Working in the tech industry these days is incredibly exciting — but it’s also fraught with dangers due to outmoded legislation and overeager prosecutors who can, quite literally, create a crime out of virtually nothing.
The Computer Fraud and Abuse Act, or CFAA, is a cybersecurity bill that the federal government designed way back in the early days of internet technology, when “hackers” was a term everyone was using and it created a lot of fear in the hearts and minds of everyday Americans. Unfortunately, that was way back in 1986 — and both technology and the internet have evolved in incredible ways.
The law, however, has not. That might not surprise anyone who watched the founder of Facebook try to explain how the internet works to an aging congress that seemed largely confused about what social media really does. What might surprise you, however, is just what can constitute a serious, felony-level offense under the CFAA.
You can be charged with a felony, fined and sentenced to a lengthy prison term for such varied acts as:
- Continuing to use an internet program after violating the terms of service in any way (for example, downloading too many free academic journals in violation of a university’s terms of service or creating a fictitious online identity on Facebook or Myspace)
- Identifying flaws in a computer’s security system, even if you report the flaws and do no actual harm
- Using an open wifi source designed to benefit a company’s paying customers without actually being a customer or “borrowing” your neighbor’s wifi
- Deleting an important file on the way out the door to intentionally aggravate your former employer (or even deleting your own emails) after you’ve been fired
In other words, using a bot that fools the Pokemon Go system into believing you are somewhere you aren’t so you can collect rare Pokemon (which violates the terms of service) is as serious a crime under the law as malicious attacks on a computer system designed to steal hundreds of credit card numbers. Acts that are really inconsequential, acts that should really be civil offenses and acts of electronic terrorism are all treated with the same heavy hand due to prosecutorial overreach.
There are movements aimed at reforming the CFAA, but for now, it’s important for anyone who works in information technology — or with a computer — to be aware of the CFAA, it’s broad use in white collar criminal prosecutions, and the potential for personal risk.