"Some have worried, for example, that the statute permits prosecution of people who merely lie about their age when going to a dating site, or harmlessly violate the terms of service of an e-mail provider," said Mythili Raman, acting assistant attorney general. "To that end, we are open to addressing these concerns by working with Congress to develop appropriate statutory amendments."
The Justice Department's comments reflect an incremental shift away from its historical stance on the law. In the case of Swartz, the activist had allegedly downloaded millions of articles from the academic repository JSTOR against its terms of service. DOJ used the terms-of-service violation to invoke the CFAA. (Importantly, the George Washington University legal expert Orin Kerr points out that the TOS violation was just one of a number of government arguments against Swartz; closing the TOS loophole would likely not have exonerated him.)
Analysts point to two recent cases that may be partly motivating the Justice Department's softening on CFAA. One is United States v. Nosal, in which the Ninth Circuit Court of Appeals ruled that violating terms of service was not enough to run afoul of the CFAA. Another is WEC Carolina Energy v. Miller. In that case, the Fourth Circuit Court of Appeals said the CFAA could not be used to prosecute a man who had allegedly violated his employer's computer policies.
"To my knowledge," said Harley Geiger, senior counsel at the Center for Democracy and Technology, "those are the most recent opinions in this question and they are trending in the direction of not allowing the CFAA to apply to terms of service violations."
While Raman said the rulings would increase the likelihood of corporate insiders abusing their IT permissions to commit computer crimes, the court decisions may be convincing DOJ that it lacks a slam-dunk legal argument on linking TOS violations to the CFAA.
It's not entirely clear what the agency would prefer by way of actual reforms. Raman said DOJ was interested in making clear "that the statute does not permit prosecution based on access restrictions that are not clearly understood." But even that statement is unclear, said Hanni Fakhoury, a staff attorney at the Electronic Frontier Foundation.
"Does that mean no terms of service violations can serve as the basis of CFAA liability?" he asked. "Only clear ones that are explained to a person in writing or personally? Displayed on a Web site in a giant banner? It's very vague."
Still, the Justice Department's acknowledgement of its critics is an interesting step, particularly as lawmakers begin pressing harder for an update to the 30-year-old statute. Last year, Rep. Zoe Lofgren (D-Calif.) introduced a bill that would restrict the CFAA's scope and limit its penalties. (Each violation currently carries the risk of a five-year jail sentence, with more for repeat offenses.) Sen. Patrick Leahy's (D-Vt.) proposal to tackle corporate data breaches also includes more modest CFAA revisions.