and desist letter singled you out for exclusion, and they backed that up by attempting to block access from any computer or phone you ever used in the past, your continued attempts to visit or use their public site could be a violation of the Computer Fraud and Abuse Act. Notably, such a violation is criminal as well as civil under the current statute.

As originally conceived, the law was meant to penalize hacking into “protected computers” that housed private and confidential financial records and atomic secrets. Hacking involved “breaking into” something protected by passwords and other security measures. But the statute's vague language defining “authorized access” and “exceeding authorized access” has been coupled with the notion that Terms of Use, rather than security measures, can define the boundaries that trigger the draconian application of the statute.

As famously noted by the Electronic Frontier Foundation, a 17-year-old visiting the website for Seventeen magazine violates a TOU provision requiring an age of 18 for access – leading to a potential CFAA violation. Or in the case of Padmapper, which displays publicly listed apartment postings on a map from sites like Craigslist, the CFAA has been invoked as a litigation pretext to throttle such innovation and competition in the marketplace.
