by CaptArmchair 1806 days ago
> When the CFAA is overly broad, and the ability to investigate is granted to all "offenses", where does that leave us?

Good question. The "offenses" are defined in the (a), and here you see the scope of the problem. It's a terse summation that describes what amounts to an offense under the CFAA in very general terms, and therein lies the problem.

(a)(5) for instance is a catch-all:

"Whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;"

Both "damage" as well as "protected" can be broadly interpreted. This leaves definitively asserting the interpretation of those terms in the hands of courts. And that's problematic.

> Can Apple cry "CFAA!" at anything they don't like?

Strictly speaking: Yes. Of course, Apple can only start civil cases under tort law and contract law. Equivalent to anyone, they can notify / inform law enforcement. It's the prerogative of the latter to decide on steps necessary.

Also strictly speaking, prosecution doesn't happen at the behest of an individual plaintiff (e.g. Apple) but at the behest of the state (hence why cases are named United States versus ...).

> In practice, there are some checks and balances: in this case, Judge Lois Bloom decided to sign the warrant; Judge Judith Philips refused to prosecute. Is this enough?

That's the question at heart. The legal branch of government, Congress, has voted and backed the CFAA into law. In doing so, it leaves the interpretations of the CFAA to the judicial branch of government.

How problematic an overly broad law applied to an extremely complex, and rapidly changing technological and societal context can be, is demonstrated by cases like yours and Aaron's.

Having law enforcement knocking on your door, or being outright arrested, raises questions about the proportionality with which the state responds to a suspicion, and how that then ripples through and harms individual citizens.

However, the judicial system also allows room for re-interpretation and clarification of laws. Just last month, a case under the CFAA was ruled by SCOTUS curbing the scope of the CFAA: Van Buren vs. United States.

> In a six-three decision, the US Supreme Court yesterday ruled in Van Buren v. United States that Federal prosecutors may not go after authorized individuals who access databases for unauthorized purposes under the 1986 Computer Fraud and Abuse Act (CFAA), Politico reports. The incident in question in Van Buren v. United States concerned an ex-officer caught searching a license plate database in return for a bribe.

> Though explaining the decision as a product of the law’s language, not its effects, Justice Barrett wrote in the majority ruling, “The Government’s interpretation of the statute would attach criminal penalties to a breathtaking amount of commonplace computer activity" including “using a pseudonym on Facebook.” Justice Thomas in a dissenting opinion observed, “Much of the Federal Code criminalizes common activity," and “discomfort” with that fact “does not give us authority to alter statutes.”

> Technology and advocacy groups like the National Whistleblower Center had raised concerns that the standing interpretation of the law jeopardized free speech and security research in addition to criminalizing trivial terms of service violations. Organizations like the Federal Law Enforcement Officers Association, on the other hand, worry that narrowing the scope of the CFAA will limit prosecutors’ ability to tackle “insider threats.” A CNN Supreme Court analyst said the ruling will require Governments and companies “to be far more specific in their policies governing access to databases.”

https://thecyberwire.com/newsletters/policy-briefing/3/107

It just goes to show that the discussion about the language of the CFAA is also at loggerheads at the highest judicial court. However, here SCOTUS clearly signals to lower courts that the scope and interpretation of the CFAA actually does have limits.

Both sides do have a valid argument though. On the one hand, in its current form, the vagueness of the CFAA causes issues when it comes to "freedom of press" rights, e.g. investigative journalism; however, the CFAA also protects your business as it gives law enforcement the authority to go after ransomware groups.

To my mind, for all its vagueness, the CFAA is a prime example of democracy in action as the innate vagueness is discussed in the public debate (media), as well as in courts (SCOTUS, courts, precedents,...) as well as in Congress. In that regard, I don't think there will ever be a gold standard everyone can and will agree on. It will be more of a continued debate that might yield subsequent rulings and amending bills in the future, as technology and society changes throughout the next decade(s). It's up to us to have that debate.

1 comments

Just want to say thanks again for the great comment. I was following Van Buren, and it was certainly a vindication. I agree with you there is a push and pull. Here's hoping that the debate & discussion that needs to happen plays out in a way that puts the people first, instead of expanding protections to the government and big corps.