Tuesday, November 22, 2011

The CFAA Must Go!

Go ahead and read this article, then come back. Go ahead.

I'll wait.

She's charged with violations of the Computer Fraud and Abuse Act for changing some students' grades.

To quote Bill and Ted, "Bogus!"

I will wager that this woman did not crack any computer systems. I don't know the details of the case, but from seeing this type of case before I'll tell you what most likely happened.

She logged in with her own ID and password, picked another teacher's class (which the system did not have adequate controls to say "you can only modify grades for your own classes"), and changed some grades. Sure, she abused her access privileges (which is wrong), but this should be an administrative issue not criminal. Period.

The nature of the act does not change based on the medium on which it is performed, and the act was that she changed some students' grades; that's it. If this had been a paper grade book that she altered with a pencil, she only would have been fired and her teaching certificate (possibly) revoked. No criminal charges would have been filed. Just because it's on a computer doesn't change the nature of the act -especially to a crime worthy of jail time.

The Computer Fraud and Abuse Act is over-broad and overreaching. It criminalizes actions that would not otherwise be crimes, simply because they're done with a computer. It's time for the CFAA to go, but lawmakers don't know enough about computers to realize it.