I have posted a draft new article online: Vagueness Challenges to the Computer Fraud and Abuse Act, forthcoming in a symposium issue of the Minnesota Law Review. Here’s the abstract:

This Article argues that the void for vagueness doctrine requires courts to adopt narrow interpretations of the Computer Fraud and Abuse Act. On its face, the CFAA has become extraordinarily broad. Recent amendments indicate that Congress has largely abandoned the job of identifying what conduct involving computers should or should not be a federal crime. Congress has broadened the statute so far that the courts must now narrowly construe the statute to save its constitutionality. 

This Article demonstrates how courts should narrowly construe the statute under the void for vagueness doctrine by focusing on two recent criminal prosecutions: United States v. Drew, which considered whether Terms of Service violations trigger CFAA liability, and United States v. Nosal, which asked whether it violates the CFAA for employees to access their employers’ computers in ways contrary to their employers’ interests. These two prosecutions show the critical role of vagueness doctrine in interpreting the CFAA, pointing to a future of judicial narrowing of the statute.

As you might guess from the abstract, the draft article builds on the basic arguments I used in the Lori Drew case. This article presents the broader context of the problem and the important role of the vagueness doctrine in construing the statute. (Unfortunately, the article will be published before the Supreme Court hands down the trio of vagueness cases presently on its docket; I suspect those decisions may give a considerable boost to the claims I make here.) 

To download the article, click on the link above and then click on “download” and then hit the SSRN button.

Categories: Computer Fraud and Abuse Act    

    17 Comments

    1. Chris Travers says:

      Prof. Kerr.

      IANAL so I am probably missing something important, but didn’t Judge Wu’s order suggest that the vagueness analysis would have been very different if Drew was convicted of the felony counts? I almost read it as “the felony accounts had sufficient scienter requirements to avoid vagueness, but the included misdemeanor charges did not.”

      Is this understanding wrong? Is Judge Wu wrong?

    2. troll_dc2 says:

      Prof. Kerr, you can say that Congress should be more specific, but how can it anticipate the misdeeds that a clever person will engage in using new technology? Take “United States v. Nosal, which asked whether it violates the CFAA for employees to access their employers’ computers in ways contrary to their employers’ interests.” There are vagueness issues all over the place, I agree, but how would you word a statute that gets at the things that ought to be gotten at with sufficient specificity, without going beyond that point?

      [OK Chimes In: Congress passed exactly that law in 1996, actually. It is called the Economic Espionage Act, 18 U.S.C. 1831–38, and it prohibits theft of trade secrets. DOJ charged that crime along with the CFAA in the Nosal case; I gather their goal in adding the CFAA charge was to have an extra count just in case something else fell through. In any event, the fact that Congress actually did pass a statute in 1996 addressing that exact kind of conduct suggests that this isn’t so hard.]

    3. Mark N. says:

      This broad line of attack has been chugging along as a gripe about the CFAA for quite some time, so it’s interesting to see it getting legal traction. In tech circles, it’s been widely viewed as overbroad, vague, and arbitrarily enforced at least since the late 1980s. In fact, CFAA overbreadth, especially the Steve Jackson Games raid, and subsequent harassment of hundreds of programmers (including folks at respectable business-software houses like Lotus) who were questioned for their links to “hacking groups”, is one of the main reasons the EFF was formed. For a generation of tech folks, Bruce Sterling’s Hacker Crackdown (1992), generally unsympathetic to law enforcement, is where people got their first look at computer-crime law.

      More recently, there’s I think a general feeling that a bunch of things have been bunched together under the heading of “computer crime” in an arbitrary fashion that includes plenty of things that ought to be not only legal but encouraged. In particular, the old tradition of reverse engineering—taking apart your radio to figure out how it works—seems to be under assault by CFAA-like laws, as anyone who peeks inside things to see how they work is under increasing threat of being labeled a “hacker”, depending on how you squint and whether you can pull up enough fuzzy character evidence to make them look like scary loners.

    4. Orin Kerr says:

      Chris Travers writes:

      IANAL so I am probably missing something important, but didn’t Judge Wu’s order suggest that the vagueness analysis would have been very different if Drew was convicted of the felony counts? I almost read it as “the felony accounts had sufficient scienter requirements to avoid vagueness, but the included misdemeanor charges did not.”
      Is this understanding wrong? Is Judge Wu wrong?

      Excellent question. I don’t like criticizing an opinion that ruled in my favor, but now that the case is over — and importantly, with my professor’s hat on — I think Judge Wu was wrong about that. His suggestion that it would have made a difference doesn’t work because the legal question before him was how to construe “authorization.” That phrase must have the same meaning regardless of whether you’re talking about the misdemeanor or the felony.

      This was a significant problem with Judge Wu’s opinion. He first concludes that the statute should be construed broadly because he can’t think of a reason to construe authorization narrowly. He then says that the statute is unconstitutional if construed broadly. But he didn’t strike down the statute as unconstitutional — rather, he only held that the motion to dismiss for lack of evidence should be granted. His opinion doesn’t tie the various strands together correctly, I think: It doesn’t fully grapple with the fact that vagueness doctrine requires narrow judicial construction. 

      As for why Judge Wu suggested that it would be a different case with the felony enhancement, note that Judge Wu had denied the motions to dismiss on the same arguments several months earlier when the government had charged the felony. He had also rejected the defense’s narrow jury instructions back when the felony charge was pending. By suggesting that it is a different case with or without the felony, Wu was indicating his view that he was right both times and that his views were consistent.

      Maybe my view is quirky, but I don’t think that position really works. To get there, you need to construe the word “authorization” as having two distinct meanings depending on whether the jury is considering the misdemeanor or the felony. How would you give that to a jury if the jury has both charges before it as a lesser included offense? Do you have one instruction of “authorization” for a misdemeanor and another for a felony? I don’t think you can do that; the term has a legal meaning one way or the other, and the question before Judge Wu was whether there was sufficient evidence based on whatever the statute means. That’s my take, at least.

    5. David Schwartz says:

      troll_dc2: Prof. Kerr, you can say that Congress should be more specific, but how can it anticipate the misdeeds that a clever person will engage in using new technology?

      It can’t. However, if it tries to do so, it will wind up prohibiting lots of non-misdeeds that clever people will engage in. I believe the better trade-off is to avoid prohibiting legitimate conduct and wait until there are misdeeds to prohibit rather than trying to prospectively forecast every bad thing a person might do. Laws will necessarily be vague and have chilling effects if even the people drafting them don’t know what they’re supposed to prohibit!

      This applies especially in these cases where the government is trying to prohibit misdeeds that can only occur in the context of a contract. Private parties are in a better position to anticipate what conduct should be prohibited in the context of that contract and what the punishments should be. Criminal sanctions are not fundamentally required to discourage the conduct.

      [OK Chimes in: See my comment to Troll above. Not only can it, it has already.]

    6. Chris Travers says:

      Prof. Kerr:

      I must be missing something in Wu’s order because my understanding of what Wu was saying was substantially different. Really what I saw Wu as saying is that authorization must be broadly interpreted (reasonable, given that, with sufficient notice that a given individual is unwelcome on a server, it may be possible to suggest unauthorized access) but that this would be so broad that one must have some scienter requirement sufficient to abate the vagueness.

      Presumably if MySpace had been aware of the issue earlier and taken sufficiently clear steps to exclude Drew from continued access to the service, which Drew would have either wilfully ignored or taken steps to get around, Wu might have felt differently even for a misdemeanor charge.

      Is this different than how you are reading it?

    7. Chris Travers says:

      Mark N.: More recently, there’s I think a general feeling that a bunch of things have been bunched together under the heading of “computer crime” in an arbitrary fashion that includes plenty of things that ought to be not only legal but encouraged. In particular, the old tradition of reverse engineering—taking apart your radio to figure out how it works—seems to be under assault by CFAA-like laws, as anyone who peeks inside things to see how they work is under increasing threat of being labeled a “hacker”, depending on how you squint and whether you can pull up enough fuzzy character evidence to make them look like scary loners. 

      How so? Even the extremely poorly considered portions of the DMCA don’t go that far.

    8. Chris Travers says:

      troll_dc2: Prof. Kerr, you can say that Congress should be more specific, but how can it anticipate the misdeeds that a clever person will engage in using new technology? Take “United States v. Nosal, which asked whether it violates the CFAA for employees to access their employers’ computers in ways contrary to their employers’ interests.” There are vagueness issues all over the place, I agree, but how would you word a statute that gets at the things that ought to be gotten at with sufficient specificity, without going beyond that point? 

      Well, you can outlaw behavior in a technologically neutral fashion. Last I checked if I invent a phased plasma gun and kill someone with it, murder statutes don’t care whether it is new technology or not.

      You are overthinking the problem. (I do wonder whether the EEA that Orin cites has similar vagueness issues around what constitutes a trade secret. As a person of at least average intelligence, I would be surprised if it were interpreted to ban any sort of reverse engineering or similarly legitimate attempts to obtain information from products lawfully obtained.)

    9. Chris Travers says:

      Question for Prof. Kerr:

      Do you think it is possible to criminally violate the CFAA without circumventing technological access control mechanisms? Or in your view would it be entirely limited to circumvention of access control mechanisms?

    11. Ken Arromdee says:

      As a person of at least average intelligence, I would be surprised if it were interpreted to ban any sort of reverse engineering or similarly legitimate attempts to obtain information from products lawfully obtained.

      I would not be surprised at all. Companies tend not to like customers reverse-engineering their products and have a tendency to sue them (or get the government to prosecute them) based on flimsy pretexts. A law which can be interpreted to ban reverse-engineering, but only with a farfetched interpretation, can be a serious problem since those companies can use it.

    12. Chris Travers says:

      Ken:

      What is a trade secret? What is improperly obtaining a trade secret? I would expect that it would be well settled that reverse engineering involves neither.

      You have a point in that law suits could get filed and might get past a dismissal motion, and these end up being threats against smaller businesses whether they are won or lost. But that is unfortunately a separate issue and one which less can be done about.

      For example, allegations of improperly obtaining trade secrets might create enough uncertainty to require at least discovery as to whether legitimate reverse engineering was the source of the information. As I say, though, this is a different problem.

    14. Chris Travers says:

      Prof. Kerr:

      As a software engineer, I am going to explain why I think that Judge Wu’s position can be relatively defensible from a vagueness perspective. I don’t expect to change your mind, but it might give you some things to think about.

      One of my competitors (who is a laughingstock regarding competence at coding security controls for reasons that will become obvious) used to have an email contact form on his web site. The contact form was more or less just running formmail from Matt’s Scripting Archive (a collection of Perl scripts with a very dubious security reputation). The email form would accept information about who the email was going to, etc. and then forward it on appropriately. In normal operation, this exchange would be hidden from the user, but the program fundamentally could not differentiate between material it sent the browser and material invented by the user. In essence, despite the fact that there was no ability to use the form in normal workflows to email random people, the program had no effective code-based controls for preventing such abuse of the software.

      Under almost any definition of “authorization” under the CFAA, then, a random person forwarding spam through his formmail installation would be authorized and outside of the reach of the CFAA (unless agency theory is involved but I don’t think one can necessarily apply that outside of an employer/employee relationship).

      After this became a problem, my competitor added a code-based control to stop the use of his system for relaying spam. Under a code-based view of “authorization” then the CFAA might kick in where jurisdiction was held by US courts.

      So much for theory. The code-based control worked as follows: The web server sent out an HTML page consisting of a hidden input and a visible input. The visible input had no data to start with and the hidden input had a key. When the form was submitted the email would be sent only if the two matched. Sounds simple enough. It effectively controls access to the emailer.

      However, the original automated scripts for emailing spam would be entirely unaffected by this because they would submit neither the hidden input nor the visible input. Consequently they would match and the email would be forwarded with no modifications necessary to circumvent the code-based controls and no knowledge that the code-based controls were added on the part of the spammer. I know this because I know of non-US persons who ran tests and were able to send themselves emails through his web page.

      The problem if you see “authorization” as a simple matter of code-based access control is that it would become suddenly possible to inadvertently violate the CFAA if a code-based control was added which was ineffective against some forms of abuse. Creating a standard where the court allows a defence regarding how ineffective the code-based controls are seems problematic regarding the general purpose of the act. At the same time, allowing patently ineffective controls to designate crimes creates the very problem that vagueness doctrine was designed to prevent: it makes it possible and even likely that individuals will inadvertently commit crimes with no knowledge that what they are doing is illegal.

      The approach Judge Wu took solves this problem. Whether or not it creates other more serious problems is an open question. By reading authorization broadly but requiring specific knowledge that what one was doing was a violation under the CFAA, it prevents the case where a code-based access control measure might be accidentally circumvented because it was designed by an idiot. Unfortunately I wouldn’t base my analysis on the assumption that access control measures will function as designed. They do in some cases, but there are a lot more idiot software developers out there than one might think.

      What Judge Wu seems to require by my reading are:
      1) An unauthorized use of a computer system, broadly defined
      2) Proper and sufficient notice to the user that such use was unauthorized.
      3) That the notice must be sufficiently clear to avoid vagueness issues in enforcement.

      I think this is reasonable. I am interested in your critique.

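The failure mode Chris Travers describes in the comment above, a “do the two fields match” check that is satisfied when a client submits neither field, is easy to reproduce and easy to close. The following is an added Python example, not code from the post, from formmail, or from the competitor’s site. It models a form submission as a dict, assumes (as the comment describes) that the original control was a plain equality test on the hidden and visible inputs, and sets a hypothetical `TokenGate` class beside it that fails closed on absent or empty fields and only honours tokens the server itself issued. The three sample submissions are constructed, not captured traffic.

```python
import hmac
import secrets

# Constructed sample submissions (not captured traffic), modelled on the comment:
# a real browser submits both fields with the same value; the old spam scripts,
# written before the check existed, submit neither; a variant submits both empty.
BROWSER_SUBMISSION = {
    "recipient": "owner@example.test", "message": "hello",
    "token_hidden": "abc123", "token_visible": "abc123",
}
OLD_SCRIPT_SUBMISSION = {"recipient": "victim@example.test", "message": "spam"}
EMPTY_FIELDS_SUBMISSION = {
    "recipient": "victim@example.test", "message": "spam",
    "token_hidden": "", "token_visible": "",
}


def naive_should_send(form):
    """The control as the comment describes it: send only if the hidden and
    visible inputs match.  Assumption: a plain equality test on the two values.
    dict.get() returns None for an absent field, so None == None passes, and
    "" == "" passes too; the check never asks whether a token was presented."""
    return form.get("token_hidden") == form.get("token_visible")


class TokenGate:
    """Hypothetical hardened replacement: the server issues a random one-time
    token when it renders the form and honours a submission only if that exact
    token comes back in both fields.  Absent or empty fields fail closed."""

    def __init__(self):
        self._issued = set()

    def issue(self):
        token = secrets.token_urlsafe(16)
        self._issued.add(token)
        return token

    def should_send(self, form):
        hidden = form.get("token_hidden")
        visible = form.get("token_visible")
        if not hidden or not visible:
            return False  # missing or empty: the client never rendered the form
        if not hmac.compare_digest(hidden.encode(), visible.encode()):
            return False  # both present but they do not match
        if hidden not in self._issued:
            return False  # not a token this server handed out
        self._issued.discard(hidden)  # single use, so a captured token cannot be replayed
        return True


def demo():
    """Run the sample submissions through both checks; returns the verdicts."""
    gate = TokenGate()
    token = gate.issue()
    genuine = dict(BROWSER_SUBMISSION, token_hidden=token, token_visible=token)
    return {
        "naive": [naive_should_send(f) for f in
                  (BROWSER_SUBMISSION, OLD_SCRIPT_SUBMISSION, EMPTY_FIELDS_SUBMISSION)],
        "hardened": [gate.should_send(f) for f in
                     (genuine, OLD_SCRIPT_SUBMISSION, EMPTY_FIELDS_SUBMISSION)],
    }


if __name__ == "__main__":
    print(demo())
```

The naive check returns True for all three submissions, including the two that never saw the form, which is exactly the "control that is ineffective against some forms of abuse" the comment worries about. The hardened version accepts only the genuine submission: the design point is that an access control must assert a positive fact (a server-issued token was presented, once) rather than merely test two client-supplied values for consistency with each other.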
    15. David Schwartz says:

      Chris Travers:
      Well, you can outlaw behavior in a technologically neutral fashion. Last I checked if I invent a phased plasma gun and kill someone with it, murder statutes don’t care whether it is new technology or not.

      But that’s only because the phased plasma gun still causes death in much the same way. Really new technology creates different kinds of questions. It’s not just a new way to do the same thing, it’s a new way to do something that may or may not be the same thing depending on how you look at it.

    16. Orin Kerr says:

      Chris,

      I don’t think that’s what Judge Wu was thinking. He was reasoning that if the only crime out there was “unauthorized access with the intent of furthering some other crime,” then it would not render that crime void for vagueness to construe lack of authorization as including TOS violations. The extra requirement of “intent to further some other crime” sharply limits the circumstances in which the crime would apply, avoiding the vagueness problem.

      This doesn’t work because it would make the misdemeanor “unauthorized access” crime — that is, the lesser included offense that does not require the extra intent — unconstitutional. Judge Wu would have to then strike the language from Section 1030 (or just rewrite the statute) to eliminate the misdemeanor while retaining the felony. He didn’t do that, though: He held that there was insufficient evidence of guilt based on a proper reading of “authorization.” And that statutory reading has to be the same whether it’s a misdemeanor or a felony.

    17. Jeff Walden says:

      At the top of page 4:

      In United States v. Nosal, the government argued that an employer who accesses an employers’ computer with illicit motives to hurt the employer accesses that computer without authorization. 

      I think you meant the first “employer” to be “employee”. Perhaps you’ve seen and corrected this already, but better to point out redundantly than to miss entirely.