by Matt Andersen, Op-Ed Participant
We currently reside in a technologically rich era, and our personal information is constantly under attack, or available to attack, by hackers. Luckily, the United States legislature enacted the Computer Fraud and Abuse Act (CFAA) in 1984, and it has been heavily critiqued ever since. It goes without question that technology has significantly changed since 1984, and for that reason judges and United States citizens are calling for reform of the 29-year-old law. Additionally, every state legislature has enacted a statute similar to the CFAA (Pennsylvania’s can be found at 18 Pa. Consol. Stat. Ann. § 7611 (West 2012)).
The biggest news story came in January when Aaron Swartz, an internet activist who advocates for absolute freedom of information, committed suicide while he was awaiting trial. Swartz allegedly hacked into the Massachusetts Institute of Technology’s digital archive and stole millions of scholarly journals that would normally require payment to access. Swartz was facing a potential prison sentence of more than 30 years. Many devout fans of Swartz believe that the federal prosecutor’s threats of an extreme prison sentence are what led Swartz to commit suicide.
The CFAA can be found at 18 U.S.C.A. § 1030 (West 2012), and it specifically states that it is illegal to “intentionally access a computer without authorization or exceed authorized access.” In recent months, there has been public outcry over the CFAA, most notably because the United States government has used the CFAA to indict a few well-respected members of the hacker community.
Most recently, Andrew Auernheimer, commonly known in the hacker community as “Weev,” was sentenced to 41 months in prison for violating the CFAA. Specifically, Auernheimer hacked into AT&T’s servers and obtained the email addresses of over 114,000 iPad users. By doing this, Auernheimer was able to obtain the email addresses of New York City Mayor Michael Bloomberg, New York Times CEO Janet Robinson, ABC’s Diane Sawyer, and former White House Chief of Staff Rahm Emanuel.
Auernheimer considers himself a “gray hat” in the hacking community, which means he hacks into a company’s servers strictly to expose the flaws in its cyber security. When a gray hat finds a flaw in a company’s cyber security, they will usually let the company know, and offer to sell the company the information so it can fix the flaw. After a company is hacked, it will usually spend at least $100,000 to fix the breach, because companies are required to inform every customer who could be affected, and they have to pay to resolve the breach. In fact, the largest hack in history happened to the Sony PlayStation Network, which caused Sony to shut down the network for 24 days, and pay the 77 million affected users a total of $170 million.
However, this was not a normal “gray hat” hack for Auernheimer. The jury did not believe Auernheimer’s argument that he was acting as a gray hat, because, upon obtaining these email addresses, he subsequently handed the data over to Gawker, which publicly posted the information on its website.
Just a week before Auernheimer’s sentencing, federal prosecutors indicted Reuters social media editor Matthew Keys for helping the world-renowned hacker group “Anonymous” attack the website of his former employer, the Tribune Company. Keys is facing up to 25 years in prison, as well as fines that could reach $750,000.
Auernheimer, Keys, and Swartz were all charged under the CFAA, and many have criticized this law for being too broad and overly vague. Many also criticize the CFAA for imposing sentences that are entirely too harsh for mere computer crimes. However, many critics do not realize that Keys and Swartz were indicted under completely separate provisions of the CFAA. Swartz was indicted for violating the provision of the CFAA dealing with unauthorized access, and Keys was indicted for violating the provision dealing with damage to a computer.
The provision of the CFAA dealing with unauthorized access, which Auernheimer and Swartz violated, is what has received the most criticism in recent months. It certainly seems that a law enacted in 1984 that deals with computer hacking is most likely out of date, and in need of some serious change. With high-profile cases in federal courts, and the attention that this issue is getting from mainstream media, an amendment to the CFAA within the next few years appears likely.