Leahy Computer Fraud Abuse Amendment to the Cybersecurity Act
Senator Leahy has an proposed Cybercrime Amendment to S3414 that would, effectively, substantially enhance penalties for cyber crime and impose mandatory minimum sentences. There are plenty of reasons to be skeptical of this -- but the main one offered by this bipartisan group of observers (including me) is that Senator Leahy is consideri
Published by The Lawfare Institute
in Cooperation With
Senator Leahy has an proposed Cybercrime Amendment to S3414 that would, effectively, substantially enhance penalties for cyber crime and impose mandatory minimum sentences. There are plenty of reasons to be skeptical of this -- but the main one offered by this bipartisan group of observers (including me) is that Senator Leahy is considering leaving out of his bill an important amendment -- the "Grassley/Franken/Lee" amendment -- that was adopted in the Judiciary Committee.
In brief the Computer Fraud and Abuse Act (18 U.S.C. § 1030) makes it a crime to access a computer “without” or “in excess” of “authorization.” In some ways, both of these make sense, especially if you substitute the word “permission” for the legal term “authorization.” If I haven’t given you permission to use my computer at all or if I have only given it to you for a limited purpose and you go rooting around in my cyber-files, that’s something that clearly ought to be punished.
But how do we determine what the limits of your “authorization” are? Since the term is not defined in the law, some courts have looked to contractual agreements that govern the use of a computer or internet system. These agreements are known as the “Terms of Service” or “ToS.” They are those long, detailed legal terms that everyone clicks on to “accept” before they sign up for, say, a Facebook account. But, as the diverse group of concerned groups points out, this means that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies.
And those polices are often very broad. For example, many companies limit your use of the internet for personal purposes. Spending excessive time checking your fantasy football team roster is probably a bad idea – but it shouldn’t be a Federal crime. Senators Grassley, Franken, and Lee (not a typical combination) have the right idea. They simply say that the CFAA can’t be used to prosecute contractual violations. Violations of a contact should be left to contract law and the civil arena, not Federal criminal court.
UPDATE: That's what happens in a fast moving environment. The draft amendment at issue actually has the amendment I have referenced in it . ... good for the Senator.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.