Not A Crime: the CFAA and Respectability PoliticsKendra Albert / Jan 3, 2022
Kendra Albert is a public interest technology lawyer with a special interest in computer security law and freedom of expression.
(Please note this piece contains non-explicit discussion of death by suicide.)
"Hacking is not a crime." It has become an oft-repeated mantra to advocate against criminalization, especially under laws like the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking statute in the United States. As an attorney who defends security researchers against CFAA claims, this phrase is one I’ve heard repeated countless times, across a variety of contexts. And yet, over the years I’ve come to recognize that it contains within it a contradiction that is important for those concerned with tech policy and social justice to understand.
Is hacking like skateboarding? Or journalism?
Advocates employ it to emphasize the moral righteousness (or at least harmlessness) of the activity, and to indicate their disapproval of its criminalization. When Van Buren v. United States, a major CFAA case, was before the United States Supreme Court, investigative journalism outlet The Markup debuted t-shirts that said "scraping is not a crime." Many tech policy luminaries, including friends of mine, posted pictures of themselves wearing the shirts on Twitter. When Van Buren was decided for a narrower read of the CFAA, Georgetown law professor Paul Ohm tweeted "…The @themarkup t-shirt caption used to be a plea for relief; today it feels a little bit more like the summary of a Supreme Court holding."
As Ohm said, it was a plea - but also an implicit bargain with an unnamed viewer. “Hacking is not a crime,” as a slogan, combined with advocacy emphasizing the positive aspects of hacking, relies on the assumption that if the behavior is prosocial or not actively harmful, it shouldn’t be criminalized. And that underpinning is a moral position that is deeply out of step with the reality of criminalization in the United States. Or to put it another way, one only needs to review the “Hacking is Not A Crime” webpage which says, “A criminal engages in unethical activities with malicious intent. Hackers do not.” to see the effort to distinguish prosocial hackers from ‘eeevill’ criminals.
It’s funny, because “not a crime” started somewhere very different. We can trace the lineage of this strategy back to the popular phrase “skateboarding is not a crime”, a slogan that was used on bumper stickers, that in the words of Jeff Ferrell, were pasted on “cars, [skateboarders’] boards, and at times over ‘Skateboarding In This Area Prohibited by Law’ signs.” Ferrell wrote about skateboarding in his 1997 article “Youth, Crime, and Cultural Space,” where he notes that youthful style (like the pro-skateboarding campaign) was at war with media to determine “whose interest will systems of urban authority operate, and by whose standards will [people] be judged desirable or undesirable, criminal or noncriminal.”
As Ferrell points out, as a matter of cultural pushback, calling something “not a crime” may be effective. But of course, as a matter of law, it is inaccurate. If by crime we mean something that can be prosecuted by state or federal governments, resulting in jail time, hacking is a crime. Scraping is a crime (or at least, it was), and in certain circumstances, it still might be. Therefore accountability research is, under those circumstances, a crime. And in a moment like the 1990s (or today) where a police officer could arrest someone for loitering, or just for kicks (pardon the pun), skateboarding was too.
But the “scraping is not a crime” folks probably weren’t intentionally invoking skateboarding counterculture when they coined the slogan. Since the 1990s, another group has picked up the torch where skateboarding left it. The other major users of the phrase “X is not a crime” are press freedom advocates, whose invocation draws on a similar battle as Farrell describes. “Journalism is not a crime” has been the name of a number of human rights reports on imprisoned journalists, from Ethiopia to Iran. In fact, the campaign called “journalism is not a crime” supports journalists and activists who are imprisoned in Iran. We can see shades of Ferrell’s claims about the role of skateboarding counterculture here – although now journalists are the ones persecuted, rather than the ones responsible for the persecution. In this context, advocates are using the claim about criminalization to appeal to a broader international audience, fighting against the power of the legal entities that have imprisoned journalists and advocates.
We're not like the “real criminals”.
There’s a drawback to this sloganeering, though. By saying that something "good" or "socially beneficial" is not a crime, more recent invokers of the slogan are resisting the opportunity to meaningfully interrogate the social construction of criminal conduct. Crime is, and has always been, a way of defining deviance. Being gay was a crime. Having HIV can be criminalized. Sex work can be a crime. Loitering can be a crime. Being homeless can be a crime. Protesting can be a crime. Something being a crime is not a sign that it is morally repugnant. It means it is against the law. By saying that "x is not a crime," proponents are expressing interest in being inside the charmed circle of appropriate conduct and context. There's an exceptionalism to this kind of rhetorical move. Criminalization is inappropriate when placed on these activities that might penalize the (presumably innocent) computer security expert or journalist.
Perhaps these slogans are meant to invoke the counterculture of the skateboarder, but at the point in which the head of a major United States security agency speaks at prominent hacker conferences, it’s time to stop pretending that “hacker” is a disempowered minority. Indeed, to call on the legacy of the “not a crime” slogan and apply it to the CFAA has another irony. As Ferrell points out, skateboarders and others who used cultural advocacy campaigns lacked the ability to meaningfully contest narratives in other ways. Although the academics and advocates who wore the “scraping is not a crime” t-shirts may view themselves as the underdogs (and in many ways, they are), the t-shirt was part of an advocacy campaign that included an amicus brief submitted to the Supreme Court, as well as many years of successful fundraising. Hardly the arrested skateboarder or the (literally) tortured Iranian journalist.
The criminalization of routine computing activity is an amazing opportunity to refuse to equate criminalization with bad conduct—to push through the idea that the criminal law creates the distinction between appropriate and inappropriate action. But instead, this slogan now operates as a version of respectability politics. Much of anti-CFAA advocacy has concentrated on carving out certain conduct as unobjectionable or safe - to protect people who do not deserve the investigation of the criminal system from its baleful eye. They focus on the positive benefits of hacking or scraping, the goals of research, rather than taking the next step to point out that many forms of criminalized conduct have always had positive benefits. These small-scale reforms are at odds with efforts led by prison abolitionists as well as others from more radical traditions, which attack the very notion of criminality and push back against the notion that the problem with criminalization is that we’re just not criminalizing the right things.
But one does not need to be a prison abolitionist to find ways for technology policy to act in solidarity rather than respectability. Although I hesitate to bring it up because Aaron Swartz’s death has become symbolic and thus disconnected from those who knew and loved him, the advocacy from technology law community members after the death by suicide of Aaron Swartz is an excellent example of this phenomenon. For folks who are unfamiliar: Swartz was a young, White man charged with a number of felonies—two counts of wire fraud and eleven counts of violating the CFAA. He faced a potential sentence of up to 35 years in prison. Whether Swartz would have been convicted is a matter of some debate, but what is clear is that Swartz rejected a plea bargain that would have had him serve six months, which some have suggested was due to his concerns about losing the right to vote. While the charges were pending, he died by suicide.
Aaron’s Law and The Focus on CFAA Reform
After Swartz’s death, Carmen Ortiz, the U.S. Attorney who prosecuted Swartz, rejected claims that her actions were inappropriate. Lawrence Lessig, a friend of Swartz’s and a Harvard Law professor and Internet policy luminary, took to his blog to decry a bullying prosecutor, and commend Swartz’s kind soul. He noted that the architects of the financial crisis were not felons, whereas Swartz was facing felony charges. Subsequently, Lessig gave a chair lecture at Harvard about Aaron Swartz’s life and work (see the transcript). In this talk, he listed a number of ways to respect Aaron’s work and activism – first, passing Aaron’s Law, which would reform the CFAA. Lessig then proposes fixing “dumb copyright”, “fixing the system that made dumb copyright,” and then “fixing obliviousness.” (Lessig also, in a moment of what I hope was some of that obliviousness brought on by grief, compares Swartz’s activism to Rev. Martin Luther King Jr, arguing that civil disobedience to copyright is more difficult than it was to segregation. The offensiveness of that statement speaks for itself.)
Lessig’s call has not gone unheard. In addition to his refocusing of his work towards ending political corruption, including an unsuccessful run for president, the Electronic Frontier Foundation has advocated for the passage of Aaron’s Law, the CFAA reform bill. The first iteration of Aaron’s Law was introduced by Congresswoman Zoe Lofgren and Senator Ron Wyden in 2013. It aimed to limit the scope of the CFAA. The bill never made it out of committee, but it has been a perennial advocacy priority. Imagine that instead of an Aaron's Law that aimed to amend just the CFAA, we had an Aaron's law that fought to do something about the phenomenon of prosecutors loading up on the greatest possible charge in hopes of forcing the accused to take a plea deal in contexts beyond federal hacking charges. Both the reach of the CFAA and the charging practices of prosecutors contributed to Swartz's death by suicide. But advocacy on one of those matters only benefits a limited class of people, primarily White folks, whose prosecution risk is extraordinarily low as a general matter. Advocacy on prosecution practices more generally could limit the scope of the criminal legal system's violence on a much larger number of people.
This is not a novel sentiment. Catherine Bracy made this point in her blog post discussing exactly this topic in 2013. To quote only part of her excellent piece, which is absolutely worth a read (or re-read) “… the calls for action have focused on reforming cybercrime law. Which is great and noble, but I can’t help but wonder why people recognize the unfairness of Aaron’s prosecution not as a flaw in cybercrime legislation but as a flaw in the justice system as a whole?”
Unfortunately, her blog post did not catalyze change (or it appears, much reflection). Since 2015, CFAA advocacy has focused on carve outs, safe harbors, and exceptions. If I were to hazard a guess as to why this is true, I would suggest that the tech policy world's view of the CFAA as exceptional is primarily driven by its lack of contact with the criminal legal system. And that, I would suspect, is due to its Whiteness. It is no coincidence that Catherine Bracy, a Black woman, pointed out the broader systemic context of advocacy around Swartz’s death in 2013 by connecting Swartz’s prosecution to her experience and that of her family members.
To Wyden, Lofgren, and the EFF’s credit, Aaron’s Law as proposed does include some steps to limit potential felony charges associated with the CFAA, primarily by not allowing multiple charges to lead to sentencing enhancements. But the rhetoric around this is a clear predecessor to our current moment re: “not a crime.” Wyden’s press release says “What’s more, the available penalties under CFAA do not correspond to the crime. When a person commits a computer crime where there is substantial harm caused, the person should be subject to substantial sanctions. But, under the CFAA, a computer crime that results in little or no economic or other harm, could still lead to a felony conviction and substantial jail time.”
Crime in the eye of the beholder
The CFAA is not unique in creating potential felony convictions out of harmless molehills. But because of the version of respectability politics at play, CFAA reform advocates don’t take up Bracy’s point that this is common across criminal statutes, rather than a CFAA-specific problem. Other federal criminal statutes contain just as much uncertainty as the CFAA (if not more- consider the Travel Act). And state criminal law is an unspeakable morass of ill-defined crimes and selective prosecution. But the targets of prosecutions under most of those statutes are not (mostly) White technologists. They are Black and brown folks, mostly men and boys. Most criminal laws are broad statutes that can be used to snare the well-meaning as well as the nefarious, if those are even discrete categories. The difference between a “criminal” and a “law-abiding citizen” can be the racist beliefs of the cop who pulled someone over or whether the prosecutor (or the judge) ate breakfast. It has never been good intentions or the nature of the conduct.
Discretion in criminal charging and overloading felony charges is not a CFAA problem. It is a criminal law problem. Vagueness and criminalization of prosocial conduct is not a CFAA problem. It is a criminal law problem. But because of the anti-Blackness of criminal law, it usually doesn't substantially constrain the behavior of White, upper middle class nerds with stable jobs who are used to having institutional power.
My goal here is not to trade in whataboutism, nor to say that no one should care about the CFAA or push for changes to lessen the harms it inflicts: there would be incredible irony to that, given my vocation. Instead, I hope to point out that there is power in solidarity – in recognizing the forces that harm hackers and scrapers are not unique to them, but part of a broader, violent, power structure. Rather than fighting to be within the circle of non-criminal conduct, hackers, scrapers, and accountability researchers alike should advocate against rampant criminalization.
US journalists, security researchers, and academics may see themselves as scrappy, lacking the institutional resources of Facebook or the United States government, but they are not the skateboarders of the 1990s, nor the ones most impacted by overbroad laws. It’s time they, or maybe to put it more accurately, we, act like it.
Scraping should not be a crime, nor should hacking, in many cases. But neither should sex work, possessing marijuana, loitering, or for that matter, skateboarding. And prosecution of those crimes has harmed more people than the CFAA ever has.
Acknowledgements: Thank you to Ted Han, who provided support and helpful thoughts for this essay, particularly the journalism bits; to Andy Sellars, who despite wearing a t-shirt (☺), provided excellent feedback and reminded me about the slogan’s ties to skateboarding. Apryl Williams also provided valuable edits and encouragement. This essay is based in part on this tweet.
Social share image credit & license: Flickr/dasroofless