The law in question — the Computer Fraud and Abuse Act, America’s premier anti-hacking statute — makes it illegal to access a computer without authorization. But the 35-year-old legislation has long been dogged by critics who say the law’s vagueness has been abused to go after even relatively innocuous behavior that happens every day.
When the law was passed in 1984, it largely focused on unauthorized penetration into government computers, said Paul Ohm, a professor in computer and privacy law at Georgetown University. But within a couple of years, he said, it was broadened significantly.
“It is really sweeping,” Ohm said. “And it’s been expanded in lots of ways to cover lots of unsavory activity involving computers, even if it’s activity we never would consider traditional computer hacking. It’s become a sort of Swiss Army knife for punishing misconduct online.”
Assange is hardly the only foreign national to come into the law’s crosshairs. U.S. officials invoked the CFAA to seek the extradition of Lauri Love, a Briton who allegedly broke into the computer networks of the FBI, NASA and the Energy Department in 2012 and 2013. Another British national, Gary McKinnon, faced similar charges over his alleged hacking of the Defense Department in 2001 and 2002. Neither Love nor McKinnon was successfully extradited to the United States. In McKinnon’s case, then-Home Secretary Theresa May blocked the extradition request, saying the suspect’s suicide risk was so high that extradition would violate his human rights.
In 2016, journalist Matthew Keys became a visible example of how flexible the CFAA has become when he was sentenced to two years in confinement under the law. Keys, who formerly worked for Tribune Media, was convicted under the CFAA for passing computer log-in information to the digital activist group Anonymous.
Using the credentials, members of the online collective logged onto the website of the Los Angeles Times, which was then owned by Tribune, and altered one of the newspaper’s online articles. In an interview with The Washington Post following his conviction, Keys argued the hacking charges were a form of punishment for refusing to reveal the identities of his sources within Anonymous.
The vagueness of the CFAA, Ohm said, stems from varying interpretations of its two key parts: prohibitions on accessing a computer “without authorization” and “exceeding” authorized access.
“It’s always been a puzzle — what does it mean to ‘exceed’ authorized access?” said Ohm. “If you use someone’s network, even if you’re a totally legitimate or invited user, but you violate one of the terms of service or an employee policy or contract while you’re using that network, suddenly you’ve violated this federal criminal law.”
Federal courts have since ruled that terms of service violations are not punishable under the CFAA.
Exceeding authorized access was the key to an infamous case involving Aaron Swartz, an Internet activist who killed himself in 2013 after federal prosecutors accused him of hacking into a university computer network. Swartz’s alleged crime was using an automated program to download large troves of public-access academic journals from the online database JSTOR. Swartz’s actions were a violation of JSTOR’s terms of service, but the transgression gave prosecutors an opening to charge him under the CFAA. Swartz faced a maximum of 50 years behind bars and a fine of $1 million, but he hanged himself before the case went to trial.
Following Swartz’s death, Rep. Zoe Lofgren (D-Calif.) introduced legislation to narrow the scope of the CFAA. The bill, which would have removed exceeding authorized access as an offense, was colloquially known as Aaron’s Law. It did not pass.
Assange’s arrest could revive calls for the CFAA to be narrowed in scope. But even that may be unlikely to shield him from prosecution under the law. That’s because Assange’s charge of conspiring to break into a government computer hews much more closely to the CFAA’s original intent, said Ohm.
“It would be a mistake to conflate this case with the really aggressive uses of the CFAA,” he said.
Correction: An earlier version of this story reported that Matthew Keys was sentenced to two years behind bars. In fact, he was confined to a prison camp.