Law Professor Eric Goldman: The CFAA Is A Failed Experiment; It's Time To Gut It
from the take-a-stand dept
We've been talking a lot about CFAA reform lately, but law professor Eric Goldman is taking it a step further. He's written a fantastic piece for Forbes that explains why the whole concept underlying the CFAA is a failure and should be almost entirely done away with. The key part is the theory underlying the CFAA is an attempt to apply the age-old concept of "trespass to chattels" online, in the theory that the online world can be considered not unlike the offline world. Except... it's not so simple. Not at all.Stretching the ancient doctrine of trespass to chattels to apply to Internet activities has been an experiment in law-making. Unfortunately, I think the experiment has failed completely. The CFAA and state computer crime laws initially were designed to restrict hackers from breaching computer security—a sensible objective that, as I discuss below, should be preserved. The expansion of these laws to cover all sending or receiving of data from an Internet-connected server hasn’t worked...He goes on to point out that there have been massive unintended consequences of trying to apply an offline concept to a very different online world, and to also note that other existing laws can already handle many, if not potentially all, of the scenarios that people normally fear concerning malicious computer hacking.
Indeed, because legal doctrines already overlap so extensively, we almost never see an online trespass to chattels claim asserted on a standalone basis. Instead, an online trespass to chattels claim is usually just one of numerous legal violations asserted against the defendant. These doctrinal overlaps mean we usually don’t need online trespass to chattels either to supplement the more squarely applicable claims or to act as a “gap-filler” to plug the rare and narrow holes left by the other legal doctrines.And thus, his recommendation is basically to gut the CFAA almost entirely:
1) Repeal most provisions of the CFAA (that don't relate to government-run computers) and preempt all analogous state laws, including state computer crime laws and common law trespass to chattels as applied online. Note: without dealing with analogous state laws, reforming the CFAA is an incomplete solution.It's difficult to argue with these suggestions, which is probably why most of Congress will likely instead ignore them.
2) Retain only the (A) restrictions on criminal hacking, which I would define as the defeat of electronic security measures for the goal of fraud or data destruction (and some of these efforts are already covered by other laws like the Electronic Communications Privacy Act), and (B) restrictions on denial-of-service attacks, which I would define as the sending of data or requests to a server with the intent of overloading its capacity.
3) Eliminate all civil claims for this conduct, so that only the federal government can enforce violations.
4) Specify that any textual attempts to restrict server usage fail unless the terms are presented in a properly formed contract (usually, a mandatory click-through agreement).
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cfaa, cfaa reform, chattles, doj, eric goldman, hacking, internet, laws, trespass, trespass on chattels
Reader Comments
Subscribe: RSS
View by: Time | Thread
- Unfortunately?
What would a successful experiment of this nature look like?
[ link to this | view in thread ]
"This conduct" being trespass to chattels or the breaching of computer security? If the latter, I'm not sure I understand the rational for it. Usually it is in our best interest to not limit what individuals are allowed to do or seek redress for. If someone hacks my personal computer, I have to beg the fed to prosecute? What could possibly go wrong?
[ link to this | view in thread ]
[ link to this | view in thread ]
Another elliptical attempt to legalize "liberating" data.
By the way "data destruction" is a HUGELY vague phrase, so it's no advance. Does it mean changing a single bit, or totally eliminating all copies, even off-line archives?
If this were implemented, it'd only require later efforts to cover all the cases that this academic excises. Mike says it's "difficult to argue with these suggestions" because it's deliberately constructed with UNREALISTIC premises. That's what academics do so they're always "right".
My overall take on the piece is in subject line. The implication is that this would excuse Aaron Swartz because he was only "liberating" data (from those who reasonably "owned" it by setting up the library). I think Swartz was quite outside the law in taking the actions that he did, and CFAA may be a blunt tool, but in practice it's not YET used except in a few narrowly defined cases: DOJ actually IS using reasonable discretion. But apparently Mike and his grifter pals see CFAA as potentially huge obstacle to further grifting: note the narrowing to "fraud or data destruction".
And note that while I'm FOR leaving other people's data alone, doesn't mean I'm for expanding CFAA.
[ link to this | view in thread ]
Re:
This is called equity and is the basis for why LEO's perform criminal investigations and NOT the general public and especially not the alleged wronged party.
If your property is trespassed upon only the appropriate authority (police) should be able to charge for the crime of trespass, if your property (and this includes your personage) is damaged maliciously and with intent then only the appropriate authority (police) should be able to charge for the crime of malicious damage and/or assault.
To allow a private person to charge someone else for a criminal offence is abhorrent to any equitable system of criminal justice and flies in the face of what justice, Equity and due process is all about.
If the Fed's etc do not find enough evidence through their investigation to allow charges to be even laid in the first place then so be it. To be otherwise goes down the dangerous path of vigilantism, revenge and who has more power/ego/money then someone else. Hmmm I think I have just described the current Civil litigation model of the USA
[ link to this | view in thread ]
Re: Re:
Though my comment still stands on face though not directly directed at yourself.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Another elliptical attempt to legalize "liberating" data.
Thats what copyright laws are for. You don't need more laws, you need to effectively apply the laws that currently exist.
FYI, changing a single bit DOES destroy the data. Do you know what checksums are? MD5 Hashes? 1 bit change will change both the checksum and the MD5 hash. (and therefor the integrity of the file(s)) It would also, in most cases, destroy whatever program it was you were altering. I'm not sure what off-line archives have to do with anything. If you destroy data that isn't online, I'm sure theres a law for that already on the books.
"All the cases this academic excises" are already covered by laws that already exist on the books. why do we need more?
No comment on the trollbait at the end of your comment.
[ link to this | view in thread ]
Re: Re: Re:
However, the right to sue in civil court for compensation of real loses should not be removed. Perhaps that is not what Eric was saying should be done.
Begin hypothetical silly question:
If a pimple faced kid living in mom's basement next door sends porn to my printer wasting my ink and paper because I left my wifi open like a dumbass and the government refuses to prosecute then why am I not allowed to ask for compensation in civil court?
End hypothetical silly question
[ link to this | view in thread ]
bizarre!!
[ link to this | view in thread ]
Re: Re:
> Like in any criminal offense you need to
> allow the authorities to investigate the
> allegations
Apples and oranges. The professor is talking about civil claims and you bring up criminal offenses. The two have nothing to do with one another.
[ link to this | view in thread ]
Re: bizarre!!
Assuming you're not being sarcastic, a DDoS attack would be given no 1st Amendment protection, because the purpose and intennt behind each packet of data that's sent to the server isn't expressive. No one cares what that data is or what it says. It's only value is in its amount and ability to slow down the network.
[ link to this | view in thread ]
Re: hypothetical
I know, I know A crime is a crime regardless of the victim's ability or willingness to safegaurd his 'things'.
Maybe the example was too small?
[ link to this | view in thread ]
Re: Re: bizarre!!
[ link to this | view in thread ]
A problem of scale.
If anything, the reverse should be true. It should only be local jurisdictions that are allowed to prosecute for computer trespass unless the infraction occurs across state lines.
That's one problem with the Swartz case. It was clearly a matter of jurisdiction for the Boston authorities and everyone else should have kept out of it.
If anything, the powers of the federal government should be REDUCED.
There are no "small claims" at the federal level. Nor should there be. Along these lines, the Jamie Rasset case should have been thrown out for lack of sufficient damages.
[ link to this | view in thread ]
Re: Re: Re: bizarre!!
You can get arrested for that sort of thing and it's not really a problem. The thing with civil disobedience is that sometimes you get arrested and you have to be willing to accept those consequences. That's part of civil disobedience.
[ link to this | view in thread ]
Re: Re: hypothetical
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re:
and then later expands on this:
[Emphasis mine]
He also goes on to outline several cases of what he believe are unintended consequences as well as pointing out that when it comes to computer crimes there are often overlaps where "at least one–and often numerous–other legal doctrines already apply" (which I also tried to point out below).
[ link to this | view in thread ]
Re: Another elliptical attempt to legalize "liberating" data.
An argument I believe is debatable but deftly points out that you're really barking up the wrong tree here.
[ link to this | view in thread ]
Re: bizarre!!
[ link to this | view in thread ]
Re: Re:
The rational is basically: little guy is toast, tough shit.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: A problem of scale.
These revisions are a reaction to the sloppy current law and is an attempt to narrow the focus of the law to what it probably really was intended to do.
[ link to this | view in thread ]
Re: Re: Re: Re:
Point remains.
[ link to this | view in thread ]
Re: Re: Re: bizarre!!
> sit-in or a picket line, as you're blocking people from
> performing legitimate business activities.
Which you have no right to do on private property. That's why those folks routinely get arrested.
[ link to this | view in thread ]
Re: Re: bizarre!!
This is another view.
People burning an American flag is free speech, why?
[ link to this | view in thread ]
Re: Re: Re: Re: bizarre!!
[ link to this | view in thread ]
Re: Re: Re:
I was explaining why allowing anyone to place charges other than a mandated authority is wrongful under the normal concepts of justice.
[ link to this | view in thread ]
Re: A problem of scale.
The appropriate authority should only be the one that is accepted by the community and is protecting the law for that community. Though there should always be a standardisation of sentencing and jurisprudence across criminal statutes on a federal and state level the state should always be used firstly unless the crime in question affects more than one state/community or is so egregious that it affects actions that ONLY the federal authorities have a mandate over .
[ link to this | view in thread ]
Re: Re: Re: Re:
That makes no sense. Civil claims are civil claims, regardless of which statute authorizes them, and prosecution isn't required in order to bring a valid civil claim. If prosecution was required, it would stop being a civil claim, by definition.
[ link to this | view in thread ]