IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Is It Time to Rethink the Computer Fraud and Abuse Act?

The Computer Fraud and Abuse Act aims to prevent malicious hacking but has long been accused of being overly broad and vague. Some states’ anti-hacking laws are tighter, but confusions can remain.

anonymous mask
Shutterstock/NeydtStock
Kentucky resident Deric Lostutter is fighting to regain the right to vote.

Lostutter is now a paralegal but previously was a member of hacktivist group Anonymous and served out a prison sentence after violating a federal anti-hacking law.

His particular state and the nature of his conviction are proving to be sticking points as he seeks re-enfranchisement: Kentucky indefinitely revokes voting permissions for residents with certain kinds of felonies on their records. That includes offenses that, like Lostutter’s, were tried in federal court; as such, he’d need a governor’s pardon to be re-enfranchised.

Lostutter lost voting rights after being convicted in 2017 of violating the Computer Fraud and Abuse Act (CFAA) and lying to the FBI about his actions, and he served two years. He and a co-collaborator had conducted a hack in an effort to put pressure and public attention on two Steubenville, Ohio, high school football players’ rape of an unconscious 16-year-old, as well as on school employees believed to have enabled or hidden the assault.

“I went after a coverup of a rape case,” Lostutter told Government Technology. “Did I commit a crime? Yes: I accessed a website without permission — a football fan website, where I posted allegations and evidence of the coverup to protect the football team. Do I admit that was wrong? Yes. Did I serve my time? Yes. Was it violent? No.”

That lack of permission is where the CFAA comes in. The federal law criminalizes accessing information on an Internet-connected device either without “authorization” or by exceeding the authorization one already has.

The CFAA is a controversial law. While it appears intended to prevent malicious hacking, it’s also come under fire over the years for its vague wording that some say risks scooping up more innocuous individuals alongside genuinely dangerous actors.

The Department of Justice (DOJ) appeared to acknowledge this concern last May when it issued a policy revision clarifying the law’s scope. The DOJ explained that the CFAA should not, for example, be used to charge security researchers or people who exaggerate in their online dating profiles.

Cindy Cohn, executive director of the Electronic Frontier Foundation (EFF), told GovTech that the latest DOJ revision is helpful but still fails to clearly pin down the parameters of the law and create bright lines between common online behavior and genuinely dangerous and damaging activity.

“There [are] some Supreme Court decisions that have made the Computer Fraud and Abuse Act not as draconian as it used to be, but it’s still pretty problematic. And we’re still seeing bad decisions,” Cohn said.

The federal government isn’t the only one struggling here: state legislation, too, generally fails to precisely pinpoint cyber crime, Cohn said.

“Right now, most of the state laws simply mirror the federal law, in bad ways,” Cohn said. “Many of them are not even as nuanced as the Computer Fraud and Abuse Act.”

THE CFAA’S VAGUE SCOPE


The DOJ’s recent policy revision curtails some ways one might try to apply the CFAA.

“Embellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges,” the DOJ states.

Prosecution should also avoid targeting “good-faith” security researchers, the DOJ said.

Criminal defense lawyer and founder of Jayne Law Group Julia Jayne said the CFAA has historically been applied overbroadly and that it remains to be seen how the new policy revision will impact things.

“You want to criminalize hacking. But when you look at some of the cases over the past few years, why is it … being abused in this way to bring such unnecessary cases? … It sends a message that federal prosecutors, given any little bit of leeway, are going to really stretch the statute beyond its intention, which is why, probably, the policy was brought into play,” Jayne told GovTech. “I would hope that, going forward, it’s really more narrowly applied to what we understand to be true computer hacking.”

Jayne is part of the National Association of Criminal Defense Lawyers (NACDL), which has advocated for “wholesale reform” of the CFAA.

The act prohibits obtaining information by accessing an Internet-connected device you don’t have authority to use, or by going beyond the authorization you do have. But it’s unclear what falls under the category of “unauthorized” or “exceed[ing] authorized access,” and the law’s scope has grown.

Per the Florida Bar, “The CFAA originally prohibited accessing certain financial information from computers,” but has since expanded so that it now “broadly prohibits unauthorized access to nearly all computers connected to the Internet.”

Cohn said the law also hasn’t been sufficiently updated to keep up with how today’s digital world works.

Whenever you’re using the Internet, you’re accessing someone else’s server or database even if you’re browsing from your own device, Cohn said. The CFAA is ambiguous about when that access can become “unauthorized.”

“It’s not right to draw the line at, [if] somebody is unhappy with what you’re doing on their computer, then you could be charged criminally. But you could read the CFAA that way,” Cohn said.

Disputes over CFAA interpretation continued being fought in recent years.

In April 2022, a month before the DOJ released its policy revision, an appeals court ruled that the CFAA could not be invoked to prevent company hiQ Labs from continuing to scrape publicly available data from LinkedIn’s public-facing websites after LinkedIn sent it a case-and-desist letter. Essentially, the court seemed to decide that — as far as the CFAA is concerned — making information publicly available implicitly grants anyone authorization to access it. (EFF filed an amicus brief on this case.)

According to Cohn, the CFAA’s punishment scheme “is very, very severe and really is out of proportion to a lot of the problems that it’s trying to address, or at least the scope it is trying to address.”

The CFAA has a maximum sentence length of five to 10 years, which is on the lower end of the scale compared to federal offenses like wire fraud that can carry a 20-year sentence, Jayne said. At the same time, the severity of penalties under the CFAA jumps up sharply depending on the alleged motivation behind the improper access, she said. Per the Florida Bar, a defendant could face as little as up to a year of imprisonment under the CFAA — a penalty that quickly shifts to up to five years should the defendant be found to be acting for financial gain or in pursuit of another unlawful act.

STATES’ TAKES


All states have some form of computer crime laws, per the National Conference of State Legislatures (NCSL), with many specifically addressing unauthorized access.

Missouri, for example, takes a broad-brush approach to forbidding unauthorized access, Venable LLP attorney Harley Geiger explained at ShmooCon 2023, per CSO. The state prohibits unauthorized access as well as unauthorized taking or disclosure of data that’s stored external to a computer or network — something Geiger said raises questions around whether the law bans someone from scanning “public-facing assets.”

“The point is that states have a lot of messy language. A lot of it is very unclear,” Geiger said. “While we are getting toward greater clarity under the CFAA and Section 1201 under the DMCA [Digital Millennium Copyright Act] that this community exists and this community should not be treated at the same level in the same way as malicious actors, states are just not there yet. They are not quite as mature.”

Illinois’ approach, meanwhile, appears more narrow and focuses on the consequences of the perpetrators’ actions, per FindLaw. The law targets three kinds of offenses: accessing computers, programs or data without permission and then creating or spreading viruses; using a computer to commit fraud; and tampering with a computer to disrupt state or local government or public utilities’ critical services or operations, or in a way that is likely to cause someone to die or suffer serious bodily harm.

California’s equivalent law is Penal Code Section 502 (PC 502). Los Angeles-based criminal defense law firm Eisner Gorin LLP notes that the code “criminalizes the act of accessing a computer or computer network without permission when you have the intent to defraud, cause harm, or commit a crime.”

PC 502 is both less severe and more targeted than the CFAA, said Jayne, who practices law in California.

While the CFAA criminalizes access, PC 502 criminalizes unauthorized taking or use of the information,” she said. “It’s not just the access, it’s sort of what you do with it.” California’s law also carries a three-year maximum sentence, compared to the more punitive CFAA — a “not uncommon” situation when comparing state and federal laws.

LOSTUTTER’S CASE


Lostutter ran afoul of federal law over hacking he conducted in 2013 with collaborator Noah McHugh. To draw attention to the 2012 Steubenville, Ohio, rape case, Lostutter and McHugh worked to gain access to the high school football fan website and its administrator’s email account. On the site, they posted a link to download the administrator’s emails and posted a written manifesto and video. The video displayed social media posts in which students joked about the assault. It also included Lostutter threatening to dox the football team and school faculty unless those accused of the rape apologized publicly to the victim and her family.

Ultimately, the football players were convicted of rape; three school employees were convicted of offenses related to the incident, including underage drinking and obstructing official business; and Lostutter and McHugh were sentenced.

Lostutter accepted a deal in which he pleaded guilty to violating the CFAA and to lying to an FBI agent about whether he’d written the manifesto, accessed password-protected sections of the site or changed the admin password.

The court sentenced McHugh to eight months and Lostutter to two years; one of the rapists was sentenced to just one year.

Mother Jones reported that, at the time, “the prosecutor claimed the sentence [against Lostutter] would send a message that ‘hacks will be taken seriously as crimes, not as pranks or publicity stunts.’”

VOTING RIGHTS


Lostutter’s home state of Kentucky revokes voting permissions for those convicted of certain felonies. For these residents, the path to restoration hinges on successfully appealing to the governor.

Kentucky used to apply such restrictions to everyone with felony charges. That changed with a 2019 executive order automatically restoring voting permissions for residents who’d served out sentences for non-violent state felonies. It did not extend to federal charges like Lostutter’s, however.

“I’m very politically active … and here, even though I’m a non-violent felon and have served my time and paid my fine off in full, I cannot vote alongside state felons whose right to vote was reinstated,” Lostutter said. “I can’t vote for the people that I speak to on a regular basis. I speak at City Council … and I can’t vote for the people or the policies that I’m subject to.”

States vary widely in how they treat voting rights for those convicted of felonies. Residents of Maine, Vermont or D.C. retain voting rights while serving sentences, but most Americans see voting permissions revoked during incarceration. Once sentences are served, residents in 37 states automatically see their voting abilities restored either immediately upon release or after completing steps like parole or probation, per the NCSL.

Kentucky is among those states where residents could permanently lose voting rights or be required to go through additional steps to regain them, such as successfully appealing to the governor.

Kentucky’s appeals-based system and its recent executive order are not equitable ways to determine who gets voting rights restored, according to Lostutter and Fair Elections Center attorney Jon Sherman, who are pursuing an appeals case on the matter.

Their case asserts that states with appeals-based processes for restoring voting permissions violate First Amendment rights. Such an approach potentially lets governors choose to reinstate supporters and deny opponents or otherwise discriminate based on applicants’ viewpoints, Sherman told GovTech.

The appeals case argues that this approach lacks clear, “uniformly applied” rules guiding the governor’s choices and doesn’t require governors to justify their decisions — effectively granting them “unfettered” power. Kentucky governors also have no obligation to make decisions within a specified timeframe either, which means they could, in theory, sit on an application indefinitely, to prevent voting reinstatement while avoiding blame for any official decision, Sherman said.

“Many people [who applied for voting reinstatement] — even under [former] Gov. [Matt] Bevin — would never hear back,” Sherman said. “He would just not rule on the application — that was effectively denying it, [like] a pocket veto.”

Gov. Andy Beshear’s administration did not respond to requests for comment by press deadlines.
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she'd specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.