Its vague wording often leads to outlandish maximum sentences for hackers — and some lawmakers want them to be even stricter.
In December 2010, a group of hackers logged into the Los Angeles Times’ website and altered an article about tax policy, essentially turning the piece into gibberish by replacing the author’s words with phrases like “Chippy 1337” and “Suck it up.” LA Times staff noticed the alterations and reversed them after about 40 minutes.
A couple of weeks later, on Christmas Day, four gang members in L.A. shot a 25-year-old woman to death in front of her 3-year-old daughter.
Surprisingly, if a court pushes for the maximum penalty in the hacking case, the sentencing outcomes for certain people involved in these two crimes could be remarkably similar.
To wit: In May, gang member Ezekiel Simon, 20, accepted a plea deal and was sentenced to 29 years in prison for his role in the murder. (Simon’s older accomplices, who were more active in the shooting and didn’t take a plea deal, received much harsher sentences.)
Meanwhile, the journalist who leaked the LA Times login information, a 28-year-old by the name ofMatthew Keys, was found guilty on Wednesday of conspiracy to cause damage to a protected computer, transmission of malicious code and attempted transmission of malicious code. For the three felonies, Keys faces a maximum sentence of 25 years in prison.
And the harsh maximum sentence is certainly not an isolated incident, thanks to the Computer Fraud and Abuse Act, a 1986 law used to prosecute hackers that predates Google by 12 years.
As written, CFAA makes it a federal crime to “access a computer without authorization” or to “exceed authorized access,” a vague phrase that could theoretically be used to prosecute something as trivial as violating Facebook’s terms of service.
Lawmakers have updated CFAA six times — most recently in 2008 — but technological changes have outpaced the legislation, which still contains the ambiguous phrase.
As the Center for Democracy and Technology points out, that means countless 12-year-olds who’ve pretended to be 13 in order to set up an account on a social network have committed a federal crime. And if you’ve ever let anyone log in to your account, posted false personal information, or used Facebook to “do anything misleading,” you’re guilty, too. Don’t laugh; at the state level, punishments have been doled out for reasons just as crazy as these.
In 2011, authorities used a different part of the law to prosecute Aaron Swartz, a Harvard University fellow and prominent Internet activist who was accused of hacking into the Massachusetts Institute of Technology’s network in 2010 and downloading 4.8 million academic articles from an online research repository known as JStor.
Prosecutors say Swartz committed a number of felonies in the process, including wire fraud, computer fraud and unlawfully obtaining information from a protected computer — all of which added up to a potential 35-year prison sentence.
But there was no conviction. Swartz died by suicide in 2013, before the case even went to trial.
For comparison: In 2013, a man named David Coleman Headley also received a 35-year prison sentence. His crime? Aiding in the 2008 terrorist attacks in Mumbai, India, that killed 164 people and left hundreds more wounded, and plotting a second terrorist attack against a newspaper in Denmark.
Following Swartz’s death, Rep. Zoe Lofgren (D-Calif.) and Sen. Ron Wyden (D-Ore.) introduced a sorely needed CFAA reform known as “Aaron’s Law.” The first iteration of the bill stalled out, but they reintroduced it this year with the added support of Sen. Rand Paul (R-Ky.).
Among other things, Aaron’s Law seeks to more precisely define the “access without authorization” phrase, focusing it instead on “malicious hacks such as sending fraudulent emails, injecting malware, installing viruses or overwhelming a website with traffic,” The Hill reports.
“It’s time we reformed this law to better focus on truly malicious hackers and bad actors, and away from common computer and Internet activities,” Lofgren said in a statement when the bill was revived this spring.
One such amendment, pushed by Sen. Sheldon Whitehouse (D-R.I.), aims to increase sentences and decrease judicial oversight.
“As it stands, the CFAA is a threat to speech, activism, and research,” David Segal, the executive director of Internet freedom group Demand Progress, wrote in an email to HuffPost.
“It needs to be reined in through changes like the ones offered by Aaron’s Law — and not be expanded,” he said. “Proposals to harshen this already absurdly heavy-handed law betray a continued blindness to growing concerns about over-criminalization, a misunderstanding of criminogenics, and a lack of sophistication about basic technology issues.”
In his State of the Union address earlier this year, President Barack Obama suggested increasing the penalties for hacking while also broadening the definition of what, exactly, “hacking” entails.
“There are problems with the CFAA as it is. … What the president’s proposal would do would be to actually broaden the act,” Lofgren said at the time. “It’s the wrong thing to do.”
As proposed CFAA expansions have failed to gain traction, ramifications for both personal and political freedom remain.
“The Computer Fraud and Abuse Act is entirely out of sync with the way people use computers — and with a changing criminal justice paradigm that recognizes the particular undue harshness of the American criminal code,” Segal said.