
Leahy Computer Fraud Abuse Amendment to the Cybersecurity Act

By
Monday, July 30, 2012 at 7:41 PM

Senator Leahy has a proposed Cybercrime Amendment to S3414 that would, effectively, substantially enhance penalties for cyber crime and impose mandatory minimum sentences. There are plenty of reasons to be skeptical of this — but the main one offered by this bipartisan group of observers (including me) is that Senator Leahy is considering leaving out of his bill an important amendment — the “Grassley/Franken/Lee” amendment — that was adopted in the Judiciary Committee.

In brief the Computer Fraud and Abuse Act  (18 U.S.C. § 1030) makes it a crime to access a computer “without” or “in excess” of “authorization.”  In some ways, both of these make sense, especially if you substitute the word “permission” for the legal term “authorization.”  If I haven’t given you permission to use my computer at all or if I have only given it to you for a limited purpose and you go rooting around in my cyber-files, that’s something that clearly ought to be punished.

But how do we determine what the limits of your “authorization” are?  Since the term is not defined in the law, some courts have looked to contractual agreements that govern the use of a computer or internet system.  These agreements are known as the “Terms of Service” or “ToS.”  They are those long, detailed legal terms that everyone clicks on to “accept” before they sign up for, say, a Facebook account.   But, as the diverse group of concerned groups points out, this means that private corporations can in effect establish what conduct violates federal criminal law when they draft such policies.

And those policies are often very broad. For example, many companies limit your use of the internet for personal purposes. Spending excessive time checking your fantasy football team roster is probably a bad idea – but it shouldn’t be a Federal crime. Senators Grassley, Franken, and Lee (not a typical combination) have the right idea. They simply say that the CFAA can’t be used to prosecute contractual violations. Violations of a contract should be left to contract law and the civil arena, not Federal criminal court.

UPDATE: That’s what happens in a fast-moving environment. The draft amendment at issue actually has the amendment I have referenced in it … good for the Senator.
