Congress passed the Computer Fraud and Abuse Act in the early days of the Internet to crack down on malicious hackers, but federal prosecutors have stretched the law since then to apply to computer users who merely violated a website's terms of service. Now, the House Judiciary Committee is circulating a proposed update of the act that, instead of fixing its flaws, would enable prosecutors to threaten alleged violators with dramatically bigger penalties. That's a dangerous step that lawmakers shouldn't even consider in light of the well-documented misuses of the law.
The 1986 act makes it a crime to gain access to information on a computer in an unauthorized way -- for example, by hacking through the passwords protecting a shopping website's server and copying the credit card numbers stored there. That prohibition applies to both people who aren't authorized to use the computer and to people who exceed the authority they were granted.
The problem is that the act doesn't clearly define what it means by exceeding one's authorization. As a result, some prosecutors have argued -- and some judges have agreed -- that simply violating a site's terms of service is equivalent to gaining unauthorized access. The draft circulated by the Judiciary Committee's staff maintains the sorry status quo, affirming that those who violate terms of service to obtain information from a government website or "sensitive or nonpublic information" from any other site could be prosecuted. As cyber-law expert Orin Kerr observed, "the language would make it a felony to lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions."