In my recent post about the status of the Computer Fraud and Abuse Act (CFAA) in the Senate Judiciary Committee, I described the palpable tension that exists between federal law enforcement interests and civil liberties advocates over whether and how the CFAA should be changed. Law enforcement fears any changes to the CFAA that would diminish their ability to pursue wrongdoers who are increasingly using computers to further their activities. In particular, the Justice Department has raised a valid concern that certain proposed changes could have a detrimental effect on situations where an insider engages in activity that exceeds authorized access but doesn’t involve circumvention of a technical measure. Civil liberties advocates, on the other hand, believe that the CFAA should not allow law enforcement to impose felony charges in cases involving such illicit (but not criminal) behavior as a terms of use (TOU) violation or employment contract breach. The latter cite supposed abuses in the past when such charges were brought.
The Senate Judiciary Committee held an executive business meeting on Thursday, September 22nd, to address these conflicting viewpoints, as part of a larger effort to work through a number of different pending cybersecurity bills. On the agenda were S.1151, the Personal Data Privacy and Security Act of 2011 (Leahy, Schumer, and Franken); S.1408, the Data Breach Notification Act (Feinstein); and S.1535, the Personal Data Protection and Breach Accountability Act of 2011 (Blumenthal).
In response to the concerns articulated above, an amendment to S.1151 was adopted by the Judiciary Committee that clarifies the circumstances where “exceeding authorized access” will constitute a felony under the CFAA. Specifically, if the amended S.1151 passes, any “access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized” would not constitute a felony.
The proposed exclusion clearly addresses the concerns of the civil liberties community. In doing so, however, it leaves a potential void in law enforcement’s ability to take action against people who commit serious wrongful acts solely in conjunction with a contractual violation of a terms of use or acceptable use policy. The Justice Department believes it can utilize the current law responsibly by taking what amounts to a “we know it when we see it” approach. Unfortunately, no easy answers exist. We clearly need an update to the CFAA, but we need it to address the concerns of all stakeholders.