The law, in its simplest form, prohibits unauthorized access—or exceeding authorized access—to protected computers and networks. That seems straightforward enough, but because the law was so broadly written, creative prosecutors have stretched the interpretation of unauthorized access far beyond what lawmakers likely intended. For example, it was used to criminally prosecute Andrew Auernheimer for accessing unprotected data that was freely available on an AT&T website.
Another disturbing and growing trend is how prosecutors use the law to criminally charge employees and ex-employees for exceeding authorized access. In 1994, the CFAA was amended to allow civil actions to be brought under the statute. This opened a path for corporations to sue workers who steal company secrets in violation of their authorized access. But instead of using this civil recourse, companies have, in several cases, worked with the government to criminally charge employees who violate work contracts.
“It’s a poorly written statute that doesn’t effectively define the main thing it seeks to prohibit,” says Tor Ekeland, a New York-based defense attorney who has worked on a number of controversial CFAA cases. “There are ambiguities surrounding that definition that allow prosecutors wide latitude to bring charges under theories that shock computer people in the infosec community. Combine that with the fact that there is this general paranoia about hackers—it’s a sort of hysteria that’s on par with the hysteria about witchcraft.”
Civil liberty and legal advocacy groups have called on lawmakers to reform the CFAA to prevent zealous prosecutors from punishing conduct that many feel doesn’t truly constitute a computer crime. Calls for reform grew particularly loud in 2013 after internet activist Aaron Swartz committed suicide following his indictment on charges related to downloading academic papers.