On November 15, 2013, self-described “hacktivist” Jeremey Hammond was sentenced to ten years in federal prison for obtaining and publishing confidential information from private defense firm Strategic Forecasting (Stratfor). [1] At the urging of the U.S. Department of Justice (DOJ), Judge Preska of the Southern District of New York imposed the maximum sentence under the Computer Fraud and Abuse Act (CFAA). Although not the most sympathetic case, Mr. Hammond’s conviction once again reignited debate about the CFAA. [2]
Broadly speaking, the CFAA is a federal statute that criminalizes a list of activities that may be considered “computer hacking.” [3] The list includes, among others, unauthorized access to government computers to obtain confidential information, accessing a protected computer in order to commit fraud, and extortion by threatening to damage to a protected computer. Perhaps the most controversial provision of the CFAA can be found at 18 U.S.C. §1030(a)(2), which criminalizes “obtain[ing] . . . information from any protected computer” if the user does not have “authorization or exceeds authorized access.” The DOJ has interpreted “exceeds authorized access” to mean any conduct that violates a website’s terms of service. [4] Under such a broad reading, the CFAA not only covers activities commonly perceived as “hacking,” but criminalizes an entire host of online actions as well. As Professor Orin Kerr noted in his testimony to Congress, the CFAA prohibits innocuous conduct such as lying on your online dating profile, since most dating sites require truthful personal information as a part of their terms of service. [5]
Of course, it is hard to imagine the DOJ prosecuting a lonely bachelor for shedding a few pounds on his Match.com profile in an attempt to appear more attractive. Nevertheless, the seemingly absurd scope of the CFAA presents a more salient issue, which is that it gives federal prosecutors broad discretion to pursue draconian prison sentences against individuals. Perhaps the most notorious example is the prosecution of Aaron Swartz, a twenty-four year old Harvard researcher for the downloading of millions of academic articles from a MIT server. [6] After the DOJ refused to accept multiple plea bargains and pushed for a 35 year prison sentence, Mr. Swartz hanged himself in his New York apartment. [7]
In the wake of Mr. Swartz’s suicide, there have been a number of calls to reform the CFAA, including a bill that would change the meaning of “exceeds authorized access” under the CFAA. [8] It is unclear if this bill will garner enough support to become law. Nonetheless, as “hacktivist” groups such as Anonymous garner media attention, the CFAA will likely remain an important tool for Federal law enforcement, and the statute’s breadth will likely be a continued source of contention in Internet regulation.
[1] Aaron Katersky, Anonymous Stratfor Hacker Given 10 Years, Nov. 15, 2013.
[2] Hanni Fakhoury & Trevor Timm, Jeremy Hammond Case Demonstrates the Draconian Nature of the CFAA, Jun. 4, 2013.
[3] 18 U.S.C. §1030.
[4] Testimony of Orin S. Kerr, United States House of Representatives, Nov. 15, 2011.
[5] Paul Larkin, The Heritage Foundation, Reasonably Construing the Computer Fraud and Abuse Act to Avoid Overcriminalization
[6] John Schwartz, Open-Access Advocate Is Arrested for Huge Download, NY Times, Jul. 19, 2011.
[7] John Schwartz, Internet Activist, a Creator of RSS, Is Dead at 26, Apparently a Suicide, Jan. 12, 2013.
[8] M. M. Jaycox, K. Opsahl, T. Timm, Aaron’s Law Introduced: Now Is the Time to Reform the CFAA, Jun. 20, 2013.