Rebooting Computer Crime Part 3: The Punishment Should Fit The Crime

Cindy Cohn, Hanni Fakhoury, and Marcia Hofmann | Electronic Frontier Foundation | February 8, 2013

In the wake of social justice activist Aaron Swartz's tragic death, Internet users around the country are taking a hard look at the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. As we've noted, the CFAA has many problems. In this three-part series, we're exploring these problems in detail and giving more explanation of our suggested fixes. For more details about our proposal for CFAA reform, see part 1 and part 2.

As we've noted before, we suggest four basic penalty changes to the CFAA.1 As Aaron's case indicated, the CFAA's current broad language and draconian penalty scheme allow overreaching prosecutors to abuse their discretion. This can turn minor incidents with no real harm into serious criminal prosecutions, with the threat of long prison sentences and the consequences that go along with a felony conviction—like not being able to vote.

Our suggested changes aren't a get-out-of-jail-free card for computer criminals. Computer crime can be serious and law enforcement should properly investigate and prosecute those who use computers to cause financial harm and violate the privacy of others. But at the same time, punishments should fit crimes.

Our full reform proposal (which is still a work in progress) attempts to ensure the CFAA isn't used to target innovative uses of technology or violations of contractual restrictions, but still retains enough measured and proportionate punishment to deter malicious criminals. If we were able to start from scratch, we might change the law even more, but starting from the current CFAA we've suggested some modest amendments even the most anti-crime Congressperson should be able to support. Specifically on penalties, we suggest...