Editorial: Change the Computer Fraud and Abuse Act
I call upon Congress to completely rewrite the Computer Fraud and Abuse Act (CFAA) 18 U.S. Code §1030. It is high time we stop trying to patch up this old whole-cloth of legislation and case law. For an example of current case law with issues that arise when a court tries to apply this outdated law, see eg, Craigslist v. 3Taps, 942 F. Supp. 2d 962, (N.D.Ca. 2013). Judge Charles Breyer (he’s the brother of Justice Stephen Breyer) explained in Craigslist some of the issues in footnote 8:
The CFAA was passed in 1986, well before the development of the modern internet, and originally only covered certain computers operated by the federal government or financial institutions. See Christine D. Galbraith, Access Denied: Improper Use of the Computer Fraud and Abuse Act to Control Information on Publicly Accessible Internet Websites, 63 Md. L.Rev. 320, 329 (2004). In 1996, Congress amended the CFAA to cover all computers used in interstate commerce, but “[r]eferences can be found throughout the amendment’s legislative history that support the premise that the changes were designed to safeguard the privacy of information,” rather than to “widen dramatically the protection of the CFAA to include all information on all computer systems on the Internet, such as … data contained on publicly accessible websites.” Id. at 330-31 (citing 142 Cong. Rec. S10,889; S.Rep. No. 104-357 (1996)).
Although courts in this district have held that the CFAA may apply to unauthorized access to websites, the parties have not cited a case from this district or the Ninth Circuit addressing its application to information that is generally available to the public. … Applying the CFAA to publicly available website information presents uncomfortable possibilities. Any corporation could subject its competitors to civil and criminal liability for visiting its otherwise publicly available home page; in theory, a major news outlet could seek criminal charges against competing journalists for reading articles on its website.
Congress needs to enact technologically current legislation that rationally and fairly divides the line between legal and illegal hacking. The complete rewrite should include different Acts for criminal and civil rules and enforcement, and should tie into privacy and security legislation. President Obama proposed changes to the CFAA and related laws in January 2015. The draft legislation can be found here. It has been widely criticized, but is at least a start at sorely needed reform. See eg EFF critique, and Huffington Post article.
In addition to this general call for reform, I propose a specific amendment to the final subsection (g) of CFAA, which now states:
No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
People and companies should be held responsible for their negligence. If they make mistakes in software programming that facilitate hackers unauthorized use of other people’s computers, then they should be held accountable. It is basic negligence law and this protective provision in existing law is irresponsible. I propose that damages be allowed, but capped. Here is the new language I propose:
Private civil actions may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware, but damages shall not exceed 25% of the profits attained from the defective product.
We need an economic incentive because the code errors are so dangerous. It is getting worse each day with all of the quick to market phone apps. All of the programming errors make our systems vulnerable to black hat hackers. I also call upon our lazy, do-nothing Congress to enact tax rebates to encourage investment in cybersecurity infrastructure and personnel. This is not a partisan issue. It is a matter of common sense and security. Let’s get something on the books now and replace this outdated legislation.
I also urge the insurance industry to offer discounts to companies with verified cybersecurity compliance activities. They should also offer discounts to software developers who invest in quality control programs designed to eliminate coding errors. It is a matter of enlightened self-interest.