The problem results from the law's vague language: The act criminalizes "unauthorized access" to a computer. But almost 30 years after its passage, no one yet knows when access is unauthorized.
Some courts say (correctly, we think) that access is unauthorized only when a person bypasses a technological restriction like a password gate. But other courts take a broader view, finding access unauthorized whenever a user violates the terms of service on a website or even just uses the computer in a way the owner wouldn't like.
The difference is huge. Under the narrow reading, the law only prohibits breaking into a computer -- the sort of thing that very few people do. But under the broader approach, the law criminalizes the ordinary behavior of millions.
Terms of service on websites routinely say, for instance, that users must enter only truthful information. As Judge Alex Kozinski, a Reagan appointee, wrote, the law -- at least as the government reads it -- means that "describing yourself as 'tall, dark and handsome' [on a dating website] when you're actually short and homely [could] earn you a handsome orange jumpsuit."
The law cries out for a common-sense reworking. After Swartz's death, a cross-partisan coalition in Congress, led by Democrat Zoe Lofgren and Republican Darrell Issa, did just that, proposing a law that would end liability for terms-of-service violations and would limit felony liability for violations. But, incredibly, some in Congress are going the other way. Last month, the House Judiciary Committee, ignoring that common-sense reworking, circulated a draft of proposed changes to the law that would actually increase its penalties, not decrease them -- making the law even broader and more punitive than before. The new bill would jack up criminal penalties and largely embrace the broadest views of the law's reach.
Some suggest that the Judiciary Committee's proposed changes would soften the CFAA by limiting liability for violating terms of service to a few specific situations. But those situations are hardly specific. To the contrary, the circulated bill is written in such vague terms that the proposed changes impose almost no limits at all. One of the "specific situations," for example, makes it a felony if a person violates terms of service to obtain information that is "sensitive." But sensitive in what way, and to whom? The language doesn't say, and you can bet that prosecutors will see information as sensitive whenever they want to bring a prosecution.
Defenders of this mass criminalization tell us not to worry. Even if the law is over-broad, they say, prosecutors will be careful. Only really dangerous hackers will be hit. But as recent prosecutions demonstrate, trust hasn't worked. It's time to cut back on this massive overregulation by narrowing the reach of the law.