March 30, 2017

Supreme Court needs to clarify the scope of the CFAA

The Computer Fraud and Abuse Act (CFAA) has been the primary “go to” statute for the federal government to prosecute hackers since it was originally enacted in 1986. Despite being amended several times since then, it is woefully out of date, and appellate courts have reached contrary conclusions about the meaning of key provisions, including what it means to access a computer without authorization or in excess of authorization, which form the CFAA’s basis for criminal and civil liability. Indeed, the very recent decision by the Second Circuit in United States v. Valle deepened the split between, on the one hand, the Second, Fourth and Ninth Circuits, which have adopted a narrow interpretation of exceeding authorized access, and, on the other, the First, Fifth, Seventh and Eleventh Circuits, which have adopted a broad interpretation that, among other things, would allow an employer to claim a violation where an employee misused employer information that he or she was otherwise permitted to obtain. Since Congress has shown no ability to act, the Supreme Court needs to resolve this serious conflict.

Valle arises from a truly gruesome and ghoulish set of facts. Gilberto Valle, a/k/a the “Cannibal Cop,” was charged with a number of counts, including improperly accessing a computer in violation of the CFAA. The evidence at trial included detailed emails and chats on websites where the defendant discussed butchering, raping, torturing and eating women whom he knew. The defendant obtained details about certain of these women using various restricted databases at work, including the National Crime Information Center database. The jury convicted Valle of violating the CFAA, and the court denied Valle’s motion for judgment of acquittal on the CFAA count.

On appeal, the Second Circuit reversed the judgment of conviction on the CFAA count, finding that while he violated the terms of his employment by accessing the restricted databases for personal reasons, his actions did not constitute a violation of the CFAA because he was authorized to access the databases. The Valle Court adopted the approach set forth by the Ninth Circuit and by the Fourth Circuit, that “without authorization” applies to “outside hackers (individuals who have no authorized access to the computer at all) and ‘exceeds authorized access’ would apply to insider hackers (individuals whose initial access to a computer is authorized but who access unauthorized information or files).” The Second Circuit was concerned that while it may be distasteful not to impose criminal liability in this case, the “interpretation of ‘exceeds authorized access’ will govern many other situations” and could “unintentionally turn ordinary citizens into criminals,” and, thus, “the rule of lenity requires that Congress, not the courts or prosecutors, must decide whether conduct is criminal.”

In contrast, the First, Fifth, Seventh and Eleventh Circuits have interpreted the term “exceeds authorized access” much more broadly, and upheld convictions where the defendant was authorized to access the databases but exceeded authorized access because the defendant’s access to certain files was not in furtherance of the defendant’s duty as an employee.

There is now a clear split between the narrow and broad interpretations of what it means to access a computer without authorization or in excess of authorization under the CFAA. The Supreme Court needs to resolve this circuit split at the first possible opportunity because Congress has not shown an inclination to act. Further, as one commentator has noted, the Supreme Court also must adopt the narrow interpretation in order to prevent arbitrary and discriminatory enforcement of the law under the broad interpretation, which, among other things, would be unconstitutional under the void-for-vagueness doctrine of the Due Process Clause.

Further, the fact that the government has promised not to pursue garden-variety violations of the CFAA does not provide the necessary basis to uphold the broad interpretation. Indeed, it does just the opposite. The government has admitted, in essence, that it has the power to arrest almost everyone, but that we should trust it to prosecute only the serious cases. The obvious problem with this approach is that this is not a decision that should be made by the government. Whatever the merits of imposing criminal liability in a case such as Valle, it is the role of Congress, and not the courts or prosecutors, to decide whether conduct is criminal.

Since 1986, the CFAA has remained the principal criminal statute used by the federal government to prosecute hackers and, unfortunately, Congress appears to have largely given up any effort to remake the law to reflect the realities of the 21st century. It is therefore high time for the Supreme Court to step in and determine the breadth of unauthorized access under the CFAA and ensure that it will not be used by the government to prosecute, for example, an individual for checking their Facebook account at work, notwithstanding the government’s promise not to do so.

This blog first appeared in The Hill, Congress Blog on December 24, 2015.
