I testified yesterday at a House Judiciary Committee hearing that focused in part on the need to narrow the Computer Fraud and Abuse Act, a drum I’ve been beating since 2003. You can watch the video of the hearing here; the CFAA parts were discussed mostly in the opening statements and in the last 15 minutes. For press coverage of the hearing, some of which focuses on my testimony, see Wired News, CBS News, Main Justice, The Register, and Talking Points Memo.
I thought the hearing went relatively well for those of us who believe the CFAA must be narrowed. There were only a handful of Representatives at the hearing at any given time, and at times the only members present were Mr. Gohmert (Vice Chairman of the subcommittee) and Mr. Scott (the ranking minority member). Further, most of the hearing considered other questions in the area of cybersecurity. So any conclusions must be tentative. But in the last 15 minutes or so of the hearing, Gohmert and Scott turned to the CFAA question, and both indicated their view that the CFAA needs to be narrowed so that it doesn’t apply to innocent conduct like TOS violations. I was also interested to see that the other witnesses also seemed to agree that that there was a problem with the overbreadth of the statute — the disagreement was only on what do about it. It was only a hearing, and only a few members were present, but I’m cautiously optimistic.
Perhaps the most promising sign is that after the hearing, DOJ struck a conciliatory note in response to press inquiries on its position. DOJ’s written testimony submitted before the hearing defended a very broad reading of the CFAA, and it expressed the view that it was important to be able to prosecute Terms of Service violations. That drew a lot of negative press stories, and raised eyebrows at the hearing. After the hearing, however, DOJ spokeswoman Alisa Finelli offered a Politico reporter what sounds to me like a different position:
“The only court to rule on this issue [whether TOS violations violate the CFAA] ruled that it was not a violation of the law. The Department did not appeal this decision, and it has not brought a similar case since,” said DOJ spokeswoman Alisa Finelli. “We understand the concern that is motivating these criticisms of the statute, and we are willing to work with Congress on legislative proposals in this area.”
Finelli characterized Downing’s testimony as meaning that “it is not a ‘DOJ position’ that such conduct would violate the Computer Fraud and Abuse Act.”
As I commented in the Politico story, Finelli’s comment leaves me unclear as to what DOJ’s position is: I don’t see how it’s consistent with DOJ’s written testimony. But if DOJ’s opposition has softened, that is very good news.