A Sigh of CFAA Relief For Those Of You With Fake Facebook Profiles

Published On September 27, 2011 | By Randy Sabett | General

In my recent post about the status of the Computer Fraud and Abuse Act (CFAA) in the Senate Judiciary Committee, I described the palpable tension that exists between federal law enforcement interests and civil liberties advocates over whether and how the CFAA should be changed.  Law enforcement fears any changes to the CFAA that would diminish their ability to pursue wrongdoers who are increasingly using computers to further their activities.  In particular, the Justice Department has raised a valid concern that certain proposed changes could have a detrimental effect on situations where an insider engages in activity that exceeds authorized access but doesn’t involve circumvention of a technical measure.   Civil liberties advocates, on the other hand, believe that the CFAA should not allow law enforcement to impose felony charges in cases involving such illicit (but not criminal) behavior as a terms of use (TOU) violation or employment contract breach.  The latter cite supposed abuses in the past when such charges were brought.

The Senate Judiciary Committee held an executive business meeting on Thursday, September 22nd, to address these conflicting viewpoints, as part of a larger effort to work through a number of different pending cybersecurity bills. On the agenda were S.1151, the Personal Data Privacy and Security Act of 2011 (Leahy, Schumer, and Franken); S.1408, the Data Breach Notification Act (Feinstein); and S.1535, the Personal Data Protection and Breach Accountability Act of 2011 (Blumenthal).

In response to the concerns articulated above, an amendment to S.1151 was adopted by the Judiciary Committee that clarifies the circumstances where “exceeding authorized access” will constitute a felony under the CFAA.  Specifically, if the amended S.1151 passes, any “access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized” would not constitute a felony.

The proposed exclusion clearly addresses the concerns of the civil liberties community. In doing so, however, it leaves a potential void in law enforcement’s ability to take action against people who commit serious wrongful acts solely in conjunction with a contractual violation of a terms of use or acceptable use policy. The Justice Department believes it can utilize the current law responsibly by taking what amounts to a “we know it when we see it” approach. Unfortunately, no easy answers exist. We clearly need an update to the CFAA, but we need it to address the concerns of all stakeholders.

About The Author

Randy V. Sabett joined ZwillGen as Counsel in 2011. He advises clients on information security, privacy, IT licensing, and intellectual property. Randy has over 20 years of infosec experience, including as an NSA crypto engineer and a CISSP. He works closely with companies in helping them develop strategies to protect and exploit their information and IP based on various evolving business models, including SaaS, mobile applications, cloud, and more traditional client/server architectures. Specific areas on which he focuses include information security, privacy, IT licensing, IP strategy, big data, metrics, active defense, venture capital, legislative matters, government contracting, digital and electronic signatures, federated identity, state and federal information security and privacy laws, identity theft, and data breaches. He also drafts and negotiates a variety of technology transaction agreements.