Computer Fraud and Abuse Act: Is It Time to Rethink?

Is It Time to Rethink the Computer Fraud and Abuse Act?

Kentucky resident Deric Lostutter is fighting to regain the right to vote.

Lostutter is now a paralegal but previously was a member of hacktivist group Anonymous and served out a prison sentence after violating a federal anti-hacking law.

His particular state and the nature of his conviction are proving to be sticking points as he seeks re-enfranchisement: Kentucky indefinitely revokes voting permissions for residents with certain kinds of felonies on their records. That includes offenses that, like Lostutter’s, were tried in federal court; as such, he’d need a governor’s pardon to be re-enfranchised.

Lostutter lost voting rights after being convicted in 2017 of violating the Computer Fraud and Abuse Act (CFAA) and lying to the FBI about his actions, and he served two years. He and a co-collaborator had conducted a hack in an effort to put pressure and public attention on two Steubenville, Ohio, high school football players’ rape of an unconscious 16-year-old, as well as on school employees believed to have enabled or hidden the assault.

“I went after a coverup of a rape case,” Lostutter told Government Technology. “Did I commit a crime? Yes: I accessed a website without permission — a football fan website, where I posted allegations and evidence of the coverup to protect the football team. Do I admit that was wrong? Yes. Did I serve my time? Yes. Was it violent? No.”

That lack of permission is where the CFAA comes in. The federal law criminalizes accessing information on an Internet-connected device either without “authorization” or by exceeding the authorization one already has.

The CFAA is a controversial law. While it appears intended to prevent malicious hacking, it’s also come under fire over the years for its vague wording that some say risks scooping up more innocuous individuals alongside genuinely dangerous actors.

The Department of Justice (DOJ) appeared to acknowledge this concern last May when it issued a policy revision clarifying the law’s scope. The DOJ explained that the CFAA should not, for example, be used to charge security researchers or people who exaggerate in their online dating profiles.

Cindy Cohn, executive director of the Electronic Frontier Foundation (EFF), told GovTech that the latest DOJ revision is helpful but still fails to clearly pin down the parameters of the law and create bright lines between common online behavior and genuinely dangerous and damaging activity.

You can read the full article at Government Technology.