A US anti-hacker law has the potential to criminalize things like using a fake name on Facebook, putting false numbers on your Match.com profile or buying gold in World of Warcraft, says a former prosecutor.
The Computer Fraud and Abuse Act (CFAA), which was first implemented in the 1980s and has been reviewed four times, increasingly broadening its scope, can be interpreted in a way which outlaws mundane activities in which the majority of computer users are engaged every day.
“In the Justice Department’s view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable,” Orin Kerr, George Washington University law professor and a former federal prosecutor of the Department of Justice argued at Congress subcommittee hearings on Tuesday.
The woman was convicted on misdemeanor charges, but a judge subsequently overruled the verdict on the grounds that the CFAA was constitutionally vague and that upholding the verdict would set a dangerous precedent. Kerr was part of Drew’s defense team as pro bono co-counsel.
One of Kerr’s opponents at the hearings, DoJ Deputy Chief of Computer Crime and Intellectual Property Section Criminal Division Richard Downing, argued that limiting the CFAA in a way suggested by Kerr will impede prosecutors’ ability to fight crime.
“We are concerned that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution,” Downing said. “Limiting the use of such terms to define the scope of authorization would, in some instances, prevent prosecution of exactly the kind of serious insider cases the department handles on a regular basis.”
Harvard Law School Lecturer James Baker, who was also giving his opinion to the subcommittee members, agreed that Kerr’s concern has grounds, but argued that “to the extent that Congress is concerned that such abuses might occur, it strikes me that it may make more sense to use your oversight powers to ensure that enforcement of the CFAA is properly focused on the worst offenders.”
He suggested that the Congress could legislate a reporting requirement to ensure that individuals or entities for exclusively know that they may be facing prosecution for violating the terms of service of a website.