When Is Hacking A Crime? Potential Revisions to the CFAA
Posted: July 9, 2014
In the wake of the much-publicized federal criminal prosecution and suicide of Aaron Swartz, the Computer Fraud and Abuse Act (“CFAA”) (codified at 18 USC §1030) has drawn deserved criticism from legal commentators and lawmakers. Indeed, the CFAA is an outdated, patchwork statute, in need of revision.
Swartz, a computer programmer, entrepreneur, and activist, was accused of accessing restricted portions of MIT’s computer network in order to download millions of journal articles from a digital library. He faced as much as 35 years in prison and a $1 million fine under the CFAA and related statutes.
Prominent critics, like Congresswoman Zoe Lofgren (D-CA), contend that the CFAA imposes substantial criminal liability and punishment for relatively innocuous conduct. In 2011, in the wake of the Swartz case, Congresswoman Lofgren introduced “Aaron’s Law” to prevent arguably disproportionate penalties for certain CFAA violations. However, the proposed statute would also seemingly insulate “authorized users” of computers from prosecution, regardless of the nature of their conduct or the harm it causes. Congress should not seek to fix the CFAA by opening unnecessary gaps in the statute. Instead, a more careful revision would ensure that violations of, for example, terms of service agreements would not trigger criminal liability for users, while also giving law enforcement means to punish malicious, damaging conduct by even “authorized” computer users.
The Computer Fraud and Abuse Act
The CFAA criminalizes many activities done after “knowingly access[ing] a computer without authorization or exceeding authorized access.” Generally speaking, the seven provisions of the CFAA punish: (1) obtaining national security information; (2) obtaining information of a government agency or of a confidential nature (e.g., financial information); (3) trespassing in a government computer; (4) accessing a computer to commit a fraud; (5) damaging a computer (e.g., by worm, virus, or denial of service attack); (6) trafficking in computer passwords; and (7) threatening to damage a computer.
The CFAA punishes computer access “without authorization” or “exceeding authorized access.” Penalties under the CFAA range from a misdemeanor (imprisonment for not more than one year) to 20 years incarceration, with the majority of offenses carrying a penalty of five years incarceration for a first offense and ten years for a second. There is a jurisdictional requirement of $5,000 worth of damage which is, in effect, a technicality since that amount can be satisfied by investigative and administrative costs related to understanding and assessing an intrusion.
Late in 2010, Swartz entered a restricted network wiring closet in the basement of an MIT building. He then rigged a laptop and external hard drive to retrieve 4.8 million articles from JSTOR, a not-for-profit digital library that offered paid subscribers access to 2,000 academic journals. Swartz was apprehended and arrested on January 6, 2011, as he sought to retrieve the laptop and hard drive, while obscuring his identity with a bicycle helmet.
The operative 13-count indictment was returned against Swartz on September 12, 2012 and included five counts charging violations of §1030(a)(4) (computer fraud, 5-year maximum penalty), five counts charging violations of §1030(a)(2) (unlawfully obtaining information from a protected computer, 5-year maximum penalty), one count charging a violation of §1030(a)(5) (recklessly damaging a protected computer, misdemeanor), and two wire fraud counts.
The original CFAA counts against Swartz were premised on Swartz accessing protected computers without authorization and in excess of authorized access. In the superseding indictment, the United States alleged only that Swartz accessed protected computers without authorization.
The courts have long debated the meaning of both “without authorization” and “exceed[ing] authorized access” under the CFAA. There have been inter- and even intra-circuit splits on this issue for some time. The Fifth, Seventh and Eleventh Circuits all have held that the CFAA broadly covers violations of corporate computer use restrictions. See U.S. v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); U.S. v. John, 597 F.3d 263 (5th Cir. 2010); and Int’l Airport Ctrs. LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).
In contrast, the Ninth and Fourth Circuits have more recently interpreted “exceeds authorized access” narrowly, so as not to include mere violations of corporate computer restrictions. In the leading case, United States v. Nosal, 676 F.3d 854 (9th Cir. 2012), the Ninth Circuit en banc dismissed the indictment of David Nosal, a former employee of a search firm, who convinced his former colleagues to download and provide him with confidential firm information. The CFAA counts against Nosal were grounded in a theory that he aided and abetted his former colleagues to “exceed [their] authorized access” with intent to defraud. In other words, he was alleged to have violated the CFAA by persuading his former co-workers to use a company computer in a way prohibited by company policy. The court expressed great concern over the government’s attempt to “transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” It ultimately held that there was no liability under the CFAA because the statute covers only the “unauthorized procurement or alteration of information, not its misuse or misappropriation.” Thus, according to the Ninth Circuit, violating company policy regarding computer use is not an actionable offense under the CFAA. See also WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 202, 207 (4th Cir. 2012) (affirming the dismissal of a complaint for failure to state a claim under the CFAA).
It is clear that the meanings of “without authorization” and “exceeding authorized access” are subject to varying interpretations. The trend among courts, however, appears to be narrowing the scope of the CFAA rather than broadening it.
The latest version of Aaron’s Law dates to June 20, 2013 and has been stalled in the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations since July 2013.
Aaron’s Law would make changes to both the CFAA and the wire fraud statute (18 U.S.C. §1343). In substance, the proposal would eliminate the “exceeds authorized access” language. It would further define “access without authorization” to include only obtaining “information on a protected computer,” that the “accesser lacks authorization to obtain,” by “knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining or altering that information.”
With the prohibition on “exceed[ing] authorized access” abolished, Aaron’s Law would decriminalize violations of an agreement, policy, duty, or contractual obligation regarding Internet or computer use, such as an acceptable use policy or a terms of service agreement. No longer would use of a computer service by a 16-year-old arguably create criminal liability where the operative service agreement provides that the user must be over 18. This change would bring the statute in line with the cases like Nosal that have construed the CFAA narrowly.
By limiting the applicability of the CFAA to outside computer hacking, Aaron’s Law would re-write the CFAA such that even malicious, destructive conduct by a person with legitimate access to information on a computer would not seem to be prohibited. By eliminating “exceeding authorized access” as a basis for criminal liability, Aaron’s Law might be going too far in its efforts to limit criminal liability only to hackers.
Although Nosal and some other cases focus on whether violations of terms of service agreements should be a basis for criminal liability, “exceeding authorized access” covers a much broader swath of conduct, including users with authorized access who steal or destroy valuable information. Under Aaron’s Law there would arguably be no liability for even the most serious misconduct undertaken by legitimate users like subscribers or employees.
The CFAA should, instead, differentiate authorized users who access immaterial, non-sensitive information from authorized users who exceed their access rights in a malicious and destructive way. A more comprehensive amendment to the CFAA would (1) define what types of information are worthy of greater protection and (2) ensure that benign activities such as violations of terms of service agreements would not risk criminal liability. The CFAA must still allow prosecution both of true hackers, regardless of the content accessed, and of authorized users who access or compromise a defined subset of sensitive or valuable information and thereby cause meaningful harm.
Finally, even had they been in place in 2010, the amendments proposed by Aaron’s Law may not have shielded Swartz from prosecution. After all, the superseding indictment charged Swartz with “unauthorized access” of the MIT network and he allegedly circumvented both technological and physical measures to obtain JSTOR information. Such conduct is very likely prohibited by the current version of CFAA and would have been explicitly prohibited by Aaron’s Law.
Allison D. Burroughs, a partner in the Litigation Department at Nutter McClennen & Fish LLP, focuses her practice on white collar criminal defense and government investigations, computer fraud and abuse and complex civil litigation.
Benjamin L. Mack, a partner in the Litigation Department at Nutter McClennen & Fish LLP, focuses his practice on securities litigation, government investigations, commercial business disputes, bankruptcy litigation and intellectual property litigation.
Heather B. Repicky, a partner in the Litigation Department at Nutter McClennen & Fish LLP, focuses her practice on civil litigation, with an emphasis on IP and complex commercial matters.