Archive for the ‘Computer Fraud and Abuse Act’ Category

I’ve blogged a lot about the Ninth Circuit’s en banc case in United States v. Nosal, on the scope of the Computer Fraud and Abuse Act — and more specifically, on whether it’s a federal crime to violate an express written restriction on using a computer. You can watch last Thursday’s oral argument in the case here:

Chief Judge Kozinski presided, and he seemed pretty clearly on the side that I’ve been advocating here at the blog, in the Drew case, in my recent testimony, and in my law review articles. I was very pleased to see that, although I wasn’t surprised in light of Judge Kozinski’s libertarian streak. At the same time, I don’t think we have enough information to count votes accurately, as only about four judges spoke in ways that might have indicated their views (two for Nosal, two for the United States, I believe). I’m cautiously optimistic, but we’ll have to see how the votes shake out in the end.

I’ll hide my more detailed reactions below the break for the handful of CFAA nerds in the VC readership.


Law.com has reprinted this helpful story on the Ninth Circuit en banc arguments to be held later this week in United States v. Nosal.

In a recently-filed amicus brief submitted by Oracle America Inc. before the en banc Ninth Circuit in United States v. Nosal, the important Computer Fraud and Abuse Act case I have blogged a lot about, Oracle makes the following argument about interpreting “access” and “authorization” in the context of the CFAA. The CFAA’s prohibition on exceeding authorized access and access without authorization is modeled on trespass principles, the brief reasons, so the scope of the CFAA should be interpreted by reference to the trespass principles articulated in the Restatement (Second) of Torts. According to the Oracle brief, this means that (a) computer owners can condition access to their computers using express restrictions like Terms of Service, but (b) express restrictions are only enforceable in some circumstances. The brief summarizes when express restrictions can be enforced under the tort of trespass as follows:

[Whether a written access restriction can be enforced by trespass law is a] fact-dependent conclusion drawn from the totality of the circumstances, and “it may be manifested by action or inaction and need not be communicated to the actor.” [Restatement (Second) Torts § 892(1) (1979).] see id. § 892 cmt. c. Accordingly, courts sometimes find that a written or posted access restriction has been overridden or lifted.

This common-law principle takes several forms. One is the doctrine of apparent or implied consent; another is estoppel or waiver. Courts are suspicious of posted access restrictions that by their terms apply to everyone but that in fact have been selectively enforced “against some members of the public as opposed to others”; when the signals conflict, courts may find a posted restriction ineffective. Winn, The Guilty Eye, 62 Bus. Law. at 1424. Similarly, a property owner who knowingly acquiesces in a person’s course of access may waive the right to call it a trespass. See id.; see also 75 Am. Jur. 2d, Trespass § 67 (estoppel defense). When an owner has “actual knowledge” of repeated trespasses, the owner’s “habitual acquiescence … may constitute a license for persons to enter the land, if the tolerance is so pronounced as to be tantamount to permission.” 75 Am. Jur. 2d, Trespass § 73. Community custom is especially relevant in determining apparent consent. See Restatement (Second) Torts § 892 cmt. d; cf. McKee v. Gratz, 260 U.S. 127, 136 (1922) (“A license may be implied from the habits of the country.”). Above all, commonsense and reasonableness are the guides, as they are with all totality-of-the-circumstances inquiries.

Like other established doctrines of the common law of trespass, the reasonable approach to judging posted access restrictions applies to the CFAA. And it easily answers Nosal’s policy concerns. If, as Nosal posits, it is well known that millions of employees and Internet users actually violate posted restrictions on computer and information access every day, chances are good that those restrictions are not bona fide.

I considered this argument when I was writing my Cybercrime’s Scope article in 2003, but I concluded that it’s not persuasive. The problem is that the principles of interpreting common law torts are pretty different from the principles of interpreting criminal law statutes. The CFAA is a criminal statute: Although Congress later added some civil remedies to it, the statute is primarily a criminal statute and its basic prohibitions need to be interpreted accordingly. So while it’s true that the CFAA harnesses the basic concept of a trespass, I don’t see a good reason to adopt the details of the trespass tort when interpreting the CFAA.

The void for vagueness doctrine demonstrates the problem. The scope of common law tort liability is not subject to vagueness challenges. As a result, the scope of common law tort liability can be quite unclear. That’s fine in the tort context: It’s not a big deal if a person who may be trespassing isn’t entirely sure whether the posted notice is enforceable. But the void for vagueness doctrine requires at least some degree of clarity in the criminal context. Hinging criminal liability on whether the term of service violated is one that is violated as a “habit[] of the country” and for which there is “habitual acquiescence” is just too unclear. No one really knows how that would be applied.

The difference between trespass onto physical land and access into a computer is a significant part of the problem. In the case of a physical trespass, we can get a sense of social norms by observing what notices are enforced. We know where we are on physical land, and we can only be in one place at a time. We visually observe enforcement, and we visually observe if notices are ignored. But it’s hard to obtain knowledge as to how seriously a particular computer provider takes each provision in its Terms of Service. Users generally can’t know which Terms are meant to be taken seriously and which aren’t. Plus, a computer user might be accessing several different computers at the same time. Users don’t have obvious ways of determining which of the dozens or even hundreds of written restrictions that might apply to them at any given time are really intended to be taken seriously. How does a computer user know which terms are violated as a “habit of the country”?


Senator Leahy recently proposed an amendment to the Computer Fraud and Abuse Act to try to address the overbreadth concerns that I and others have raised about the current statute, and particularly DOJ’s controversial view that the statute presently allows the government to prosecute computer users for TOS violations. I wanted to blog my thoughts on Leahy’s proposed amendment. My basic take is that Leahy’s proposal is such a modest step that it doesn’t solve the problem it aims to solve. Its language appears to still allow DOJ to prosecute TOS violations, including the theory of the Lori Drew case that the statutory fixes are all designed to stop. For those reasons, explained in detail below, I can’t support the Leahy Amendment. Instead I continue to support the Grassley/Franken amendment.


I. Introduction and the Leahy Amendment

First, some context, for those who are new to this debate or unfamiliar with the Leahy proposal. At its broadest, the CFAA prohibits exceeding authorized access to a computer and obtaining information. See 18 U.S.C. 1030(a)(2). This is overbroad for two related reasons: First, “exceeding authorized access” might mean anything, including violating TOS; and second, the statute applies to obtaining any kind of information, not just sensitive information, so it would include any kind of TOS violations, no matter how arbitrary or silly. As I explain in my House testimony, there are two basic ways to fix the overbreadth problems. First, you could limit the definition of “exceeds authorized access,” so it excludes TOS violations; and second, you could limit the kinds of information that could be obtained so that it only applies to violations involving particularly sensitive information.

The Grassley/Franken amendment agreed to by the Senate Judiciary Committee a few weeks ago was based on the first strategy; it amends the definition of “exceeds authorized access” to exclude TOS violations. Senator Leahy’s proposal is based on the second strategy, limiting the kind of information obtained. I have heard that Leahy’s proposal was based loosely on my blog post here in September, in which I suggested that you could amend the information obtained under the “exceeds authorized access” prong to the following categories of information:

(a) Information with a value of more than $5,000;
(b) sensitive or private information involving an identifiable individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, or photographs of a sensitive or private nature;
(c) information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954.

That brings us to Senator Leahy’s proposal. Leahy’s proposal would rewrite 1030(a)(2) so that it punishes whoever:

Intentionally accesses a computer —

(A) without authorization, and thereby obtains—
(i) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(ii) information from any department or agency of the United States; or
(iii) information from any protected computer;

or

(B) in excess of authorization, thereby obtains—
(i) information defined in subparagraph (A) (i) through (iii); and
(ii) the offense involves
(I) information that exceeds $5,000 in value;
(II) sensitive or private information involving an identifiable individual or entity (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, government-issued identification numbers, unique biometric data, financial records, photographs of a sensitive or private nature, trade secrets, commercial business information, or other similar information;
(III) information that has been properly classified by the United States Government pursuant to an Executive Order or statute, or determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national security, national defense, or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954; or
(IV) information obtained from a computer used by, or on behalf of a government entity.

The basic strategy here is as follows. First, the proposal leaves the current 1030(a)(2) in place for violations involving “access without authorization,” so that any information is covered when access was without authorization. (As an aside, note that the statute is written in a redundant fashion for mostly historical reasons; because any information in categories i and ii is already part of iii, it’s iii — “information from a protected computer” — that really matters. I have no idea why they don’t modernize the language and just eliminate all the gibberish about financial records and the Fair Credit Reporting Act, but at least the extra gibberish is harmless in practice.)

Second, the proposal rewrites 1030(a)(2) for violations involving “exceeding authorized access,” but it makes only one change: The offense has to somehow “involve” one of the listed categories of information. The listed categories of information start with the ones I proposed in my blog post, but then add the following:

1) government-issued identification numbers,
2) unique biometric data,
3) financial records,
4) trade secrets,
5) commercial business information,
6) other similar information;
7) information obtained from a computer used by, or on behalf of a government entity.

II. My Two Objections to the Leahy Amendment

I think there are two major problems with Senator Leahy’s amendment: first, the overbreadth of the information that qualifies; and second, the use of “involves” information rather than “obtains” information.

(a) The Overbreadth of the Categories of Information. The first major problem with the Leahy amendment is that the categories of information listed are incredibly broad. Unfortunately, the language is so broad that it wouldn’t substantially limit DOJ’s ability to prosecute exactly the kinds of Terms of Service cases that everyone is worried about. That means that the Leahy amendment has the form of a “fix,” but in practice would simply endorse TOS prosecutions in a remarkably wide range of cases.

This is particularly clear in the case of TOS set up by businesses. DOJ could still prosecute TOS violations involving most businesses because violating a TOS with a business will almost always involve some kind of business information. Consider a fact-pattern from an actual CFAA civil case. Say I run a business and I have information about products on my website; I then set up a Term of Use saying that no competitors are allowed to visit my website. As I read the Leahy proposal, it is still a CFAA violation if the competitor violates the Term of Use. After all, the competitor violated the Term of Use and then obtained “commercial business information,” that is, information about the company’s products.

For that matter, I think Leahy’s amendment would endorse DOJ’s prosecution of Lori Drew. Drew helped set up a fake myspace account to try to contact her daughter’s friend with the goal of finding out what the friend was saying about her daughter; Drew helped violate the Terms of Service which said all profile information has to be accurate. As I read Leahy’s amendment, it would support the DOJ’s prosecution in that case: Drew violated the TOS in the course of obtaining personal information about her daughter held by the daughter’s friend. (To be clear, this is partly a problem with my own proposal for how to fix 1030(a)(2); now that I think about it, my own proposed language was too broad.)

Some of the other categories of information are particularly strange. Take the “trade secrets” provision. Not long ago, Congress worked hard to pass an entirely different statute on the theft of trade secrets, 18 U.S.C. 1832. Congress crafted that statute carefully, requiring intent to convert the trade secret. Including trade secrets in 1030(a)(2) just because they are trade secrets would reduce Section 1832 to a nullity, effectively allowing DOJ to prosecute theft of trade secrets without ever having to prove intent to convert the trade secret — the very element Congress went out of its way to require in passing Section 1832. If Congress wants to expand Section 1832, it should do it directly, but it seems strange to use the CFAA as a quiet way to dramatically expand the theft of trade secrets statute.

The category of “other similar information” is even more puzzling. Similar how? To what? In what way? It’s hard to know what that is supposed to mean.

And further, why does the amendment treat information from government computers as somehow special? If the law is going to carve out categories of particularly sensitive information, it’s not clear to me why information stored on a government computer (which would include public websites like whitehouse.gov) is inherently private or sensitive.

For all these reasons, I think the categories of information listed in the Leahy amendment are far too broad. They wouldn’t really limit DOJ’s power to prosecute Terms of Service violations.

(b) What Does it Mean to “Involve” Information? The second major problem with the Leahy amendment is that it still extends to obtaining any information, and merely requires that the offense somehow “involve” one of the new categories of listed information. That strikes me as at best tremendously vague and at worst terribly overbroad. What does it mean for an offense to merely “involve” a type of information, when that information is not the information actually obtained by the offense? How far removed from the actual information obtained can the information be while still being “involved” in the offense? I don’t know, but it seems to me that DOJ could plausibly interpret that language so broadly that it reduces the amendment to a nullity.

To see why, imagine a guy sets up a Match.com profile and fills it with information about himself. When asked to enter in his age, he says he is 32 years old when he is really 33. After setting up the profile, he stops. In such a case, he didn’t use the service to obtain any sensitive information of anyone else. But presumably his conduct “involved” private information belonging to an identifiable individual — namely, himself. More broadly, it’s hard to know when an offense “involves” information that is one of the sensitive categories of information; I don’t think I know what that means. And when you pair it with some of the other ambiguous language in the statute, the ambiguity is magnified: A statute that says it is a crime to exceed authorized access to a computer when the conduct “involves . . . similar information” is a statute with considerable vagueness problems in need of a clean-up.

III. Conclusion

To be clear, I think the Leahy proposal starts with a fair approach: The basic concept of limiting the CFAA by limiting the information obtained in 1030(a)(2) is sensible. But the categories of information in this particular proposal are too broad, and the limitation that the offense must merely “involve” such a category is too vague, for me to support it. I think the Grassley/Franken approach is much better, and I hope the Senate sticks with that approach rather than adopting the Leahy approach.

The scope of the CFAA has been drawing some significant press attention today. Eric Felten takes on the issue in the Wall Street Journal; Judson Berger does so over at Fox News. I’ll be on NPR’s All Things Considered this weekend discussing the same issue.

I testified yesterday at a House Judiciary Committee hearing that focused in part on the need to narrow the Computer Fraud and Abuse Act, a drum I’ve been beating since 2003. You can watch the video of the hearing here; the CFAA parts were discussed mostly in the opening statements and in the last 15 minutes. For press coverage of the hearing, some of which focuses on my testimony, see Wired News, CBS News, Main Justice, The Register, and Talking Points Memo.

I thought the hearing went relatively well for those of us who believe the CFAA must be narrowed. There were only a handful of Representatives at the hearing at any given time, and at times the only members present were Mr. Gohmert (Vice Chairman of the subcommittee) and Mr. Scott (the ranking minority member). Further, most of the hearing considered other questions in the area of cybersecurity. So any conclusions must be tentative. But in the last 15 minutes or so of the hearing, Gohmert and Scott turned to the CFAA question, and both indicated their view that the CFAA needs to be narrowed so that it doesn’t apply to innocent conduct like TOS violations. I was also interested to see that the other witnesses seemed to agree that there was a problem with the overbreadth of the statute — the disagreement was only on what to do about it. It was only a hearing, and only a few members were present, but I’m cautiously optimistic.

Perhaps the most promising sign is that after the hearing, DOJ struck a conciliatory note in response to press inquiries on its position. DOJ’s written testimony submitted before the hearing defended a very broad reading of the CFAA, and it expressed the view that it was important to be able to prosecute Terms of Service violations. That drew a lot of negative press stories, and raised eyebrows at the hearing. After the hearing, however, DOJ spokeswoman Alisa Finelli offered a Politico reporter what sounds to me like a different position:

“The only court to rule on this issue [whether TOS violations violate the CFAA] ruled that it was not a violation of the law. The Department did not appeal this decision, and it has not brought a similar case since,” said DOJ spokeswoman Alisa Finelli. “We understand the concern that is motivating these criticisms of the statute, and we are willing to work with Congress on legislative proposals in this area.”

Finelli characterized Downing’s testimony as meaning that “it is not a ‘DOJ position’ that such conduct would violate the Computer Fraud and Abuse Act.”

As I commented in the Politico story, Finelli’s comment leaves me unclear as to what DOJ’s position is: I don’t see how it’s consistent with DOJ’s written testimony. But if DOJ’s opposition has softened, that is very good news.

Tomorrow morning at 10am, I will be testifying before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security about the need to narrow the Computer Fraud and Abuse Act. I have submitted my written testimony, and it is available here. It begins:

The current version of the Computer Fraud and Abuse Act (CFAA) poses a threat to the civil liberties of the millions of Americans who use computers and the Internet. As interpreted by the Justice Department, many if not most computer users violate the CFAA on a regular basis. Any of them could face arrest and criminal prosecution.

In the Justice Department’s view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable. Routine computer use should not be a crime. Any cybersecurity legislation that this Congress passes should reject the extraordinarily broad interpretations endorsed by the United States Department of Justice.

In my testimony, I want to explain why the CFAA presents a significant threat to civil liberties. I want to then offer two narrow and simple ways to amend the CFAA to respond to these problems. I will conclude by responding to arguments I anticipate the Justice Department officials might make in defense of the current statute.

The three other witnesses appearing at the hearing will be James Baker, the Associate Deputy Attorney General; my old friend and colleague Richard Downing, a Deputy Chief of the Computer Crime and Intellectual Property Section at DOJ; and Michael Chertoff, the former Secretary of Homeland Security. For those interested in attending, the hearing will be at 10 am in Room 2141 of the Rayburn House Office Building.

I’ve blogged a lot about 18 U.S.C. 1030, the Computer Fraud and Abuse Act (CFAA), and how broad readings of the statute potentially criminalize a tremendous amount of entirely innocuous activity. The broad readings of the CFAA also have another important effect: They allow DOJ to try to turn any state crime that happens to involve computers into a federal crime. In that sense, the CFAA is being used as a catch-all to try to punish computer misconduct that otherwise would not be thought to be a federal offense. An interesting example is United States v. Nestor, a prosecution that is pending in the U.S. District Court for the District of Nevada.

Andrew Nestor learned of a programming flaw in certain video poker machines used in Las Vegas. By using a certain feature and playing a particular combination, a person could trick the poker machine into paying out winnings at a higher rate than it should have. Nestor played the combination, and he was able to receive winnings that he was not entitled to have. At this stage, it sounds like a state law offense of theft or fraud. Nestor stole the money from the machine by fraud.

But was a federal crime committed, as opposed to a state crime? Federal prosecutors love to charge fraud cases under the wire fraud statute, 18 U.S.C. 1343, but that wouldn’t work here. Liability under the wire fraud statute requires a crossing of state lines, while here all the action occurred in a single room. So instead the government charged Nestor with a CFAA violation, and specifically 18 U.S.C. 1030(a)(4), which punishes:

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]

Note that there is no longer a requirement of crossing state lines, as there is in the case of the wire fraud statute. Instead, the only federal hook is that the computer be a “protected computer.” But that’s really no federal hook at all: Protected computers are defined as any computers that can be regulated under the Commerce Clause power, which paired with Gonzales v. Raich seems to be any computers, period. So voila, there is federal jurisdiction over the state law crime because a computer is involved.

Of course, whether the government can use 1030(a)(4) to federalize state law fraud schemes involving computers depends on the legal interpretation of “accesses . . . without authorization, or exceeds authorized access,” which is the main issue involved in cases like United States v. Nosal, currently pending before the en banc Ninth Circuit. In the Nestor case, I assume DOJ’s view is that it is implicitly unauthorized to exploit a programming error in a computer in order to commit a fraud. I think this reading essentially reads “without authorization, or exceeds authorized access” out of the statute, and instead treats 1030(a)(4) as punishing fraud committed using any computer, period. But we’ll see what the district court does with the motion to dismiss in Nestor, which may in turn depend on what the en banc Ninth Circuit does in Nosal.

I’ve blogged a few times about the recent Ninth Circuit decision in United States v. Nosal, which held that “an employee accesses a computer in excess of his or her authorization [in violation of 18 U.S.C. 1030] when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer.” My most recent post on Nosal linked to the petition for rehearing and expressed the hope that the Ninth Circuit would grant it.

I’m pleased to report that the Ninth Circuit today granted the petition for rehearing. This is promising news for those of us who have worried about the remarkable overbreadth of the Computer Fraud and Abuse Act. As always, stay tuned.


I’ve just finished a longish piece on cyberwar and the role of lawyers, published in Foreign Policy magazine. Here’s how it begins:

Lawyers don’t win wars. But can they lose one?

We’re likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they’ve left the military unable to fight or even plan for a war in cyberspace.

And here’s the part that inspired the title of this post:

By the 1930s, everyone saw that aerial bombing would have the capacity to reduce cities to rubble in the next war. Just a few years earlier, the hellish slaughter in the trenches of World War I had destroyed the Victorian world; now air power promised to bring the same carnage to soldiers’ homes, wives, and children.

In Britain, some leaders expressed hardheaded realism about this grim possibility. Former Prime Minister Stanley Baldwin, summing up his country’s strategic position in 1932, showed a candor no recent American leader has dared to match. “There is no power on Earth that can protect [British citizens] from being bombed,” he said. “The bomber will always get through…. The only defense is in offense, which means that you have got to kill more women and children more quickly than the enemy if you want to save yourselves.”

The Americans, however, still hoped to head off the nightmare. Their tool of choice was international law. (Some things never change.) When war broke out in Europe on Sept. 1, 1939, President Franklin D. Roosevelt sent a cable to all the combatants seeking express limits on the use of air power. Citing the potential horrors of aerial bombardment, he called on all combatants to publicly affirm that their armed forces “shall in no event, and under no circumstances, undertake the bombardment from the air of civilian populations or of unfortified cities.”

Roosevelt had a pretty good legal case. The 1899 Hague conventions on the laws of war, adopted just two years after the Wright brothers’ first flight, declared that in bombardments, “all necessary steps should be taken to spare as far as possible edifices devoted to religion, art, science, and charity, hospitals, and places where the sick and wounded are collected, provided they are not used at the same time for military purposes.” The League of Nations had also declared that in air war, “the intentional bombing of civilian populations is illegal.”

But FDR didn’t rely just on law. He asked for a public pledge that would bind all sides in the new war — and, remarkably, he got it. The horror at aerial bombardment of civilians ran so deep in that era that Britain, France, Germany, and Poland all agreed to FDR’s bargain, before nightfall on Sept. 1, 1939.

Nearly a year later, with the Battle of Britain raging in the air, the Luftwaffe was still threatening to discipline any pilot who bombed civilian targets. The deal had held. FDR’s accomplishment began to look like a great victory for the international law of war — exactly what the lawyers and diplomats now dealing with cyberwar hope to achieve.

But that’s not how this story ends.

Kashmir Hill writes at her Forbes blog on the good news from yesterday’s Senate Judiciary Committee hearing markup of amendments to the Computer Fraud and Abuse Act: No, Faking Your Name On Facebook Will Not Be A Felony.

Legal scholar Orin Kerr wrote an alarming op-ed in the Wall Street Journal yesterday, warning people that “faking your name on Facebook could be a felony” when the law is changed. But a lot changed since yesterday morning. An amendment was added to the bill during a Senate Judiciary Committee hearing Thursday morning, so that people who violate websites’ terms of service are not considered felons.

Senators Al Franken and Chuck Grassley proposed new language for the bill (thanks in part to Kerr’s urging) to exempt those guilty only of TOS violations. Franken, in urging his fellow senators to adopt the amendment, said that without it, the following people would be felons: “A father who uses his son’s Facebook password to log into his Facebook account to check his messages and photos” (ed. note: Creepy and invasive but not criminal); “a 17-year-old who claims she is 18 in order to sell her knitted scarves on Etsy,” and “a struggling business owner who secretly creates a Yelp account to give his restaurants favorable reviews” (ed. note: Again, uncool and deceptive, but not felony behavior).

The Committee then added an amendment to the bill that specifies that felony-level unauthorized access not “include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.” The bill will now move forward to be considered by the Senate.

The amendment is here. It would amend the definition of “exceeds authorized access” in the CFAA to read as follows; the new language is the clause beginning “but does not include”:

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.

I think this is a very good fix, and it would be a very important addition to the CFAA. As I read it, the language says that a mere breach of a contract or warning such as a Terms of Service cannot be the basis for liability in three settings: websites, ISPs, and non-government employers. So the government could still prosecute government employees who misused sensitive government databases, such as by accessing tax or Social Security databases for personal or nefarious reasons. On the other hand, the government could not prosecute private-sector employees for breaching private-sector employer computer-use restrictions (as it is trying to do in United States v. Nosal, still pending in the Ninth Circuit), and it could not prosecute Internet users for Terms of Service violations (as it tried to do in United States v. Drew). The language isn’t exactly perfect, as there are some minor definitional questions. But this is really a very strong effort, and I’m just delighted that the Judiciary Committee passed it.

Of course, the fact that it’s out of Committee doesn’t mean it has passed into law. DOJ may target this provision along the way, and there are still a number of hurdles to pass. But this is a very promising step.

Tomorrow’s Wall Street Journal is running an op-ed I authored on the proposed amendments to the Computer Fraud and Abuse Act. It begins:

Imagine that President Obama could order the arrest of anyone who broke a promise on the Internet. So you could be jailed for lying about your age or weight on an Internet dating site. Or you could be sent to federal prison if your boss told you to work but you used the company’s computer to check sports scores online. Imagine that Eric Holder’s Justice Department urged Congress to raise penalties for violations, making them felonies allowing three years in jail for each broken promise. Fanciful, right?

Think again. Congress is now poised to grant the Obama administration’s wishes in the name of “cybersecurity.”

The little-known law at issue is called the Computer Fraud and Abuse Act. It was enacted in 1986 to punish computer hacking. But Congress has broadened the law every few years, and today it extends far beyond hacking. The law now criminalizes computer use that “exceeds authorized access” to any computer. Today that violation is a misdemeanor, but the Senate Judiciary Committee is set to meet this morning to vote on making it a felony.

The problem is that a lot of routine computer use can exceed “authorized access.” Courts are still struggling to interpret this language. But the Justice Department believes that it applies incredibly broadly to include “terms of use” violations and breaches of workplace computer-use policies.

Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer?

UPDATE: Via e-mail, a reader points out that I misdescribed one case near the end of the op-ed. The Ticketmaster case I mentioned involved alleged unauthorized access beyond the TOS violations. My apologies for the error, which was entirely mine.

In his post below, Stewart Baker writes that DOJ official James Baker “gave a persuasive defense” of the broad view that the Computer Fraud and Abuse Act should apply to Terms of Service violations and employee restrictions on computers. In this post, I want to explain why I don’t find DOJ’s defense of existing law persuasive. I will then propose a statutory fix to reconcile DOJ’s concerns with the concerns of the CFAA’s critics — critics including myself.

Let’s start with James Baker’s written testimony, which I’ll refer to as “DOJ’s testimony” just to avoid confusing the Bakers. According to DOJ, applying the CFAA to Terms of Service violations and employee access restrictions is justified on the following grounds:

All types of employees in both the private and public sector – from credit card customer service representatives, to government employees processing tax returns, passports, and criminal records, to intelligence analysts handling sensitive material – require access to databases containing large amounts of highly personal and otherwise sensitive data. In most cases, employers communicate clear and reasonable restrictions on the purposes for which that data may be accessed. The Department has prosecuted numerous cases involving insiders in both the public and private sectors who have violated defined rules to access and obtain sensitive information. In many prosecutions involving insiders, the “terms of service” and similar rules in employment contexts define whether the individual charged was entitled to obtain or alter the information at issue. This is almost identical to prosecutions under other statutes, in which internal procedures, agreements, and communications must be examined by a fact-finder to determine, for example, whether a particular payment was authorized, or embezzlement or fraud.

Employers should be able to set and communicate access restrictions to employees and contractors with the confidence that the law will protect them when their employees or contractors exceed these restrictions to access data for a wrongful purpose. Limiting the use of such terms to define the scope of authorization would, in some instances, prevent prosecution of exactly the kind of serious insider cases the Department handles on a regular basis: situations where a government employee is given access to sensitive information stored by the State Department, Internal Revenue Service, or crime database systems subject to express access restrictions, and then violates those access restrictions to access the database for a prohibited purpose. Similarly, businesses should have confidence that they can allow customers to access certain information on the business’s servers, such as information about their own orders and customer information, but that customers who intentionally exceed those limitations and obtain access to the business’s proprietary information and the information of other customers can be prosecuted.

On one hand, DOJ is right that some specific circumstances justify punishment for a person who has violated a written restriction on access to a computer. If a written restriction protects extremely private or valuable information, then violating that written restriction inflicts a real privacy harm. The harm exists because the information is particularly sensitive, and the restrictions on the information are therefore important. Unsurprisingly, those are the cases DOJ likes to use as examples: The government employee who uses the sensitive database of private information for personal reasons, or the insider who accesses very valuable proprietary information. When a person violates these important restrictions on very sensitive data, a genuine privacy harm has occurred.

But here’s the problem. The Computer Fraud and Abuse Act does not only protect particularly sensitive or valuable information. Instead, the statute protects access to any information, no matter of what source or kind, protected by any restriction, no matter how silly or serious, stored inside any computer, no matter of what nature or importance, located anywhere in the galaxy that the Commerce Clause can reach. It has no special rules for employers, or for customers, or for sensitive information, or for important access restrictions. It applies to everything. Any kind of information. Every computer and every access restriction, whether connected to a network or not. Perhaps .00000001% of the restrictions that the law covers are the kinds of cases that DOJ claims as cases it might prosecute. And that’s why it’s so easy to create completely absurd hypotheticals of silly ways that innocuous conduct is criminalized — and under the new proposal, made a felony — under DOJ’s view of the statute. Just have a silly computer owner set up a computer with no sensitive information on it, have him give everyone access, and then imagine an arbitrary restriction on that access that has nothing to do with privacy, money, or any real interest at all. Voila! It’s just as much of a CFAA violation as any of the examples DOJ uses.

I promised a way to reconcile DOJ’s concerns with the concerns of critics of the CFAA. So here it is: Congress should limit when the CFAA prohibits “exceed[ing] authorized access” to cases in which the information obtained is particularly sensitive or valuable. The law should continue to broadly prohibit actual hacking — that is, access “without authorization.” But if the prohibition on “exceed[ing] authorized access” is to be read to apply to Terms of Service violations and employee restrictions, Congress should specify what kinds of sensitive information federal law protects. For example, a list might look something like this:

(a) Information with a value of more than $5,000
(b) sensitive or private information involving an identifiable individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, or photographs of a sensitive or private nature;
(c) information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954.

Under this proposal, DOJ would get everything it says it wants. DOJ would still be able to prosecute the government employees who access sensitive databases, whether they are sensitive because they store personal information (b) or national security information (c). DOJ would also still be able to prosecute instances in which folks access very valuable proprietary information via (a). But critics would also get what they want. The limitations on the scope of information covered by the “exceeds authorized access” prong would ensure that the law only applied to important access restrictions that protect real privacy interests. The combination of this and the required mental state of “intentionally” would ensure that people who violated silly or arbitrary access restrictions that protected no genuine privacy interests were not covered by the law. That substantial narrowing would also cure the serious void-for-vagueness problems with DOJ’s preferred reading of the statute.

Poisoning the Hamburger Helper

The Obama Administration’s legislative proposals on cybersecurity are a distinctly mixed bag.  But probably the worst ideas are those put forward by the Justice Department, which last week testified about the need to update the Computer Fraud and Abuse Act.

Again.

In fact, for the eleventh time since it was adopted in the 1980s.  We’ve seen this movie. Every time Congress gets exercised about cybersecurity, the Justice Department claims that the CFAA needs to be updated.  But “updated” almost always turns out to be a euphemism for “made more prosecutor-friendly.”

Justice’s latest proposals fit squarely into this mold.  Justice wants to create a new crime, hacking a critical infrastructure computer, with a mandatory minimum sentence of three years.  It wants to impose the same penalties on conspiracies and attempts as on successfully completed crimes.  It would get rid of first-time offender provisions in sentencing, increase sentences in general, allow civil forfeiture of hackers’ real estate, and make violation of the CFAA a RICO predicate, which would allow heightened penalties and private civil suits against violators.

Well, you might ask, why not get tough with hackers?  Surely we shouldn’t be playing pattycake with Anonymous and Lulzsec, let alone the foreign hackers endangering our national security.  That’s true, but the problem we have with those hackers is not the weakness of our criminal penalties but the fact that, most of the time, we can’t find them.  Until we do a better job of breaking the anonymity that protects them, increasing penalties for criminals we don’t catch will not make much difference.

Take a look at the website where Justice maintains a representative list of its most significant prosecutions.  What’s striking is how few prosecutions it has to brag about – fewer than 50 – and how few of those (maybe half) represent cases in which we actually caught the kind of remote hackers we’re most threatened by. I’m willing to bet that there is no other federal criminal law that has been amended so often in prosecutors’ favor with so few successful prosecutions to show for it.

The latest amendments are more of the same:  Shooting in the dark with a bigger gun. As protections against cyberattack, these amendments are useless.  They are added to the administration’s package mainly to give it the appearance of heft.

They are the legislative equivalent of Hamburger Helper.

Actually, they’re worse than that.  The RICO provision is far more dangerous than it first appears. To explain, I’ll need to repeat some of what Orin Kerr has been saying for years, so if you’re already familiar with that, you can skip the next ten paragraphs.

***

As I’ve said, the remarkable growth in cyberattacks over the last quarter century has enabled Justice to turn the CFAA into what may be the most prosecutor-friendly criminal statute on the books.  What does “prosecutor-friendly” mean in practice?  That any competent prosecutor can find a way to indict and convict anyone who does anything Really Bad with a computer.

With the CFAA, that’s mission accomplished:  The law imposes harsh criminal penalties on anyone who accesses a protected computer “without” or “in excess of” authorization.  The definition of a “protected computer” has been expanded until it covers any computer used in interstate or foreign communication, which in the Internet age is, well, every computer. As a practical matter, then, you can be indicted any time you do something on a computer that isn’t authorized. That term isn’t defined, but you can bet that if you do something Really Bad with a computer, it will turn out to be unauthorized.

Take Lori Drew, an overprotective, nasty mother who created a fake teenage-boy identity on MySpace in an effort to humiliate her daughter’s teenaged frenemy.  The scheme worked so well that the teen killed herself.  There’s no doubt that Lori Drew’s behavior was Really Bad, and it involved computers, so federal prosecutors decided it must violate the CFAA. And, mirabile dictu, it did.  By using a fake identity, Drew had violated MySpace’s terms of service, which meant that she had accessed a MySpace computer “in excess of” authorization. Drew was convicted, although in the end, with Orin Kerr’s help, the guilty verdict was overturned.

This kind of prosecutorial overreach is an inherent risk of the CFAA, given its reliance on the slippery concept of authorization.  As some civil liberties groups recently pointed out, the CFAA at its heart makes it a federal crime to violate a private contract, even a contract of adhesion like a social network’s terms of use:

If, for example, an employee photocopies an employer’s document to give to a friend without that employer’s permission, there is no federal crime (though there may be, for example, a contractual violation).  However, if an employee emails that document, there may be a CFAA violation.  If a person assumes a fictitious identity at a party, there is no federal crime.  Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation.

I don’t want to be too hard on the drafters of the CFAA;  they faced a tough drafting problem.  Hackers cause terrible harm, but the things they do aren’t all that different from the things legitimate users do.  Legitimate users open files, modify code, install programs, and send data to remote sites.  So do hackers.  We know the difference between the two, but it’s not easy to express that difference without falling back on the notion that the good guys are authorized to do those things and the bad guys aren’t.

I think this means that any statute that criminalizes hacking is likely to be either too broad or not broad enough.  Congress chose broad language to make sure that hackers couldn’t get off on a technicality, but in the process it gave Justice enormous prosecutorial discretion. Justice Department official James Baker gave a persuasive defense of the “authorization” test in last week’s testimony.  But the Department’s misuse of its broad discretion in the Lori Drew case suggests a need for greater accountability and discipline within the Department.  Requiring that the head of the Criminal Division sign off on all such cases — and take the blame if they turn out badly — may be a more workable solution than taking away the prosecutors’ discretion by changing the law.

Remarkably, though, that isn’t even the worst problem created by the CFAA.  The law also creates a private cause of action, handing a big legal weapon to everyone from the RIAA to the Church of Scientology.  And private parties aren’t exactly showing a lot of restraint.  According to the Center for Democracy and Technology, at least one company has brought a CFAA counterclaim in a pregnancy discrimination case, seeking damages under the Act because its employee acted in excess of authorization on the corporate network.  What did she do?  She violated a corporate proscription on “excessive Internet use.”  Equally abusive is a case that Orin Kerr has pointed out – Sony’s threat to sue PS3 hackers because they used their own computers in violation of Sony’s licensing restrictions.

Maybe back in the 1980s, Congress thought that creating a civil action would unleash the plaintiff’s bar on real hackers.  If so, Congress was deluded.

Civil CFAA lawsuits have proliferated but by and large they aren’t being filed against people who hack into systems.  Instead, they’re being brought by corporations against employees thought to have downloaded too much information from the corporate network before quitting.  They’re being brought by websites to keep competitors from using “scraper” software to collect their pricing data. Maybe those are bad things.  If so, they’re probably already torts under state law, and it’s hard to see why the cases should be in federal court.  And if they aren’t torts under state law, well, it’s even harder to see why they should be in federal court.  It’s the law of unintended consequences run amok.

***

OK, that’s the Gospel According to Orin Kerr. Now back to the latest proposal from Justice.

Justice wants to make the CFAA one of the federal crimes that qualify as “racketeering activity” under the Racketeer Influenced and Corrupt Organizations Act, or RICO.  This would add RICO prosecutions to the long list of get-tough measures that Justice rarely uses against actual hackers because, well, because it can’t catch most actual hackers.

But that doesn’t mean the amendment would have no effect.  Because, like the CFAA, RICO creates a private cause of action against RICO violators.  Actually it’s not just a private cause of action.  It’s a bonanza. Plaintiffs can recover treble damages plus attorney’s fees by bringing suit against “racketeers.” And what do you know, just like CFAA civil suits, it turns out that most RICO civil suits have been brought against ordinary businessmen, “rather than against the archetypal, intimidating mobster,” according to the Supreme Court.

The Supreme Court and Congress have struggled for decades to curb abuses of civil RICO.  Now, almost casually, the Justice Department proposes to open another can of RICO liability for unintended defendants.

How would that happen?  First, treble damages under civil RICO can be claimed by any person “injured in his business or property by reason of” a RICO violation.  18 U.S.C. § 1964(c).  A violation of RICO occurs, inter alia, when a “person employed by or associated with any enterprise engaged in” interstate or foreign commerce participates, “directly or indirectly, in the conduct of such enterprise’s affairs through a pattern of racketeering activity.”  (Sorry for the dense language; it may help to parse the language by thinking of a mobster who acquires partial ownership of a legitimate “enterprise” through threats of violence. He would be squarely covered by the provision, as long as he committed a pattern of racketeering activity, that is, more than one predicate crime.  But the words will sweep in far more conduct than classic mobster tactics, especially if Justice gets its way and violating the CFAA becomes a predicate offense.)

Pulling these elements together, let’s look at what the Justice Department’s proposal would mean for some of the unnecessary federal litigation now being brought under the CFAA.  We can start with the employer lawsuits against departing employees.  Employers who want to turn their CFAA claims into much more potent RICO claims would have to show that the departing employee committed two CFAA violations, which should be easy, since every unauthorized download is a new offense.  And, they’d have to show that they were injured in their business by reason of the racketeering; this they can do by showing the same damages that supported the CFAA case.  In short, on a quick look, the Justice Department seems to have created a massive incentive for companies to sue departing employees, and perhaps the companies they join, as racketeers.  Anyone who has a plausible CFAA case today will have a plausible RICO case once Justice gets its amendment.

Okay, another one: How about CDT’s favorite case – the pregnant worker accused of a CFAA violation because of excessive Internet use?  Well, she probably violated the rule on Internet use more than once, which makes for a pattern of racketeering, and she’s employed by an enterprise, in whose affairs she participated by misusing its computers.  The enterprise has been injured, too, by virtue of not getting her full attention at work.  What do you know? She sounds like a racketeer too!  It would be malpractice not to hit her with a counterclaim for treble damages and attorneys’ fees.

(At this point, you may be wondering why the Obama administration, of all administrations, wants to give employers even heavier litigation weapons to use against their employees. Beats me.  Maybe it has something to do with trial lawyers.  Maybe it’s just prosecutorial myopia.  James Baker’s testimony doesn’t even acknowledge the issue.)

OK, let’s try a harder problem.  You’re a copyright holder — Jon Stewart, say — and you’d like faster takedowns and more respect from YouTube.  Posting copyrighted material on YouTube is a violation of law and can lead to termination of your YouTube account.  The Lori Drew case tells us that the people who post clips in violation of that policy are using YouTube’s computers “in excess of authorization.” That’s a CFAA violation.  Do it twice and it becomes a pattern of racketeering, at least if Justice gets its way.  Now, the people doing the posting aren’t employees of YouTube, but they are “associated with” the YouTube enterprise, and they are participating indirectly in the conduct of YouTube’s affairs by virtue of their shocking CFAA violations.  What’s more, the Daily Show can claim injury in its business because it has lost viewers and ad revenue.  Presto!  Another racketeer takes the fall.  Maybe they’ll name YouTube’s parent, Google, as a co-conspirator just to keep it on its toes.

Oh, and what about you, dear reader?  Have you ever violated the terms of service on a website?  Hell, have you ever read them?  C’mon, I’ve seen the comments on my privacy and TSA posts. Are you sure yours didn’t violate the site’s proscription on “abusive or denigrating comments”?  Cause if you did it twice, that’s a predicate, and VC is an interstate enterprise that you are associated with and in whose affairs you are participating by virtue of your appalling violations of the terms of use and thus of the CFAA.  Best of all, VC has what strikes me as a pretty upscale readership.  Treble damages and attorney’s fees would go a long way toward finally monetizing my blogging habit.

(Had you going there, huh?  Actually, as far as I know, VC doesn’t have any terms of use for commenters, so fire away. You’re safe.)

I’m not a RICO lawyer, thank God, so maybe I’m oversimplifying what it takes to make out a civil RICO suit.  But, what the hell, the lawyers representing departing or pregnant employees aren’t RICO lawyers either.  If the claim against them is plausible on its face, they will face overwhelming pressure to settle, quite possibly by abandoning good claims, especially if their next employer is dragged in as a co-conspirator.  Ditto for the YouTube uploaders.

And in exchange for all this uncertainty and injustice, what benefit can we expect in fighting actual criminals?  About as much as we’ve gotten from the CFAA’s private right of action, which is nothing, and from RICO’s private right of action, which is less than nothing.

This is Hamburger Helper with a dose of cyanide.


UPDATE: Clarified with a reference to Google’s ownership of YouTube

Photo credits:

http://www.flickr.com/photos/arkangl/with/4709166389/

http://www.flickr.com/photos/like_the_grand_canyon/3853938360/lightbox/

I’ve blogged a bunch about the dangerous scope of the Computer Fraud and Abuse Act (CFAA), and the remarkable fact that Congress seems poised to make the penalties in the act even higher. So here’s an update: The Senate Judiciary Committee held a hearing yesterday on the proposals to expand the CFAA. No one other than government officials was even invited to testify. When asked if they wanted to have more power, the government officials responded that yes, they did.

Senator Leahy touched on the incredible scope of the CFAA at around the 50-minute mark, and he asked DOJ official James Baker what assurances he can give that DOJ won’t abuse the incredible power the statute arguably confers over all computer users. Baker responded that DOJ is restrained by the fact that it has to answer to the Judiciary Committee to explain what it has been doing, and that on the whole DOJ has not abused its power in the past. The former answer is puzzling, given that I don’t think DOJ has ever actually explained its view of the CFAA or ever been asked to defend any of its individual prosecutions in the 27 years the statute has been on the books. And the latter answer amounts to “trust us,” which is rarely a heart-warming answer coming from the federal government.

I’ve co-signed a letter together with various liberal and conservative organizations urging the Senate to define the scope of the CFAA before enhancing its penalties yet again. You can read the letter here.

As most readers are aware, the English newspaper “News of the World” has recently been shut down over reports that the paper’s reporters regularly hacked into the voicemail boxes of celebrities and political figures to gather news for stories. The hacking has had huge ripple effects, ranging from its impact on UK politics to Rupert Murdoch. I wanted to blog about one angle to the story I haven’t seen covered elsewhere: Did these intrusions violate U.S. federal criminal law? Put another way, could the federal government prosecute individuals for the hacking in the U.K.?

We don’t know all the details yet, but I think it’s possible. I’ve blogged a lot about the Computer Fraud and Abuse Act, 18 U.S.C. 1030, which prohibits unauthorized access to protected computers. I’ve regularly pointed out that this statute is extraordinarily broad, and its breadth is relevant here. Some of the analysis is easy: Hacking into another person’s voicemail box is clearly an unauthorized access, and the computers that host voicemail files are clearly “computers.” See, e.g., United States v. Kramer (8th Cir. 2011). More interestingly, the fact that the hacking was probably all done outside the U.S. likely doesn’t matter, even if all the computers that were hacked are outside the U.S. The Computer Fraud and Abuse Act extends to computers outside the United States in most circumstances. Here’s the key statutory language:

the term “protected computer” means a computer . . . which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

18 U.S.C. 1030(e)(2)(B); the key clause is the one covering “a computer located outside the United States.” Notably, the statutory phrase “affects interstate or foreign commerce” is a term of art: In U.S. law, it means as far as the interstate or foreign commerce clauses will allow. See Russell v. United States, 471 U.S. 858 (1985). As a result, a computer is a “protected computer” covered by the CFAA if the interstate or foreign commerce clauses permit it to be regulated under the Constitution, even if it is located outside the United States.

That brings us to the scope of the Foreign Commerce Clause, which under Article I, Section 8, Cl. 3 provides that Congress can “regulate Commerce with foreign Nations.” The scope of the foreign commerce clause is not often litigated, and its precise meaning remains somewhat unclear. See generally Anthony Colangelo, The Foreign Commerce Clause, 96 Va. L. Rev. 949 (2010). But, in general, the scope of the foreign commerce clause has been interpreted as more or less analogous to the scope of the interstate commerce clause. Communications networks such as the telephone network and the Internet are channels of interstate commerce that have long been subject to federal regulation under the Commerce Clause. See, e.g., United States v. Ho, 311 F.3d 589, 597 (5th Cir. 2002). As a result, such networks outside the United States are likely subject to regulation under the Foreign Commerce Clause, as well.

One significant uncertainty is how much if any nexus to the United States is required under the Foreign Commerce Clause to constitute a channel of foreign commerce: Does that mean a channel of commerce with the United States, or just among foreign nations? And in the case of an international network like the phone network or the Internet, is the relevant question whether the communications involved the United States at that time or whether the channels themselves interacted with United States networks more generally? These issues don’t come up often because prosecutions of foreign conduct are rare. And in the case of the “News of the World” hacks, we don’t know what role any U.S. networks or computers played. But depending on how the foreign commerce clause arguments are resolved, there’s a chance that the intrusions may be chargeable under United States criminal law in addition to under the law of the UK.

NPR’s All Things Considered had a segment today on computer hacking featuring an interview with computer security expert Hugh Thompson. NPR’s Robert Siegel started off by asking Thompson about the law of computer hacking. Thompson is a tech guy, not a law guy. But Thompson tried to wing it, and unfortunately he managed to bungle the legal issues pretty badly. I transcribed the exchange as follows, with each speaker labeled:

SIEGEL: Here’s a hypothetical case which happens to be not-so-hypothetical. Some hackers break into the NPR computer system. First, for starts, is that a crime? If so, do we know what crime it is? And who is trying to investigate that crime?

THOMPSON: You bring up a fascinating question. I think the law is really trying to sort this out now. And cybercrime has moved so quickly. The laws move so slowly. But to your hypothetical, one of the laws that prosecutors may use in their arsenal is the Computer Fraud and Abuse Act, which is a relatively recent piece of legislation that targets and covers computers that are in the federal interest.

SIEGEL: So if the NPR computer were in the federal interest, someone could prosecute somebody for doing that. But what if they said, “You know, it’s just a radio network. It’s not in the federal interest, it’s not a .mil operation.” Is it a crime for somebody to poke around our computers?

THOMPSON: Then things get more complicated. So there are laws about stored communications. In many cases, prosecutors have had to get creative. But if you look at it from an individual perspective, obviously something wrong has happened. Someone has trespassed, someone has caused harm to the system. And I think what we’re dealing with is a big lag between the speed with which technology has moved and the lumbering speed of the legal process.

Umm, no. Absolutely it’s a crime, and it has been a crime for a pretty long time. Congress has criminalized computer hacking since the 1980s thanks to a law Thompson mentioned — 18 U.S.C. 1030, first enacted in 1984 and often called the Computer Fraud and Abuse Act. The law is incredibly broad, and it protects pretty much everything with a microchip on the Planet Earth. All fifty states have state criminal laws that this conduct would violate, too. In some circumstances poking around NPR’s computers would be a misdemeanor, and in some a felony, but it’s definitely and clearly a crime. In terms of who would investigate, the FBI and other federal agencies investigate these sorts of cases relatively frequently, and some state agencies do, as well. Of course, they may not catch the folks responsible: Computer intrusion investigations are very difficult for the government for both technical and legal reasons, and savvy intruders are caught only rarely. But the conduct is clearly criminal, and it has been for a long time.

A petition for rehearing was recently filed in United States v. Nosal, the Ninth Circuit decision holding that an employee who violates his employer’s computer use policy is guilty of “exceeding authorized access” to the employer’s computer. I have posted a copy here. I hope the Ninth Circuit grants rehearing, as I think the Nosal case is both wrong on the law and deeply troubling for civil liberties in the Internet age.

Overstatement? I don’t think so. It seems to me that if the federal government can arrest you and throw you in jail for violating a computer use policy — any computer use policy — then the government can arrest pretty much anyone who uses a computer. Most people who use computers routinely violate computer use policies: While we understand that such policies may have force from the standpoint of breach of contract, no one thinks that breaching a computer use policy is the same as hacking into the computer. The Nosal case would change that. Under its reasoning, breaching a written policy is treated the same way as hacking. And as computers become more and more ubiquitous, the power to arrest anyone who routinely uses a computer is the power to arrest anyone.

It’s true that the Nosal appeal happens to involve a prosecution under 18 U.S.C. 1030(a)(4), which requires more than just unauthorized access to a computer. But as the petition for rehearing notes, the unauthorized access “trigger” is common to several crimes in Section 1030(a), and other sections of 1030(a) don’t require much if anything beyond unauthorized access. The most obvious concern is 1030(a)(2), which makes it a crime to have any unauthorized access to anything on the planet with a microchip so long as some information is either seen or collected. For now it’s usually just a misdemeanor crime, so each breach of a policy would only mean you spend up to a year of your life in federal prison, but note that (1) Congress may make that crime a felony soon and (2) even the misdemeanors can be sentenced consecutively (remember that DOJ wanted Lori Drew to be sentenced to a three year prison term for her three misdemeanor convictions of violating three MySpace terms of service).

You might think that as long as you avoid the Ninth Circuit, you’re probably okay. But that won’t help much: Lots of Internet communications go through the Ninth Circuit, meaning that the Ninth Circuit has venue over much of the rest of the country to prosecute computer use policy breaches elsewhere. Again, remember the Lori Drew case. Everything in the case happened in Missouri, and the Missouri state and federal authorities declined to prosecute because they thought no crime was committed, but the case was charged in Los Angeles because that’s where MySpace’s servers (and some extremely aggressive prosecutors) were located. It probably won’t help to move to Canada, either: Section 1030 covers all computers in the world that can be reached under the Constitution, even computers outside the United States, so the computer use policy breach doesn’t even need to be in the US for the feds to prosecute.

Given the stakes, I hope the Ninth Circuit will grant rehearing, revisit the panel decision, and come out the other way. Stay tuned.

The Ninth Circuit recently ruled that an employee “exceeds authorized access” to his employer’s computer when he violates the employer’s Internet use restrictions: Given that federal law criminalizes exceeding authorized access, see 18 U.S.C. 1030(a)(2)(C), that would mean that every employee who surfs the Internet, checks Facebook, or logs in to personal e-mail from work is guilty of a federal crime if the employer’s workplace Internet use policy prohibits it. But surely no employee would ever be subject to a CFAA action for that kind of innocuous conduct, right?

Wrong, in light of Lee v. PMSI, Inc., 2011 WL 1742028 (M.D.Fla. 2011), handed down May 6. After Wendi Lee sued her former employer PMSI, Inc. for pregnancy discrimination, PMSI Inc. filed a counterclaim against Lee arguing that she had violated the CFAA because she engaged in “excessive internet usage” at work and “visit[ed] personal websites such as Facebook and monitor[ed] and [sent] personal email through her Verizon web mail account.” District Judge Merryday concluded that such conduct does not exceed authorized access to the employer’s computer in violation of the CFAA:

The CFAA is a criminal statute originally designed to target hackers who access computers to steal information or to disrupt or destroy computer functionality, as well as criminals who possess the capacity to “access and control high technology processes vital to our everyday lives….” LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130–1131 (9th Cir.2009), citing 1131 H.R. Rep. 98–894, 1984 U.S.C.C.A.N. 3689, 3694 (July 24, 1984). Both the letter and the spirit of the CFAA convey that the statute is not intended to cover an employee who uses the internet instead of working. See, e.g., Intel Corp. v. Hamidi, 30 Cal.4th 1342, 1 Cal.Rptr.3d 32, 71 P.3d 296 (Cal.2003) (rejecting a claim of trespass to chattels after an employee used the company’s email system to transmit remarks disparaging the employer); Clarity Services v. Barney, 698 F.Supp.2d 1309, 1316 (M.D.Fla.2010) (expressing skepticism that an employee violates the CFAA by checking personal email at work).

. . . . PMSI fails to show that the plaintiff “exceeded authorized access” or obtained information from the computer. “Exceeds authorized access” is defined as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). The counterclaim alleges that the plaintiff visited only personal websites. (Doc. 12, Pages 6 and 7) Because the only information Lee allegedly accessed was on the personal websites, not PMSI’s computer system, Lee never “obtained or alter[ed] information in the computer.” Lee accessed her facebook, personal email, and news websites but did not access any information that she was “not entitled so to obtain or alter.”

LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir.2009), states that “for purposes of the CFAA, when an employer authorizes an employee to use a company computer subject to certain limitations, the employee remains authorized to use the computer even if the employee violates those limitations. It is the employer’s decision to allow or to terminate an employee’s authorization to access a computer that determines whether the employee is with or ‘without authorization.’ ” Because PMSI fails to allege that Lee’s authorization to use her work computer was terminated prior to her leaving the company, PMSI cannot show that Lee’s use of the computer was “without authorization.” Although Lee’s internet usage may violate company policy, 18 U.S.C. § 1030 is inapplicable.

. . . 18 U.S.C. § 1030 is a “criminal statute with a civil cause of action” and . . . the rule of lenity “requires a restrained, narrow interpretation.” 698 F.Supp.2d at 1316. Extension of a federal criminal statute to employee misconduct in the private sector is a legislative responsibility and not a proper occasion for aggressive statutory interpretation by the judiciary. See, e.g., United States v. Rybicki, 354 F.3d 124, 135 (2d Cir.2003).

The case is Koch Industries, Inc. v. Does, 2011 WL 1775765 (D.Utah 2011), handed down May 9. In this case, a group called “Youth for Climate Truth” copied the Koch Industries website (kochind.com) and created a fake website designed to look just like it at koch-inc.com. The “Youth for Climate Truth” then issued a fake press release designed to look like it was coming from Koch Industries. Koch Industries sued, alleging (among other things) that copying the legitimate Koch Industries website violated the Terms of Use of the website and therefore “exceeded authorized access” to the computer hosting the website in violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030. The District Court concluded that Section 1030 could not be stretched so far:

To state a plausible claim under 18 U.S.C. § 1030, one must be guilty of gaining “unauthorized access” or “exceeding authorized access” to a protected computer system. But in this case, Defendants created a mockup of Koch’s website using information that Koch made “publicly available on the Internet, without requiring any login, password, or other individualized grant of access.” Cvent, Inc. v. Eventbrite, Inc., 739 F.Supp.2d 927, 2010 WL 3732183, at *3 (E.D.Va.2010). “By definition, therefore, [the defendants] could not have ‘exceeded’ [their] authority to access that data.” Id.

In Cvent, a federal district court recently rejected a similar attempt to stretch the CFAA to the use of publicly available information on a website. There, as here, the plaintiff sought to premise CFAA liability on its website’s Terms of Use, which provided: “No competitors or future competitors are permitted to access our site or information.” Id. But, as with Koch’s website, the defendant took “no affirmative steps” to prevent such access. Id. The website was “not password-protected, nor [were] users of the website required to manifest assent to the Terms of Use, such as by clicking ‘I agree’ before gaining access to the database. Rather, anyone … [could] access and search [the] information at will.” Id. Like Koch’s website, the Terms of Use did “not appear in the body of the first page” of the website; instead “[t]he link to access the Terms [was] buried at the bottom of the first page.” Id. Accordingly, the site was “not protected in any meaningful sense by its Terms of Use or otherwise.” Id.

The Cvent court observed that the plaintiff’s claim was really a claim that a user with authorized access had used the information in an unwanted manner, not a claim of unauthorized access or of exceeding authorized access. Id. A majority of courts have concluded that such claims lie outside the scope of the CFAA. See id.; LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir.2009); Orbit One Communications, Inc. v. Numerex Corp., 692 F.Supp.2d 373, 383 (S.D.N.Y.2010); Lewis–Burke Assocs., LLC v. Widder, –––F.Supp.2d ––––, 2010 WL 2926161, at *5–6 (D.D.C.2010).

Similarly, in this case, Defendants were given unimpeded access to the information on Koch’s public website. Koch’s complaint is not that Defendants obtained the information without authorization, but rather that they ultimately used the information in an unwanted manner. The CFAA addresses only the act of trespassing or breaking into a protected computer system; it does not purport to regulate the various uses to which information may be put.

. . . In addition, “[a]lthough this case arises in a civil context,” the court’s conclusion as to the extent of conduct prohibited by the CFAA “is equally applicable in the criminal context” and must be interpreted consistent with the “rule of lenity,” avoiding “surprising and novel” interpretations that “impose unexpected burdens on defendants.” LVRC Holdings LLC, 581 F.3d 1127, 1134–35 (9th Cir.2009) (applying the rule in a civil CFAA case). If Koch’s legal theory is correct, then any violation of its Terms of Use—that is, any use of its website’s content of which Koch does not approve—could expose a political critic to criminal prosecution. Such a result is clearly beyond Congress’ intent in passing the CFAA.

Quite correct, in my view, and I think it’s correct regardless of whether users have to affirmatively assent to the Terms of Use. Although it’s only a district court decision, I’m glad to see that not every court is accepting extremely broad readings of the CFAA.

What is a “Computer”?

Certainly a cell phone counts, the Eighth Circuit correctly concludes, at least when it comes to the definition of “computer” in 18 U.S.C. 1030(e)(1) of the Computer Fraud and Abuse Act. Hat tip: FourthAmendment.com

…goes to the arguments made by Sony’s lawyers in a complaint and motion for a TRO in a recently-filed civil case: Sony Sues PS3 Hackers. The argument: You’re guilty of felony computer hacking crimes if you access your own computer in a way that violates a contractual restriction found in the fine print of the licensing restriction of the product imposed by the manufacturer.

I realize the complaint characterizes the defendants as hackers, and the CFAA is supposed to be about hacking. But think for a moment about the nature of this claim. You bought the computer. You own it. You can sell it. You can light it on fire. You can bring it to the ocean, put it on a life raft, and push it out to sea. But if you dare do anything that violates the fine print of the license that the manufacturer is trying to impose, then you’re guilty of trespassing onto your own property. And it’s not just a civil wrong, it’s a crime. And according to the motion for a TRO, it’s not just a crime, it’s a serious felony crime.

I’ve seen a lot of civil cases trying to use the vague language of the Computer Fraud and Abuse Act in creative ways. But this is the first case I know of claiming that you can commit an unauthorized access of your own computer. And that claim justifies today’s award for the Silliest Theory of the Computer Fraud and Abuse Act.

Last week, the Eleventh Circuit decided an important case, United States v. Rodriguez, on the computer crime statute known as the Computer Fraud and Abuse Act, 18 U.S.C. 1030. The decision by Judge Pryor touches on the same issue that was in play in the Lori Drew case: When does violating express conditions on computer use constitute a crime? The court’s conclusion seems right on its specific facts, but I worry that it will be construed as adopting a very broad theory that would be quite troubling. So I want to introduce the legal issue, then talk about the Rodriguez case, and then return to the legal issue and talk about how it might apply going forward.

I. The Prohibition on Unauthorized Access

First, some context. Federal law makes it a crime to “exceed authorized access” to a “protected computer” and thereby obtain “information.” 18 U.S.C. 1030(a)(2)(C). Essentially everything on the planet Earth that contains a microchip is a “protected computer”; any data at all counts as “information”; and merely reading information counts as “obtaining” it. As a result, whenever you’re using a computer, the line between computer use that is legal and computer use that can have you arrested and thrown in jail hinges almost entirely on what makes computer use “exceed authorized access.”

The phrase “exceed authorized access” is a defined phrase, but unfortunately the definition is circular. According to 18 U.S.C. 1030(e)(6), “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.” That’s not a very helpful definition, if you think about it. Entitlement and authorization mean the same thing. As a result, the definition just says that you exceed authorized access when you have authorization but then you, well, exceed it, by doing something you’re not authorized to do. Gee, thanks. The missing aspect of the definition is what principle governs authorization (or entitlement, if you prefer). Is it just the computer owner’s say so? Does it require the computer owner to put up some sort of password gate that limits authorization? How do you know what you’re entitled to do for purposes of the criminal law?

This is a really hard question, I think. To see why it’s hard, consider the following eight scenarios. Specifically, consider which of the people in these scenarios “exceeded authorized access” to a computer in violation of federal law:

1) A government employee who has access to a sensitive national security database that he is only permitted to use for official reasons instead uses the database in order to collect private data and sell it to the Chinese government.
2) A Social Security Administration employee who has access to a Social Security database that he is only permitted to use for official reasons instead uses the database just to check out private information on friends and others for purely personal reasons.
3) An associate of a consulting company who is told that he can only access his employer’s computer files for work-related reasons instead looks through the employer’s files because he is thinking of leaving to start a competitor business and is looking for ideas of future clients and services.
4) A city employee who is told that he can only access the city’s computer for work-related reasons instead spends five minutes a day surfing the Internet for pornography.
5) A mother who signs up for a MySpace account that the Terms of Service condition on being entirely truthful in setting up a profile instead lies on the profile and uses the MySpace account anyway.
6) A law student who is forbidden by law school policy to access the law school network during class decides to do so anyway to check his e-mail during a particularly boring lecture.
7) The New York Times reports that there is a website set up at www.dontvisitthiswebsite.com that has some incredible pictures posted. But there’s a catch: The Terms of Service of the website clearly and unambiguously say that no one is allowed to visit the website. A reader of the Times wants to see the pictures anyway and visits the website from his home Internet connection.
8) The Volokh Conspiracy announces a new rule that you are only allowed to visit the blog if your goal in doing so is to further libertarianism. Someone visits the blog to post comments criticizing libertarianism.

So which of these eight scenarios violate the federal criminal law prohibiting exceeding authorized access to a computer? In my experience, almost everyone says that the first scenario does. Most say that the second does, too. Scenarios #3, #4, and #5 draw a mixed reaction. Finally, most people think #6 isn’t a crime, and pretty much everyone agrees it would be utterly ridiculous for #7 or #8 to be a crime.

The problem is that the statute doesn’t provide an obvious way to get to these intuitive results. The intuitive results are based on intuitions of harm. We instinctively think that harmful things should be a crime, while entirely innocuous things shouldn’t be. But the prohibition on unauthorized access does not include a harm element. The statute prohibits exceeding authorized access in the model of a trespass statute, not exceeding authorized access in a way that is likely to cause a lot of harm. (Harm matters to get to the felony provisions, but not the misdemeanor provisions.) All eight scenarios listed above are variations on the same basic theme: In each case, the person was told by the owner/operator of the computer that they were not permitted to use the computer in that way or for that reason — but they did so anyway. All of which raises a profoundly important question: What principle governs when the announced restrictions on using a computer trigger criminal liability?

II. United States v. Rodriguez

The new case, United States v. Rodriguez, involved Scenario #2. Rodriguez was a Social Security Administration employee who used the SSA computers for purely personal reasons. The opinion explains:

From 1995 to 2009, Roberto Rodriguez worked as a TeleService representative for the Social Security Administration. Rodriguez’s duties included answering questions of the general public about social security benefits over the telephone. As a part of his duties, Rodriguez had access to Administration databases that contained sensitive personal information, including any person’s social security number, address, date of birth, father’s name, mother’s maiden name, amount and type of social security benefit received, and annual income.

The Administration established a policy that prohibits an employee from obtaining information from its databases without a business reason. The Administration informed its TeleService employees about its policy through mandatory training sessions, notices posted in the office, and a banner that appeared on every computer screen daily. The Administration also required TeleService employees annually to sign acknowledgment forms after receiving the policies in writing. The Administration warned employees that they faced criminal penalties if they violated policies on unauthorized use of databases. From 2006 to 2008, Rodriguez refused to sign the acknowledgment forms. He asked a supervisor rhetorically, “Why give the government rope to hang me?” To monitor access and prevent unauthorized use, the Administration issued unique personal identification numbers and passwords to each TeleService employee and reviewed usage of the databases.

Continue reading ‘Eleventh Circuit Holds That It is a Federal Crime For an Employee To Use His Employer’s Computer For “Non Business Reasons” After Receiving Clear Instruction From Employer Not to Do So’ »

The final version of my recent essay on the Computer Fraud and Abuse Act — aka the statute that swallowed the Internet — is here: Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561 (2010).

Readers who were interested in the Lori Drew case, and the question of when computer use counts as criminal “unauthorized access” to a computer, will want to read this New Jersey state case from last fall: State v. Riley, 12 N.J.Super. 162, 988 A.2d 1252 (2009) (link to google cache version). It’s a case on the New Jersey computer crime statute, and only by a trial court, but it’s a good example of how courts could (and in my view should) narrowly construe unauthorized access statutes. According to the opinion, the court narrowly construes the statute by relying on “the statute’s plain language, legislative history, related case law, persuasive out-of-state authority, and scholarly commentaries” — the last of which is of course rather suspect.