The Computer Fraud and Abuse Act (CFAA) can be unsettling even to the most stalwart security researcher. The law, enacted in 1986 and revisited several times since, is still littered with loopholes and nuances that can be leveraged by a prosecutor in a criminal case, or turned against a white hat in civil litigation.
The consequences can be extreme as in the tragic case of Aaron Swartz, who was looking at decades in prison for accessing an MIT database of articles if convicted; Swartz committed suicide in January before his case concluded. Or they can be revealing as in the case of controversial figure Andrew Auernheimer, also known as weev, who was sentenced to 41 months in prison for violating the CFAA by conspiring with codefendant Daniel Spitler in a breach of AT&T’s iPad registration process and exposing the data online.
These two cases in particular illustrate how prosecutors can take advantages of weaknesses in the language of the law to, and in some cases, stack violations one atop another resulting in sentences that rival or exceed those given to violent criminals. Marcia Hofmann, an attorney and fellow at the Electronic Frontier Foundation, will be speaking next week at the Black Hat Briefings in Las Vegas on the topic. She hopes the talk will increase awareness of how subtleties in the law apply to researchers.
“The reason I wanted to give this talk is that I feel like people are paying a lot of attention to the CFAA and there are fears and concerns about it,” Hofmann said. “The discussion was prompted by Aaron Swart’s tragic death, and I think that is a situation we need to talk about and consider. There are other things in the act that may be relevant to researchers and their work that they don’t know about.”
Hofmann said the CFAA can be dangerous in the hands of an overzealous prosecutor. For example, the law does not define what it means to access computers without authorization, but there are provisions for exceeding authorized access. Hofmann said legislators assumed it was obvious what authorized and unauthorized meant when the law was passed. Aaron’s Law, proposed by Rep. Zoe Lofgren (D-Calif.) after Swartz’s death, would attempt to define what access without authorization means, Hofmann said.
“Researchers are unsettled about how vague the (CFAA) is and unsure if they do X-Y-Z whether it violates the law,” Hofmann said. “Loss is not discussed much either, and I doubt they know a lot of about it; they worry more about unauthorized access.”
The CFAA mandates that in civil matters, for example, $5,000 in damages or loss must be demonstrated. Loss is not clearly defined in the legislation and it can be stretched to include, for example, the costs associated with investigating and repairing a vulnerability reported to a software company. There could be cases, Hofmann said, where a breach occurred and litigants would have standing to file a civil suit to recover the costs of hiring consultants to assess the breach and fix the problem. A more direct example would be weev’s case where he and Spitler must pay AT&T $73,000 in losses attributed to notification of individuals affected by the breach.
“I get the sense anecdotally [researchers] find what happened to Aaron Swartz and weev to be very concerning. They worry about the fact the CFAA provides any excuse to go after any behavior, that it’s not hard to get up an argument,” said Hofmann. “There’s not much in the law that contains that. There are some people out there who are thinking this is not the time to do something edgy.”
Hofmann’s talk will focus on a number potential gotchas in the CFAA that concern researchers, such as whether port scanning is legal, or how violations of terms of service can be considered crimes or grounds for civil action. She also said she plans to spend time covering Swartz and weev’s cases, despite the fact that in weev’s example, he’s a controversial and polarizing figure in the security community.
“It’s important to realize that edgy CFAA prosecutions are like this; there are situations where the government is looking for an excuse to go after somebody and this is how they do it by coming up with a novel, aggressive CFAA argument,” Hofmann said. “If the government wins, case law is established that applies to everybody, that’s why [researchers] need to care, even if they don’t like weev or think what he did was appropriate. Even those who are not fans agree what he went to prison for was not worth three and a half years.”