How to reform the outdated federal anti-hacking law
The more than 30-year-old Computer Fraud and Abuse Act carries overly harsh penalties for trivial digital transgressions – and it needs to be completely overhauled (or abolished altogether).
The Computer Fraud and Abuse Act (CFAA) is notorious for its failure to define what offenses it seeks to prohibit, namely unauthorized access or unauthorized damage to a computer. This is problematic because the CFAA is the US government’s primary tool for prosecuting computer hacking crimes. Defendants can face maximum sentences of 5 to 10 years (or 20 years if there is a prior CFAA conviction) depending on what part of the CFAA they violate, for crimes where there is little or no real harm.
Between 2011 and 2014, criminal CFAA prosecutions by the Department of Justice (DOJ) increased roughly 41 percent. Complicating matters is the fact that the CFAA is also a civil statute, and most of the interpretive case law is from civil cases, not criminal, where the burden of proof is lower and no one’s liberty is at stake. It is unclear why the DOJ does not prosecute the civil cases criminally. Most are potentially criminal as well, and most are between business entities, yet the DOJ has never brought a CFAA prosecution against any type of business entity.
Regardless, the resulting case law is a contradictory mishmash of statutory interpretations by federal courts across the country, much of it standing antithetical to norms of the information security community or normal computer use. The vague and often contradictory case law grants an inordinate amount of discretion to the DOJ to engage in politically-motivated prosecutions and allows civil litigants to clog court dockets with frivolous lawsuits. The CFAA is in serious need of reform.
The question of what constitutes authorization is controversial and subject to contradictory interpretations in federal courts nationwide. Among the questions courts have confronted is whether the definition of authorization should depend on whether a contract like an employment or terms of service agreement has been breached, such as by lying about your age on a dating website. But this is arguably a criminalization of contract law. Other courts and commentators base authorization on agency law and a defendant’s relationship, employment or otherwise, to the computer owner, resulting in a scenario where a defendant can be convicted of hacking without breaching a system, such as in a password sharing scenario. Lastly, some courts have considered limiting authorization to the circumvention of technical access barriers, such as an authentication protocol. These are difficult and complicated questions to which the CFAA provides no clear answers. Unfortunately, the current proposals for reform either do too little or do too much.
Origins of the anti-hacking law
The CFAA originated, appropriately, in 1984, before the internet existed as we know it today. Among other things, it prohibits two main categories of conduct:
- Accessing a computer without authorization, or exceeding authorization after having properly accessed a computer.
- Damaging a computer without authorization.
Nowhere in the CFAA is there a definition of authorization, and the federal courts nationally are divided on the issue. Damage is defined broadly as “any impairment to the integrity or availability of data, a program, a system, or information” and prosecutions for computer damage usually involve deleted files or distributed denial of service attacks. The question of damage gets murkier when you ask if the deletion of backup files constitutes CFAA damage, or if you can impair the “integrity” of a system by merely possessing a username and password to the system even if you don’t use it, as the government recently alleged in a filing in the Ninth Circuit Court of Appeals.
CFAA damage needs to be distinguished from CFAA loss, something that causes a great deal of understandable confusion for courts, lawyers, and commentators. Most people automatically think of “damages” in a legal case as a monetary figure. But under the CFAA, the notion of monetary damages is covered by its definition of “loss,” which includes any reasonable cost related to the computer intrusion. Such costs associated with “loss” include those incurred to investigate and restore a system, and those incurred from any interruption of service. The question of the definition of CFAA loss hasn’t gotten as much attention as the question of what constitutes authorization, but it is just as problematic and in need of reform since the murkiness of the definition invites Enron-style accounting. A civil litigant cannot maintain a private action against an individual until at least $5,000 in loss is established, and the $5,000 threshold is one way that the government establishes felony liability under the CFAA, by far one of the most contested issues in any CFAA case. On the criminal side, the higher the loss number, the higher a defendant’s potential sentencing exposure under the US Sentencing Guidelines. On the civil side, it is usually used to bludgeon a defendant into a settlement.
Because the Federal Appeals Courts are divided as to what constitutes unauthorized access, the interpretation of the law may be different in one circuit than in another. When that happens, this is called a “circuit split.” The primary function of the US Supreme Court is to resolve circuit splits. Currently, there is a major circuit split when it comes to what constitutes unauthorized access to a computer under the CFAA.
To crudely summarize, four circuit courts of appeal (the Second, Fourth, Sixth, and Ninth) have held that a CFAA defendant’s actions are only “without authorization” when he has no right to take those actions under any circumstances (i.e. instances where authorization has been explicitly revoked or that involve circumventing technologically imposed restrictions) and cannot be based on a breach of contract such as violating a website’s Terms of Service. Two (the First and Seventh) have held that, in civil cases, a defendant’s authorization can depend upon his employer’s policies or his duty of loyalty. One (the Fifth) has held that a criminal defendant acts “without authorization” when he accesses information he is authorized to access but does so in furtherance of a violation of a separate criminal law. And only one (the Eleventh) has held that a defendant can be held criminally liable for violating his employer’s policy — however, only where he was specifically notified of criminal penalties for unauthorized access. The US Supreme Court has yet to rule on the issue.
This interpretive ambiguity has led to criticisms that the CFAA violates the Fifth Amendment's due process clause, which requires that a defendant be on notice that the actions they are engaging in are illegal and that a statute gives clear guidance to law enforcement to avoid arbitrary prosecutions. One of the primary complaints about the CFAA in the information security industry is that it criminalizes what many consider normal behavior, such as probing a publicly accessible server for vulnerabilities. And some DOJ CFAA prosecutions have alarming implications for all Americans, regardless of skill. For instance, Google searches that happen to take a computer user to an area of a website that the owner failed to secure could constitute criminal behavior in the eyes of the law. Indeed, the DOJ has prosecuted defendants for accessing and obtaining information from publicly facing servers with no password protection under the theory that it was done against the server owner’s wishes.
The DOJ has also used the CFAA to prosecute individuals whose activities were largely harmless, but whose views were politically unpalatable to them — even when the alleged “victims” did not want a criminal prosecution. This happened most notably in the prosecution of the computer innovator and activist Aaron Swartz. Mr. Swartz was prosecuted for downloading, via a closet at the Massachusetts Institute of Technology (where hacking, at least in the US, was invented) academic articles from a company called JSTOR, under the theory that information should be free. But even though JSTOR didn’t believe he should be criminally prosecuted, the DOJ indicted Swartz.
Swartz’s suicide in the face of an egregious CFAA prosecution for essentially bulk downloading academic articles from a proprietary academic database brought calls for change. Part of what Swartz was accused of was violating the Terms of Service for the academic database, thereby making his access of it criminal.
A bill, known as “Aaron’s Law,” was first introduced in Congress after his death in 2013, and then again in 2015. The bill went nowhere both times. It sensibly seeks to stop Terms of Service violations from qualifying as unauthorized access. However, the bill leaves the loss and damage provisions largely untouched, leaving an opening for both frivolous civil suits and draconian criminal prosecutions. The proposed changes are, however, far better than the “reforms” the Obama administration proposed that would have resulted in an even harsher CFAA.
The most troubling aspect of the Obama administration’s 2015 proposal is the attempt to turn violations of the CFAA into what is known as a RICO predicate act. This proposal is currently stalled, but the thinking behind it is troubling and indicative of the DOJ’s thinking on the issue. It would have the practical effect of imposing CFAA criminal liability on individuals associated with groups that commit computer crimes, even though that individual has no knowledge of the illegal activity. For instance, if you are part of a political activist group and administer the group’s social media accounts with others, you may find yourself being prosecuted by the mere fact that you are associated, via the administration of the social media accounts, with someone who engages in criminal activity without your knowledge. Expanding criminal liability under the CFAA in such a dramatic fashion will not only harm the interests of legitimate information security researchers and normal computer users but will chill political speech on the internet. Given the DOJ’s long, troubled, and well documented history of criminal activity against political groups it finds distasteful, this is not fanciful speculation.
To add insult to injury, the Obama administration’s proposal seeks to raise the maximum sentences under the CFAA dramatically. It should be rigorously opposed should it rear its ugly head again. Instead, the CFAA needs to be reformed in a manner that meets the concerns of legitimate computer researchers and users, prevents felony prosecutions for relatively harmless hacks, while at the same time providing law enforcement with the tools to prosecute computer crimes where the harm, or attempted harm, is real rather than fanciful hyperbole.
How to reform CFAA
First, the “loss” felony threshold is too low and needs to be revised. One of the ways that a CFAA hacking misdemeanor turns into a felony is if the value of information obtained, or the monetary loss that the computer intrusion causes, exceeds $5,000. As a practical matter, this threshold is extremely easy to meet, particularly when the “victim” is a large corporation, as is often the case. Large meetings are called, expensive forensics firms are hired, and often a lot of unnecessary work is performed, all of which is often poorly documented or in the worst cases “churned” to increase the bill. Most of the time a lot of the work involves the “victim” realizing that its information security is atrocious because it was viewed as an expensive hassle. The hacker who exposes the negligent information security, often by publicly disclosing it, usually foots the bill for this. Judges and juries tend to accept companies’ self-serving estimates of time and money expended, no matter how shoddy. I’ve seen spreadsheets with numerous blank entries, or filled with vague descriptions like “opportunity cost” or “good will” be offered by the government as proof of loss — even though those concepts were unrelated to any harm caused by the intrusion. In short, it is far too easy to meet the $5,000 felony threshold and this number needs to be dramatically raised to circumscribe the far too expansive criminal scope of the CFAA. A more practical number is $250,000. $5,000 still puts you in small claims court in New York State.
Second, there is a $5,000 threshold to bring a civil suit under the CFAA. This number should be raised as well, although perhaps not as high as the threshold for a felony prosecution. That’s because, if we have to live with a dual civil and criminal statute as poorly drafted as the CFAA, most of what is now prosecuted criminally should be civil. Rarely is there any other harm than monetary when it comes to hacking. This is not to say that monetary harm cannot be serious, or require criminal sanction, just that in most instances criminal sanctions are not warranted.
Consider the fact that every civil CFAA case is a potential criminal one. There are hundreds of civil CFAA cases between companies, and more will come since it has become a popular way for companies to attempt to enforce intellectual property rights and sidestep the more onerous burden of proof involved with bringing a trade secrets claim. It also allows companies to go after former employees who copy files on the way out the door (or after they’ve walked through the door). Yet the DOJ has never criminally prosecuted a company for a CFAA violation. The DOJ has only prosecuted individuals.
This is purely an exercise of prosecutorial discretion on the DOJ’s part. And the exercise of prosecutorial discretion is not a legal exercise, but a moral one. There is no statute that directs a prosecutor whether or not to bring a criminal case as long as the elements of the crime are met. But the implicit message from this DOJ morality play in not prosecuting companies for CFAA violations is that the harm in the civil cases is not worth criminal prosecution and is just as well handled civilly. Yet the monetary harms in CFAA civil cases are just as great, if not greater, than those in criminal CFAA cases. Thus, most of what is prosecuted criminally under the CFAA should not be allowed, since the matters should be dealt with in civil court, if at all.
Third, the definition of damage should be circumscribed to only include real damage to data, or its method of access, on a computer. Innocuous instances of an employee deleting their emails on the way out the door, or the deletion of backup data for which there are multiple readily available copies, should be eliminated from the scope of CFAA damage. Otherwise CFAA criminal liability can attach for simple acts, such as editing a Word document without permission, or turning off someone’s computer without permission, as both these acts can be read as constituting CFAA damage under a broad reading of the statute.
Finally, unauthorized access should be strictly construed to only include instances where a technical, code-based barrier to access is bypassed. Unauthorized access should not be based on agency, contractual, or any type of relationship between entities, individuals, or entities and individuals. This approach keeps the courts’ debates over whether conduct was authorized from becoming mired in analysis of relationships developed in the physical world.
Additionally, there would be no risk of criminalizing password sharing, which is often done by Netflix and other streaming video subscribers. Although there are some instances where password sharing can lead to serious criminal and civil offenses, there are other provisions of the CFAA, such as the damage provisions, that provide for litigation against someone who harms a computer, as well as a number of other federal statutes dealing with identity theft, wire fraud, and the like, that are readily available to deal with any issues that may arise.
Tor Ekeland focuses on computer and business law, and on the increasing convergence of those two fields. He represents defendants charged with federal computer crimes in high profile cases nationwide.