The Computer Fraud and Abuse Act, Bandwidth Throttling, and Breaking Promises on the Internet
I taught computer law in 1998-1999 at South Texas College of Law. How things have changed. The course would now probably be called “Internet Law” or Cyberlaw, though much of the subject matter would be similar (online contracts, spam, computer/Internet related crimes, intellectual property as applied to computer related issues, privacy and data collection, and jurisdictional issues). One thing we covered was the Computer Fraud and Abuse Act, or CFAA (wikipedia; statute). The case we studied here was United States v. Morris,
an appeal of the conviction of Robert Tappan Morris for creating and releasing the Morris worm, one of the first Internet-based worms. This case resulted in the first conviction under the Computer Fraud and Abuse Act.
The aspect of the case we focused on was the fact that someone could be found guilty of tampering under the CFAA even if it couldn’t be shown that he intended to cause damage; the mere unauthorized access was sufficient for conviction.
Like many federal statutes, the scope is arbitrary, artificial, and unjust, and the terms often vague and unclear, and thus subject to manipulation and extension by the state, prosecutors, and judges. (This is one reason legislation is an inappropriate way of “making” law — see my “Legislation and Law in a Free Society.”) Thus, we now have the CFAA being used in, of all things, the “Net Neutrality” debate. ((A Libertarian Take on Net Neutrality; Net Neutrality, Congress, and Obama: The Scuffle Continues; Against Net Neutrality; Net Neutrality Developments; see also Harvard’s Yochai Benkler on Net Neutrality and Innovation.)) As discussed by Internet lawyer Evan Brown, ((See his post ISP’s alleged throttling of BitTorrent and Skype violates Computer Fraud and Abuse Act; also see the discussion by Brown and others in this week’s episode of This Week in Law)) in a recent case, some
plaintiffs sued Time Warner (the provider of Road Runner High Speed Online internet access), alleging, among other things, that Time Warner’s alleged “throttling” of plaintiffs’ internet communications violated the Computer Fraud and Abuse Act, 18 USC 1030 (“CFAA”). Specifically, plaintiffs alleged that without their authorization, Time Warner sent forged reset packets which frustrated plaintiffs’ peer-to-peer communications (e.g., BitTorrent and other P2P mechanisms) as well as their use of Skype.
The court “denied the motion to dismiss and let the case move forward.” So now it’s potentially a federal crime to throttle bandwidth to make Internet communications more efficient. Incredible. (The opinions is here.)
See also the recent column by Orin Kerr about possible uses of/extensions of the CFAA to apply it to “breaking promises” on the Internet. As he writes there:
Imagine that President Obama could order the arrest of anyone who broke a promise on the Internet. So you could be jailed for lying about your age or weight on an Internet dating site. Or you could be sent to federal prison if your boss told you to work but you used the company’s computer to check sports scores online. Imagine that Eric Holder’s Justice Department urged Congress to raise penalties for violations, making them felonies allowing three years in jail for each broken promise. Fanciful, right?
Think again. Congress is now poised to grant the Obama administration’s wishes in the name of “cybersecurity.”
The little-known law at issue is called the Computer Fraud and Abuse Act. It was enacted in 1986 to punish computer hacking. But Congress has broadened the law every few years, and today it extends far beyond hacking. The law now criminalizes computer use that “exceeds authorized access” to any computer. Today that violation is a misdemeanor, but the Senate Judiciary Committee is set to meet this morning to vote on making it a felony.
Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer?
Is this any surprise in an age where normal people are convicted of “wire fraud” or “mail fraud”, statutes originally “meant” for organized crime? (Hmm, “mail fraud”–yet another reason to let the US postal service wither and die.)