Where did the CFAA come from, and where is it going?

In June 1983, President Ronald Reagan attended a screening at Camp David of WarGames, a movie in which a hacker inadvertently almost starts World War III. Intrigued, the movie star-turned politician asked Gen. John W. Vessey Jr., chairman of the Joint Chiefs of Staff, if the WarGames scenario could become a reality.

A week later, Vessey returned with an answer: Yes, he said, according to new research published in Dark Territory: The Secret History of Cyber War, a book by Fred Kaplan.

Later that year, six antihacking bills began working their way through Congress, as the Reagan administration demanded legislation to address computer security risks suggested in WarGames. By 1986, the president signed into law the regulations he wanted as the Computer Fraud and Abuse Act, an amendment to the existing computer fraud law, the Comprehensive Crime Control Act of 1984.

The CFAA was revolutionary in that it criminalized, for the first time, most forms of computer hacking in the United States, regardless of hackers’ intentions or results. Penalties for computer hacking reached the point at which people convicted on charges of illegal hacking could be locked up with sentences far worse than those of people convicted on charges of aggravated physical assault.

Aaron Swartz, an Internet activist and computer programmer who was instrumental in the creation of Reddit, for example, faced 35 years in prison and more than $1 million in fines, including loss-of-property and restitution payments, in 2011 for downloading articles from academic journals. He was charged with 11 violations of the CFAA and two counts of federal wire fraud, and he killed himself after prosecutors refused to agree to a plea deal.

Although the CFAA has been amended eight times since 1986 to address newer threats, its core remains an obstacle to today’s security researchers and coders. And although revisions to the CFAA have had bipartisan support as recently as last year, experts say reforms to address those obstacles won’t be coming anytime soon.

The law was intended for an era when computers had just begun to enter the consumer market and link to one another over the Internet. (Indeed, 1986 also marked the spreading of the first personal-computer virus, by floppy disk.) However, its ambiguous phrasing is hard to consistently interpret. CFAA violations include accessing information publicly available on a major telecommunications company’s website and lying about your age when accessing a website that has an age restriction in its terms of service.

Security researchers testing the strength of passwords in evaluating the severity of the widespread Heartbleed Internet security flaw, for example, risked being charged with federal crimes under the CFAA, says Jen Ellis, a widely acknowledged CFAA expert.

“Testing for Heartbleed involved exercising the vulnerability to obtain information by accessing a protected computer without authorization,” says Ellis, who has briefed Congress on the bill more than 150 times since 2013. “Technically, this is a violation of the CFAA.”

Computer security contractors in Texas and Georgia were actually prosecuted under the CFAA for attacking networks whose security they were hired to test. And a Wisconsin high-school student who wrote about—but did not act upon—school computer system security flaws for an underground high-school paper was likewise prosecuted and expelled.

A brief history of CFAA revisions

Today’s computer threats, from international espionage to malicious software that can lock your computer until you pay a ransom, were the stuff of science fiction 30 years ago. Although threats to industrial computer networks, such as those that control nuclear-power plants, are still incredibly rare, they are growing and getting worse, Ellis says, adding that “opportunities for cybercrime are more prevalent today” than in 1986.

Ellis is no impartial analyst: As the vice president of community and public affairs at security research company Rapid7, part of her job is to protect the interests of security researchers and hackers. And the time she’s spent on Capitol Hill advocating for reform, not repeal, has earned her some influence with lawmakers.

“We’re trying to get the CFAA reformed because we want to protect the security researchers,” she says. They’re “the only people who can fix” the security vulnerabilities that modern cybercriminals exploit.

None of the CFAA’s eight amendments, spanning from 1988 to 2008, have addressed the growing importance of independent security researchers’ and hackers’ roles in preventing, uncovering, and responding to security threats and vulnerabilities, Ellis says.

The biggest revisions to the CFAA, which came in 1994, 1996, 2001, and 2008, expanded the law’s reach and made penalties more strict. The law can now be cited in civil lawsuits. It covers all federal computer systems, as well as all privately owned computers used in interstate or international commerce. And penalties for violations of it include empowering the government to seize property used in crimes charged under the CFAA.

In 1996, lawmakers removed the clause “intent to use” from the “taking classified information” offense, such that any kind of access of classified information without authorized consent could be prosecuted under the law. And in 2008, they added taking information from any private computer system in the United States to the already long list of CFAA offenses.

For more details in a pop-culture context, check out our CFAA revision timeline above.

Aaron’s Law, other reform efforts going nowhere

Among various attempts to amend or repeal the CFAA that have gone nowhere, notable is the twice-failed Aaron’s Law amendment.

Had Aaron’s Law, first introduced by Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Ore.) in 2013, after Aaron Swartz’s suicide, been approved by Congress and the president, it would have been the first bill to reduce the CFAA’s reach and severity. A second pass at Aaron’s Law in 2015 also went nowhere.

Co-sponsored by several Democrats and one Republican upon each introduction to Congress, Aaron’s Law focused on three CFAA revisions: People caught violating a site or software application’s terms of service would receive no prison time; security researchers, hackers, casual tinkerers, and privacy advocates would be protected from prosecution; and prosecutors would be restricted from charging the accused on overlapping federal and state statutes.

“At its very core, CFAA is an antihacking law,” Rep. Lofgren said in a statement when reintroducing Aaron’s Law last year. “Unfortunately, over time, we have seen prosecutors broadening the intent of the act, handing out inordinately severe criminal penalties for less-than-serious violations. It’s time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities.”

Rapid7 Public-Policy Director Harley Geiger, who as Rep. Lofgren’s senior legislative counsel from 2012 to 2014 worked extensively on Aaron’s Law, says people are “starting to take very seriously this idea of CFAA reform.” Aaron’s Law, he says, has “been a base for people to move the conversation of CFAA modernization forward.”

But because there is little common ground between the various groups that want to guide its future, the chances of Aaron’s Law or any other CFAA reform actually becoming law remain low, according to a current Congressional staffer involved in the CFAA reform process who requested anonymity.

“Congress is aware that the CFAA is causing problems with security researchers [and] that law enforcement doesn’t like it because it’s vague enough that if it gets in front of a judge, the judge could do something radical,” the staffer says. “Congress’ view is that if nobody’s happy with it, then we must be doing something right.”

Ellis echoes that sentiment.

“Civil-liberties groups want to see the penalties go away” for computer security research that could qualify as hacking in violation of the current CFAA, she says, but “lawmakers don’t want to do anything that’s going to impact national security.”

A third party adding complexity to CFAA reform

Large corporations that have influence in Washington also benefit from CFAA’s current structure, Ellis says, because of the power the law gives to enforce software and website terms of service.

“Contained in the CFAA is the means for any corporation to change what the CFAA means by changing their terms of service. That’s insane,” she says. “It’s extremely hard for any member of Congress to get the support they need to take a bill through.”

Database software maker Oracle is the highest-profile corporate supporter of the current CFAA, but not the only one. Adobe Systems, maker of image-editing software Photoshop, has come out against revisions to the law, as has the Software and Information Industry Association, a trade group that counts IBM, Intuit, and Red Hat as members, in addition to Adobe and Oracle.

Oracle in 2011 filed an amicus brief on behalf of the government in United States v. Nosal, a case in which the United States Court of Appeals for the Ninth Circuit found that employees cannot be criminally prosecuted under the CFAA for violating their employers’ computer use policies. The company previously was accused of using the CFAA to stymie competition.

Representatives of Oracle, which in 2007 sued rival SAP for unauthorized access to password-protected technical-support documents on its website, did not return requests for comment.

Between the logjam of law enforcement agencies, civil-liberties groups and security researchers, and influencers in the larger tech world, the CFAA is likely to stay just as it is for the foreseeable future, the Congressional staffer says: “Until there’s a compromise between the Justice Department and security researchers, Congress won’t budge.”