The Failure of the Computer Fraud and Abuse Act: Time to Take a New Approach to Regulating Computer Crime
23 Pages Posted: 3 Feb 2016
Date Written: February 2, 2016
Whenever a legislature creates a technology-specific crime, it faces a number of challenges. First, there is a risk that the new statute will merely duplicate existing crimes, thus overcriminalizing the conduct and creating unnecessary confusion. Second, the legislature needs to ensure that it provides the proper guidance to prosecutors, citizens, and courts with regard to the new concepts that need to be defined. And finally, the legislature needs to ensure that the law can be amended and updated as the technology evolves.
The Computer Fraud and Abuse Act (“CFAA”) is an example of technology-specific criminal provisions that fails all of these tests. Much of the CFAA is comprised of extortion, fraud, and criminal damaging statutes which prohibit conduct that is already covered by existing laws (or could be covered through minor changes to those laws). Meanwhile, the critical concepts of “loss,” “access,” and “authorization” in the statute remain poorly defined or completely undefined by the statute thirty years after it was first passed.
The best solution to this problem is for Congress to stop trying to regulate computer misconduct directly through legislation and empower an administrative agency to set more detailed and technical rules regarding what constitutes “computer trespass.” Thirty years of the CFAA have demonstrated that Congress lacks either the expertise or the inclination (or both) to define the relatively new concept of “computer trespass,” and the challenge is only becoming greater as the types of digital devices and the ways of communicating with these devices increase every year.
Keywords: CFAA, computer crime
JEL Classification: K14
Suggested Citation: Suggested Citation