Last year, I posted about a recently-filed criminal prosecution in which the federal government was charging a state fraud scheme involving poker machines under the Computer Fraud and Abuse Act:
Andrew Nestor learned of a programming flaw in certain video poker machines used in Las Vegas. By using a certain feature and playing a particular combination, a person could trick the poker machine into paying out winnings at a higher rate than it should have. Nestor played the combination, and he was able to receive winnings that he was not entitled to have. At this stage, it sounds like a state law offense of theft or fraud. Nestor stole the money from the machine by fraud.
But was a federal crime committed, as opposed to a state crime? Federal prosecutors love to charge fraud cases under the wire fraud statute, 18 U.S.C. 1343, but that wouldn’t work here. Liability under the wire fraud statute requires a crossing of state lines, while here all the action occurred in a single room. So instead the government charged Nestor with a CFAA violation, and specifically 18 U.S.C. 1030(a)(4), which punishes “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”
Note that there is no longer a requirement of crossing state lines, as there is in the case of the wire fraud statute. Instead, the only federal hook is that the computer be a “protected computer.” But that’s really no federal hook at all: Protected computers are defined as any computers that can be regulated under the Commerce Clause power, which paired with Gonzales v. Raich seems to be any computers, period. So voila, there is federal jurisdiction over the state law crime because a computer is involved.
Of course, whether the government can use 1030(a)(4) to federalize state law fraud schemes involving computers depends on the legal interpretation of “accesses . . . without authorization, or exceeds authorized access,” which is the main issue involved in cases like United States v. Nosal, currently pending before the en banc Ninth Circuit. In the Nestor case, I assume DOJ’s view is that it is implicitly unauthorized to exploit a programming error in a computer in order to commit a fraud. I think this reading essentially reads “without authorization, or exceeds authorized access” out of the statute, and instead treats 1030(a)(4) as punishing fraud committed using any computer, period. But we’ll see what the district court does with the motion to dismiss in Nestor, which may in turn depend on what the en banc Ninth Circuit does in Nosal.
This morning, Magistrate Judge Johnston filed his report and recommendation in the case recommending that the indictment be dismissed for two reasons. First, according to Magistrate Judge Johnston, the video poker machines are not protected computers because there is insufficient evidence that the machines had an impact on interstate commerce:
In order to be classified as a “protected computer,” a computer must be used in or affect interstate or foreign commerce or communication. 18 U.S.C. § 1030(e)(2)(B). The Government argues that video poker machines affect interstate commerce because “[c]ustomers from all over the country travel to Nevada to play Las Vegas’ gaming machines.” Response (#68) at 5. This argument fails for two reasons. First, this supposed effect on interstate commerce only holds up in the aggregate. While it may be true that the entire Las Vegas gambling industry attracts customers from all over the country, the Government cannot show that individual video poker machines have such an effect on interstate commerce. Second, to follow the Government’s interpretation of the term “protected computer” would divorce the function of the device, i.e. logical, arithmetic, or storage functions, from its supposed effects on interstate commerce. Computers connected to the internet are “protected computers” because this part of their designed function allows them to engage in interstate commerce. Likewise, the function of the radio system in Mitra was to connect with a federally regulated channel of interstate commerce. While any individual computer connected to the internet, or the Mitra radio system, can instantaneously engage in interstate commerce, an individual video poker machine has no such connection to the wider world.
I have problems with broad theories of the Computer Fraud and Abuse Act, and especially its lack of statutory federalism limitations, but I think this position misunderstands the relevant law. As I pointed out in this post in 2009, the 2008 amendments to the definition of “protected computer” changed the scope of the protected computer in a critical way:
In 2008, Section 207 of the Former Vice President Protection Act, Pub.L. 110-326, expanded the definition of protected computer regulated by the statute to a computer that is “used in or affecting interstate or foreign commerce or communication” (new language in italics), and removed the requirement that information obtained had to be information that crossed state lines.
The switch from prohibiting conduct “in interstate commerce” to regulating conduct “affecting interstate commerce” is easy to overlook, but it turns out to be a critical change. When Congress uses the phrase “affecting interstate commerce,” that is generally understood to express Congress’s intent to regulate as far as the Commerce Clause will allow. See Russell v. United States, 471 U.S. 858, 849 (1985) (noting that prohibition regulating conduct “affecting interstate or foreign commerce” expresses “an intent by Congress to exercise its full power under the Commerce Clause”); Scarborough v. United States, 431 U.S. 563, 571 (1977) (“Congress is aware of the distinction between legislation limited to activities ‘in commerce’ and an assertion of its full Commerce Clause power so as to cover all activity substantially affecting interstate commerce.”). When Congress uses the jurisdictional hook of “affecting interstate commerce,” or its close cousin “affecting interstate or foreign commerce,” then the scope of the jurisdictional hook is generally understood to be defined by Commerce Clause jurisprudence.
But here’s the rub. Under Gonzales v. Raich, 545 U.S. 1 (2005), it seems awfully difficult to find any computer or any type of data that is actually beyond the scope of the federal commerce power. If you can aggregate the effect of all computers and all data, you’re going to identify a rational basis for identifying a substantial effect on interstate commerce. Maybe I’m just too much of a Commerce Clause pessimist — and if so, please let me know in the comment thread — but it seems to me that under Raich, if it’s a computer, it’s going to be a computer that Congress can regulate. See, e.g., United States v. Jeronimo-Bautista, 425 F.3d 1266 (10th Cir. 2005).
The end result: In the last two years, Congress has essentially gutted the idea of computer crimes that are beyond the reach of the federal government. If a computer is involved — any computer — it’s very likely to be a federal issue. The federal government can always decline to prosecute a case, and it can consider the fact that it’s just a local crime in the course of making that call. But that’s a matter of discretion, not law. For those of us who care about federalism, it’s a very sad state of affairs.
In light of this statutory change, Judge Johnston’s concern that the impact on interstate commerce “only holds up in the aggregate” misses the point. The only limit to the definition of “protected computer” is the Commerce Clause, and under Raich courts must consider the aggregate to determine the impact on interstate commerce. (Judge Johnston’s reliance on the Mitra precedent is problematic because Mitra was decided in 2005, three years before the statute was amended.)
Second, Magistrate Judge Johnston concludes that use of the video poker machines to win money by exploiting the programming error did not “exceed authorized access” under the Ninth Circuit’s recent en banc decision in United States v. Nosal, 676 F.3d 854 (9th Cir. 2012):
[W]hen playing ordinary, non-video poker at a casino there is an intermediary, namely the dealer, who is employed by the casino and who upholds and enforces the rules. When playing video poker, on the other hand, the rules are upheld and enforced by the gambling software itself. The Defendants argue that they could not have possibly exceeded their authorized access, because the bounds of their authorized access were defined by what the gaming software would allow. Any selections that would have exceeded that authorization should have been regulated by the software and made unavailable. The software is designed to regulate what selections are allowed and what results may be produced. Like the human casino employee, the software acts as the gatekeeper, stopping any unauthorized access in the event that a player tries to do something that falls outside the rules.
The Ninth Circuit’s most recent opinion interpreting the meaning of “exceeds authorized access” makes clear that the Government’s proposed interpretation of the statute in the present case is untenable. In U.S. v. Nosal, 676 F.3d 854 (9th Cir. 2012), the government argued that “exceeds authorized access” should “refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information.” The government in Nosal asserted that the word “so” in the definition of “exceeds authorized access” should be read to mean “in that manner,” which it claimed referred to use restrictions. Nosal, 676 F.3d at 857. Writing for the court, Chief Judge Kozinski stated that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” . . . .
Here, the Government has asserted that, although the Defendants were authorized to play the video poker machines and access information for that purpose, the way that they used the information exceeded their authorization. This argument is directly analogous to the government’s argument in Nosal and it fares no better here. As Nosal makes clear, the CFAA does not regulate the way individuals use the information which they are otherwise authorized to access. Here, the Defendants’ alleged actions did not exceed their authorized access.
I think this is a hard issue, and I find the question of exceeding authorized access trickier than the judge suggests. If you take seriously the notion that “the software acts as the gatekeeper,” then no one can ever violate the Computer Fraud and Abuse Act. That kind of reasoning leads to the bizarre result that if you can do it then it was necessarily authorized. On the other hand, the government’s reasoning in this case does seem to be the same reasoning that it relied on in Nosal. It’s also worth noting that in United States v. Morris, 926 F.2d 504 (2d Cir. 1991), the Second Circuit held that using a command to gain access in a way contrary to its “intended function” makes that access “without authorization.” The idea was that exploiting a security flaw to gain access is not authorized because computer programs are implicitly limited to their generally intended use. Does exploiting a programming error to obtain money a user is not entitled to obtain implicitly “exceed authorized access” under the rationale of Morris? Or is Morris limited to controls on access on a computer, whereas here the issue was not access to the computer but rather obtaining funds from it?
I find this a hard case, but my very tentative conclusion is that the court was right on this issue. The first reason is the text of 1030(a)(4). That text requires two different elements to be proven: first, access without authorization or exceeding authorized access, and second, that “by means of such conduct” the defendant “furthers the intended fraud and obtains anything of value.” It seems to me that the government’s theory in this case collapses the two elements: It treats the act of the fraud as implicitly exceeding authorized access. But that effectively reads the fraud requirement out of 1030(a)(4). Second, the notion of unauthorized access in 18 U.S.C. 1030 is focused on access to computers and access to data stored on them. Here the scheme was not to obtain data, but to obtain money: It was a fraud scheme, but not a scheme to trespass on to the machine or invade privacy. So on balance my tentative view is that the court was right on this issue, although I think it’s a tricky question.
UPDATE: For a related post, see this 2005 entry, Treating Machines Like People.