Thursday, March 7, 2013
David Thaw (University of Connecticut School of Law) has posted Criminalizing Hacking, Not Dating: Reconstructing the CFAA Intent Requirement (Journal of Criminal Law and Criminology, Forthcoming) on SSRN. Here is the abstract:
This article addresses a growing problem with existing United States Federal law addressing cybercrime. The Computer Fraud and Abuse Act of 1986 (CFAA), which in part revised earlier (limited) legislation on the subject, is the primary Federal "anti-hacking" statute providing both criminal penalties and (limited) rights of private action for certain unauthorized activities using computers and similar information systems. Congress originally intended to address only a narrow range of crimes, but as others have observed the statute's scope expanded dramatically over the past two decades.
The result of this expansion threatens to criminalize wide varieties of activities, common to the ordinary computer and Internet user, that are apparently innocuous in the context of "hacking" but technically constitute unauthorized activities or activities exceeding a users authorized access as a result of terms of service agreements defining access boundaries in lengthy and often legally or technically complex language.
This article responds to the debate in existing scholarship and the problems presented in a technologically-interconnected world by the Circuit split on whether such private contracts may define authorized access for criminal purposes. It identifies the shortcomings and risks in current reform proposals, and suggests an alternate method of addressing overbreath and vagueness problems in the existing statute through legislative reform of the mens rea element of the statute.