
How to reform the outdated federal anti-hacking law

The more than 30-year-old Computer Fraud and Abuse Act carries overly harsh penalties for trivial digital transgressions — and it needs to be completely overhauled (or abolished altogether).

Illustration by Alicia Tatone

(CFAA) is notorious for its failure to define what offenses it seeks to prohibit, namely unauthorized access or unauthorized damage to a computer. This is problematic because the CFAA is the US government’s for prosecuting computer hacking crimes. Defendants can face maximum sentences of 5 to 10 years (or 20 years if there is a prior CFAA conviction) depending on what part of the CFAA they violate, for crimes where there is little or no real harm.

Between 2011 and 2014, criminal CFAA prosecutions by the Department of Justice (DOJ) . Complicating matters is the fact that the CFAA is also a civil statute, and most of the , not criminal, where the burden of proof is lower and no one’s liberty is at stake. It is unclear why the DOJ does not prosecute the civil cases criminally. Most are potentially criminal as well, and between business entities, yet the DOJ has never brought a CFAA prosecution against any type of business entity.

Regardless, the resulting case law is a contradictory mishmash of statutory interpretations by federal courts across the country, much of it standing or normal computer use. The grants an inordinate amount of discretion to the DOJ to engage in politically-motivated prosecutions and allows civil litigants to clog court dockets with frivolous lawsuits. The CFAA is in serious .

The question of what constitutes authorization is controversial and subject to contradictory interpretations in federal courts nationwide. Among the questions courts have confronted is whether the definition of authorization should depend on whether a contract, such as an employment or terms-of-service agreement, has been breached, for example by lying about your age on a dating website. But this is arguably a criminalization of contract law. Other courts and commentators base authorization on agency law and a defendant’s relationship, employment or otherwise, to the computer owner, resulting in a scenario where a defendant can be convicted of hacking without breaching a system, such as in a password-sharing scenario. Lastly, some courts have considered limiting authorization to the circumvention of technical access barriers, such as an authentication protocol. These are difficult and complicated questions to which the CFAA provides no clear answers. Unfortunately, the current proposals for reform either do too little or do too much.

Origins of the anti-hacking law

The CFAA originated, appropriately, in 1984, before the internet existed as we know it today. Among other things, it prohibits two main categories of conduct:

  1. Accessing a computer without authorization, or exceeding authorization after having properly accessed a computer.
  2. Damaging a computer without authorization.

Nowhere in the CFAA is there a definition of authorization, and the federal courts nationally are divided on the issue. Damage is defined broadly as “any impairment to the integrity or availability of data, a program, a system, or information” and prosecutions for computer damage usually involve deleted files or . The question of damage gets murkier when you ask if the deletion of backup files constitutes CFAA damage, or if you can impair the “integrity” of a system by merely possessing a username and password to the system even if you don’t use it, as the government recently alleged in a filing in the Ninth Circuit Court of Appeals.

CFAA damage needs to be distinguished from CFAA loss, something that causes a great deal of understandable confusion for courts, lawyers, and commentators. Most people automatically think of “damages” in a legal case as a monetary figure. But under the CFAA, the notion of monetary damages is covered by its definition of “loss,” which includes any reasonable cost related to the computer intrusion. Such costs associated with “loss” include those incurred to investigate and restore a system, and those incurred from any interruption of service. The question of the definition of CFAA loss hasn’t gotten as much attention as the question of what constitutes authorization, but it is just as problematic and in need of reform since the murkiness of the definition invites Enron-style accounting. A civil litigant cannot maintain a private action against an individual until at least $5,000 in loss is established, and the $5,000 threshold is one way that the government establishes felony liability under the CFAA, by far one of the most contested issues in any CFAA case. On the criminal side, the higher the loss number, the higher a defendant’s potential sentencing exposure under the . On the civil side, it is usually used to bludgeon a defendant into a settlement.

Because the Federal Appeals Courts are divided as to what constitutes unauthorized access, the interpretation of the law may be different in one circuit than in another. When that happens, this is called a “circuit split.” The primary function of the US Supreme Court is to resolve circuit splits. Currently, there is a major circuit split when it comes to what constitutes unauthorized access to a computer under the CFAA.

To crudely summarize, four circuit courts of appeal (the Second, Fourth, Sixth, and Ninth) have held that a CFAA defendant’s actions are only “without authorization” when he has no right to take those actions under any circumstances (i.e., instances where authorization has been explicitly revoked or that involve circumventing technologically imposed restrictions) and cannot be based on a breach of contract such as violating a website’s Terms of Service. Two (the First and Seventh) have held that, in civil cases, a defendant’s authorization can depend upon his employer’s policies or his duty of loyalty. One (the Fifth) has held that a criminal defendant acts “without authorization” when he accesses information he is authorized to access but does so in furtherance of a violation of a separate criminal law. And only one (the Eleventh) has held that a defendant can be held criminally liable for violating his employer’s policy — however, only where he was specifically notified of criminal penalties for unauthorized access. The US Supreme Court has yet to rule on the issue.

This interpretive ambiguity has led to criticisms that the CFAA violates the Fifth Amendment's due process clause, which requires that a defendant be on notice that the actions they are engaging in are illegal and that a statute gives clear guidance to law enforcement to avoid arbitrary prosecutions. One of the primary complaints about the CFAA in the information security industry is that it criminalizes what many consider normal behavior, such as probing a publicly accessible server for vulnerabilities. And some DOJ CFAA prosecutions have alarming implications for all Americans, regardless of skill. For instance, Google searches that happen to take a computer user to an area of a website that the owner failed to secure could constitute criminal behavior in the eyes of the law. Indeed, the DOJ has prosecuted defendants for accessing and obtaining information from publicly facing servers with no password protection under the theory that it was done against the server owner’s wishes.

Government overreach

The DOJ has also used the CFAA to prosecute individuals whose activities were largely harmless, but whose views were politically unpalatable to the DOJ — even when the alleged “victims” did not want a criminal prosecution. This happened most notably in the prosecution of the computer innovator and activist Aaron Swartz. Mr. Swartz was prosecuted for downloading academic articles from a company called JSTOR, via a closet at the Massachusetts Institute of Technology (where hacking, at least in the US, was invented), under the theory that information should be free. But even though JSTOR didn’t believe he should be criminally prosecuted, the DOJ indicted Swartz.

Swartz’s suicide in the face of an egregious CFAA prosecution for essentially bulk downloading academic articles from a proprietary academic database brought calls for change. Part of what Swartz was accused of was violating the Terms of Service for the academic database, thereby making his access of it criminal.

A bill, known as “” was first introduced in Congress after his death in 2013, and then again in 2015. The bill went nowhere both times. It sensibly seeks to stop Terms of Service violations from qualifying as unauthorized access. However, the bill leaves the loss and damage provisions largely untouched, leaving an opening for both frivolous civil suits and draconian criminal prosecutions. The proposed changes are, however, far better than the “reforms” the Obama administration proposed, which would have resulted in an even harsher CFAA.

The most troubling aspect of the Obama administration’s 2015 is the attempt to turn violations of the CFAA into what is known as a RICO predicate act. This proposal is currently stalled, but the thinking behind it is troubling and indicative of the DOJ’s thinking on the issue. It would have the practical effect of imposing CFAA criminal liability on individuals associated with groups that commit computer crimes, even though that individual has no knowledge of the illegal activity. For instance, if you are part of a political activist group and administer the group’s social media accounts with others, you may find yourself being prosecuted by the mere fact that administering those accounts associates you with someone who engages in criminal activity without your knowledge. Expanding criminal liability under the CFAA in such a dramatic fashion will not only harm the interests of legitimate information security researchers and normal computer users but will chill political speech on the internet. Given the DOJ’s long, troubled, and of criminal activity against political groups it finds distasteful, this is not fanciful speculation.

To add insult to injury, the Obama administration’s proposal seeks to raise the maximum sentences under the CFAA dramatically. It should be rigorously opposed should it rear its ugly head again. Instead, the CFAA needs to be reformed in a manner that meets the concerns of legitimate computer researchers and users and prevents felony prosecutions for relatively harmless hacks, while at the same time providing law enforcement with the tools to prosecute computer crimes where the harm, or attempted harm, is real rather than fanciful hyperbole.

How to reform CFAA

First, the “loss” felony threshold is too low and needs to be revised. One of the ways that a CFAA hacking misdemeanor turns into a felony is if the value of information obtained, or the monetary loss that the computer intrusion causes, exceeds $5,000. As a practical matter, this threshold is extremely easy to meet, particularly when the “victim” is a large corporation, as is often the case. Large meetings are called, expensive forensics firms are hired, and often a lot of unnecessary work is performed, all of which is often poorly documented or in the worst cases “churned” to increase the bill. Most of the time a lot of the work involves the “victim” realizing that its information security is atrocious because it was viewed as an expensive hassle. The hacker who exposes the negligent information security, often by publicly disclosing it, usually foots the bill for this. Judges and juries tend to accept companies’ self-serving estimates of time and money expended, no matter how shoddy. I’ve seen spreadsheets with numerous blank entries, or filled with vague descriptions like “opportunity cost” or “good will” be offered by the government as proof of loss — even though those concepts were unrelated to any harm caused by the intrusion. In short, it is far too easy to meet the $5,000 felony threshold and this number needs to be dramatically raised to circumscribe the far too expansive criminal scope of the CFAA. A more practical number is $250,000. $5,000 still puts you in small claims court in New York State.

Second, there is a $5,000 threshold to bring a civil suit under the CFAA. This number should be raised as well, although perhaps not as high as the threshold for a felony prosecution. That’s because, if we have to live with a dual civil and criminal statute as poorly drafted as the CFAA, most of what is now prosecuted criminally should be civil. Rarely is there any other harm than monetary when it comes to hacking. This is not to say that monetary harm cannot be serious, or require criminal sanction, just that in most instances criminal sanctions are not warranted.

Consider the fact that every civil CFAA case is a potential criminal one. There are hundreds of civil CFAA cases between companies, and more will come since it has become a popular way for companies to attempt to enforce intellectual property rights and side step the more onerous burden of proof involved with bringing a trade secrets claim. It also allows companies to go after former employees who copy files on the way out the door (or after they’ve walked through the door). Yet the DOJ has never criminally prosecuted a company for a CFAA violation. The DOJ has only prosecuted individuals.

This is purely an exercise of prosecutorial discretion on the DOJ’s part. And the exercise of prosecutorial discretion is not a legal exercise, but a moral one. There is no statute that directs a prosecutor whether or not to bring a criminal case as long as the elements of the crime are met. But the implicit message from this DOJ morality play in not prosecuting companies for CFAA violations is that the harm in the civil cases is not worth criminal prosecution and is just as well handled civilly. Yet the monetary harms in CFAA civil cases are just as great, if not greater, than those in criminal CFAA cases. Thus, most of what is prosecuted criminally under the CFAA should not be allowed, since the matters should be dealt with in civil court, if at all.

Third, the definition of damage should be circumscribed to only include real damage to data, or its method of access, on a computer. Innocuous instances of an employee deleting their emails on the way out the door, or the deletion of backup data for which there are multiple readily available copies, should be eliminated from the scope of CFAA damage. Otherwise CFAA criminal liability can attach for simple acts, such as editing a Word document without permission, or turning off someone’s computer without permission, as both these acts can be read as constituting CFAA damage under a broad reading of the statute.

Finally, unauthorized access should be strictly construed to only include instances where a technical, code-based barrier to access is bypassed. Unauthorized access should not be based on agency, contractual, or any type of relationship between entities, individuals, or entities and individuals. This approach keeps debates in the courts over whether conduct was authorized from becoming mired in analysis of relationships developed in the physical world.

Additionally, there would be no risk of criminalizing password sharing, which is often done by Netflix and other streaming video subscribers. Although there are some instances where password sharing can lead to serious criminal and civil offenses, there are other provisions of the CFAA, such as the damage provisions, that provide for litigation against someone who harms a computer, as well as a number of other federal statutes dealing with identity theft, wire fraud, and the like, that are readily available to deal with any issues that may arise.

Tor Ekeland focuses on computer and business law, and on the increasing convergence of those two fields. He represents defendants charged with federal computer crimes in high profile cases nationwide.
