In light of the string of high-profile hacks at companies in 2014, culminating with Sony, it is not surprising that President Obama, as part of the State of the Union, has announced several legislative proposals involving cybersecurity. One of the proposals seeks to amend the controversial Computer Fraud and Abuse Act (“CFAA”), the federal computer hacking statute that was used by the government to prosecute Aaron Swartz, who committed suicide after being charged. Swartz’s father, among others, blamed overzealous federal prosecutors for the suicide. Since then, commentators have urged Congress to amend the CFAA to make clear, among other things, that simply violating a term of service, as Mr. Swartz allegedly did, is not a federal crime. However, it is unlikely that the White House proposal will do much to satisfy these critics, since the proposal not only increases the penalties for certain types of cybercrime, but also resolves the current circuit split by explicitly providing that breaching a written restriction on computer use is a crime. Moreover, the proposal is very similar to previous White House proposals that failed to make the case that increasing penalties for certain types of cybercrime will deter future crime. While there is little doubt that the CFAA should be amended, the Administration’s proposal does not really appear to be a constructive step in that direction.
The CFAA is currently composed of a number of provisions that, in general, outlaw computer trespass under a variety of circumstances. The central and most commonly used provision is 18 U.S.C. § 1030(a)(2), which broadly prohibits accessing a computer “without authorization” or “in excess of authorization” and obtaining information. Since the statute does not define “without authorization,” courts have grappled with, and split on, what it means to access a computer without authorization.
Cases that have arisen under the CFAA since it was originally enacted in 1986 can generally be grouped into three categories. The first and least controversial category is cases in which the defendant actually “hacked” into a computer by circumventing a technological barrier, such as by exploiting a flaw in security. The CFAA was intended to cover such “code” based activities and courts have universally agreed that such activity is illegal because it constitutes “access without authorization.”
Finally, the third category involves situations in which the defendant did not explicitly violate a term of service, but engaged in activity that could be considered a breach of a social norm, such as where an employee downloads information from his employer’s computer with authorization and then subsequently uses that information to the detriment of the employer, for example by starting a competing company. Some courts have found that where the employee had authorization to access the information at the time of the access, the fact that the information was subsequently misused is irrelevant and no violation was committed. In contrast, other courts have found that this is illegal unauthorized access to the employer’s computer.
Currently, regardless of the category of the case, where criminal liability is recognized, the basic violation is a misdemeanor under 18 U.S.C., and the defendant is subject to at most one year in jail. However, a violation is treated as a felony if the act is committed for profit, if the information obtained is worth more than $5,000, or if the act is done in furtherance of a state or federal crime or tort.
The Administration’s proposal would impact the above understanding of section 1030(a)(2) in a number of important respects. First, a basic violation, which is now a misdemeanor, would become a three-year felony, and where one of the enhancements applied, it would become a ten-year felony instead of a five-year felony. So far, the White House has offered no justification for the need to substantially increase the potential sentences for a violation of the CFAA. In fact, the Administration has repeatedly failed to make its case with prior Congresses that increasing sentences for violating section 1030(a)(2) is a good idea, and it is probably a bad idea for a number of reasons and should be rejected by Congress.
First, making all violations of this section a felony is not an insubstantial change. Government prosecutors are loath to charge misdemeanors for a variety of reasons, including that “misdemeanors are not real crimes.” By making conduct that previously could only be prosecuted as a misdemeanor into a felony, the proposal would create a far greater incentive for the government to charge a defendant in a close case where the government really should exercise its prosecutorial discretion and decline to prosecute. The White House has offered no evidence that such a drastic step is necessary.
Moreover, defendants in federal court are sentenced pursuant to the Federal Sentencing Guidelines, which take into account a variety of factors relating to the crime, such as financial gain to the defendant or economic loss to the victim, and the defendant’s criminal history. In practice, the actual sentence is almost always substantially less than the permitted statutory maximum. Indeed, one study has suggested that federal sentences max out less than 3% of the time. In the case of the CFAA, there is not a single report of a federal judge being constrained by the current statutory maximum from sentencing a defendant to a longer prison term. The Administration is, therefore, considering simply strengthening the maximum statutory prison penalties without a record that such changes are actually needed.
Next, the Administration’s proposal would resolve the current circuit split by amending the definition of “exceeds authorized access” to add that a user exceeds authorized access when he accesses a computer “for a purpose that the accesser knows is not authorized by the computer owner.” Thus, where a defendant breaches a written restriction on computer use, he violates this section, since the written restriction puts him on notice that his activity is not authorized by the computer owner. However, the proposal narrows the scope of this change by providing that exceeding authorized access is only a violation where (1) the value of the information obtained exceeds $5,000; (2) the computer is owned or operated by the United States; or (3) the offense was committed in furtherance of any felony violation of the laws of the United States, or of any state. Thus, the proposal would broaden the scope of section 1030(b)(2) in those jurisdictions that have found that violation of a written restriction is not a crime and narrow its scope in those jurisdictions that have held that it is a crime.
It is noteworthy that under the Administration’s proposal, the government could still have charged Aaron Swartz with a violation of section 1030(a)(2), since he allegedly breached a written restriction that expressly put him on notice that he was accessing the computer system for a purpose that was not authorized by the owner of the system, and the value of the information obtained by Mr. Swartz likely exceeded $5,000. Because the proposal probably would not decriminalize the conduct at issue in Mr. Swartz’s case, this provision is likely to find tepid support in Congress, especially amongst those members who supported “Aaron’s Law,” which was proposed shortly after Mr. Swartz committed suicide, and which would have decriminalized such conduct.
Another potential problem with the Administration’s proposal is that it is not clear what type of conduct, if any, may be covered under this section where the conduct involved a violation of a social norm. It is clear that under the amended definition of exceeds authorization, where a defendant violates a written policy it is a violation of this section, since the written restriction puts the defendant on notice. However, where the defendant’s conduct violates a social norm, but not a written restriction, the outcome is far from certain. A violation would depend on whether the government could establish that the defendant knew that he was accessing the computer and obtaining information for a purpose that “is not authorized by the computer owner.” How does one know what the computer owner has authorized? Courts have problems with criminal statutes that do not provide individuals with adequate notice of the prohibited conduct. It seems likely that most courts would have problems with this language. Accordingly, Congress would need to address this language before going forward with the Administration’s proposal.
Most commentators in this area agree that the CFAA is a mess and should be amended, especially since the Supreme Court appears not to be interested in settling the circuit split. The current Administration proposal, while it may be an improvement over previous White House proposals, is still not ready for prime time. Apart from the issues discussed above, the proposal also does not provide for a broader basis for damages in a civil case, which ultimately may be the best way to reduce computer crime. While the CFAA is primarily a criminal law, it does provide for a private right of action. However, the basis for bringing a civil action is limited and recovery of damages is also limited. Since the government admittedly lacks the resources to investigate and prosecute every instance of computer hacking, it should be made easier for the victims to sue and recover damages. In short, the White House proposal is unlikely to deter computer crime and does almost nothing to correct the problems with the existing version of the CFAA. Given the choice between adopting this proposal and doing nothing, Congress would be wise to pick the latter.