Archive | Computer Fraud and Abuse Act

The Legal Case Against Hack-Back: A Response to Stewart Baker

My co-blogger Stewart Baker recently argued that it is legal to hack into the computer of someone who has hacked into your computer. Stewart says his analysis is “surely” right. I think it’s obviously wrong. Here’s why.

The Computer Fraud and Abuse Act is a computer trespass statute. It prohibits accessing another person’s computer “without authorization” just like trespass laws prohibit walking on to someone else’s land without their consent. As with a traditional trespass statute, it is the owner/operator of the property that controls authorization. The basic idea is to give computer owners the ability to enforce rights on their own machines. There is lots of disagreement about how computer owner/operators can create rights on their machines that the law will enforce — I’ve blogged a lot about the role of Terms of Service in doing so — but everyone agrees that hacking into someone else’s machine is the quintessential example of the kind of conduct prohibited by the statute.

Stewart offers a novel way to get around this and read the statute as allowing hacking back. He posits that rights to control authorization go with ownership of data stored on a particular machine. More specifically, Stewart argues that the CFAA is so vague as to whether it protects computers or data that the rule of lenity requires courts to adopt the view that any person pursuing their stolen data is authorized in their conduct. In his view, you can’t really rule out that the theft victim controls authorization — and if you can’t really rule it out, you must rule it in. Thus anything victims do must be authorized because they themselves have authorized it.

I think this view of the CFAA is clearly wrong. Contrary to Stewart’s claim, there is no genuine ambiguity over whether the statute protects […]

Magistrate Judge Concludes That Fraud Scheme Using Video Poker Machine Falls Outside the Computer Fraud and Abuse Act

Last year, I posted about a recently-filed criminal prosecution in which the federal government was charging a state fraud scheme involving poker machines under the Computer Fraud and Abuse Act:

Andrew Nestor learned of a programming flaw in certain video poker machines used in Las Vegas. By using a certain feature and playing a particular combination, a person could trick the poker machine into paying out winnings at a higher rate than it should have. Nestor played the combination, and he was able to receive winnings that he was not entitled to have. At this stage, it sounds like a state law offense of theft or fraud. Nestor stole the money from the machine by fraud.

But was a federal crime committed, as opposed to a state crime? Federal prosecutors love to charge fraud cases under the wire fraud statute, 18 U.S.C. 1343, but that wouldn’t work here. Liability under the wire fraud statute requires a crossing of state lines, while here all the action occurred in a single room. So instead the government charged Nestor with a CFAA violation, and specifically 18 U.S.C. 1030(a)(4), which punishes “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”

Note that there is no longer a requirement of crossing state lines, as there is in the case of the wire fraud statute. Instead, the only federal hook is that the computer be a “protected computer.” But that’s really no federal hook at all: Protected computers are defined

[…]

Recent Developments — Both in the Courts and in Congress — on the Scope of the Computer Fraud and Abuse Act

I’ve blogged a lot on the scope of the Computer Fraud and Abuse Act, and specifically on whether using a computer in violation of a computer use policy or Terms of Service is a federal crime. I’ve been banging the drum urging courts to adopt a narrow interpretation of the Act for a decade, and the question has recently reached several courts of appeals. A lot has been happening on this front recently, so I thought I would bring readers up to speed. To follow this issue, you need to watch all three branches. So let’s start with the pairing of Judiciary/Executive, and then cover the pairing of Legislature/Executive.

First, the Judiciary/Executive. Last Thursday, the Fourth Circuit deepened the apparent circuit split by joining the Ninth Circuit in adopting a narrow interpretation of the CFAA in WEC Carolina Energy Solutions v. Miller. A day later, DOJ asked for another extension of the period in which a cert petition could be filed in United States v. Nosal, the Ninth Circuit en banc case. DOJ’s request for more time may have been at least in part a response to the Fourth Circuit’s decision the day before, although I haven’t seen the filing so I don’t actually know. It’s also possible that DOJ wasn’t planning on filing for cert in Nosal but might reconsider in light of WEC. It’s hard to know.

Next, the Legislature/Executive. The Senate Judiciary Committee is in the middle of its markup of The Cybersecurity Act of 2012, S3414, which you can read here. In its current version, it has no changes to the Computer Fraud and Abuse Act. However, Chairman Leahy has proposed an amendment to the Cybersecurity Act that would make two major changes. First, Leahy’s amendment would add a bunch of things […]

Ninth Circuit Hands Down En Banc Decision in United States v. Nosal, Adopting Narrow Interpretation of Computer Fraud and Abuse Act

The Ninth Circuit has just handed down its long-awaited en banc decision in United States v. Nosal, the case I’ve blogged a lot about involving the scope of the Computer Fraud and Abuse Act and whether violating employee restrictions on workplace computer use is a federal crime. The opinion by Chief Judge Kozinski is a huge victory for those of us who have urged the courts to adopt a narrow construction of the CFAA. Chief Judge Kozinski’s analysis essentially adopts the argument we made in the Lori Drew case (and that I pushed in two articles) that “exceeds authorized access” has to be interpreted narrowly to avoid turning the CFAA into the statute that inadvertently criminalizes a tremendous scope of innocuous activity. From the conclusion of the opinion:

[W]e hold that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires “penal laws . . . to be construed strictly.” United States v. Wiltberger, 18 U.S. (5 Wheat.) 76, 95 (1820). “[W]hen choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” Jones, 529 U.S. at 858 (internal quotation marks and citation omitted).

The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. “[B]ecause of the seriousness of criminal penalties, and because criminal punishment usually represents

[…]

Thoughts on the Oral Arguments in United States v. Nosal

I’ve blogged a lot about the Ninth Circuit’s en banc case in United States v. Nosal, on the scope of the Computer Fraud and Abuse Act — and more specifically, on whether it’s a federal crime to violate an express written restriction on using a computer. You can watch last Thursday’s oral argument in the case here:

Chief Judge Kozinski presided, and he seemed pretty clearly on the side that I’ve been advocating here at the blog, in the Drew case, in my recent testimony, and in my law review articles. I was very pleased to see that, although I wasn’t surprised in light of Judge Kozinski’s libertarian streak. At the same time, I don’t think we have enough information to count votes accurately, as only about four judges spoke in ways that might have indicated their views (two for Nosal, two for the United States, I believe). I’m cautiously optimistic, but we’ll have to see how the votes shake out in the end.

I’ll hide my more detailed reactions below the break for the handful of CFAA nerds in the VC readership … […]

The Trespass Tort Versus the CFAA: A Response to the Oracle Amicus Brief in Nosal

In a recently-filed amicus brief submitted by Oracle America Inc. before the en banc Ninth Circuit in United States v. Nosal, the important Computer Fraud and Abuse Act case I have blogged a lot about, Oracle makes the following argument about interpreting “access” and “authorization” in the context of the CFAA. The CFAA’s prohibition on exceeding authorized access and access without authorization is modeled on trespass principles, the brief reasons, so the scope of the CFAA should be interpreted by reference to the trespass principles articulated in the Restatement (Second) of Torts. According to the Oracle brief, this means that (a) computer owners can condition access to their computers using express restrictions like Terms of Service, but (b) express restrictions are only enforceable in some circumstances. The brief summarizes when express restrictions can be enforced under the tort of trespass as follows:

[Whether a written access restriction can be enforced by trespass law is a] fact-dependent conclusion drawn from the totality of the circumstances, and “it may be manifested by action or inaction and need not be communicated to the actor.” [Restatement (Second) Torts § 892(1) (1979).] see id. § 892 cmt. c. Accordingly, courts sometimes find that a written or posted access restriction has been overridden or lifted.

This common-law principle takes several forms. One is the doctrine of apparent or implied consent; another is estoppel or waiver. Courts are suspicious of posted access restrictions that by their terms apply to everyone but that in fact have been selectively enforced “against some members of the public as opposed to others”; when the signals conflict, courts may find a posted restriction ineffective. Winn, The Guilty Eye, 62 Bus. Law. at 1424. Similarly, a property owner who knowingly acquiesces in a person’s course of access may waive the right to

[…]

My Assessment of Senator Leahy’s Proposed Amendment to the CFAA

Senator Leahy recently proposed an amendment to the Computer Fraud and Abuse Act to try to address the overbreadth concerns that I and others have raised about the current statute, and particularly DOJ’s controversial view that the statute presently allows the government to prosecute computer users for TOS violations. I wanted to blog my thoughts on Leahy’s proposed amendment. My basic take is that Leahy’s proposal is such a modest step that it doesn’t solve the problem it aims to solve. Its language appears to still allow DOJ to prosecute TOS violations, including the theory of the Lori Drew case that the statutory fixes are all designed to stop. For those reasons, explained in detail below, I can’t support the Leahy Amendment. Instead I continue to support the Grassley/Franken amendment.

I. Introduction and the Leahy Amendment

First, some context, for those who are new to this debate or unfamiliar with the Leahy proposal. At its broadest, the CFAA prohibits exceeding authorized access to a computer and obtaining information. See 18 U.S.C. 1030(a)(2). This is overbroad for two related reasons: First, “exceeding authorized access” might mean anything, including violating TOS; and second, the statute applies to obtaining any kind of information, not just sensitive information, so it would include any kind of TOS violations, no matter how arbitrary or silly. As I explain in my House testimony, there are two basic ways to fix the overbreadth problems. First, you could limit the definition of “exceeds authorized access,” so it excludes TOS violations; and second, you could limit the kinds of information that could be obtained so that it only applies to violations involving particularly sensitive information.

The Grassley/Franken amendment agreed to by the Senate Judiciary Committee a few weeks ago was based on the first strategy; it amends the definition […]

Cautiously Optimistic After the Judiciary Committee Hearing on the CFAA

I testified yesterday at a House Judiciary Committee hearing that focused in part on the need to narrow the Computer Fraud and Abuse Act, a drum I’ve been beating since 2003. You can watch the video of the hearing here; the CFAA parts were discussed mostly in the opening statements and in the last 15 minutes. For press coverage of the hearing, some of which focuses on my testimony, see Wired News, CBS News, Main Justice, The Register, and Talking Points Memo.

I thought the hearing went relatively well for those of us who believe the CFAA must be narrowed. There were only a handful of Representatives at the hearing at any given time, and at times the only members present were Mr. Gohmert (Vice Chairman of the subcommittee) and Mr. Scott (the ranking minority member). Further, most of the hearing considered other questions in the area of cybersecurity. So any conclusions must be tentative. But in the last 15 minutes or so of the hearing, Gohmert and Scott turned to the CFAA question, and both indicated their view that the CFAA needs to be narrowed so that it doesn’t apply to innocent conduct like TOS violations. I was also interested to see that the other witnesses also seemed to agree that there was a problem with the overbreadth of the statute — the disagreement was only on what to do about it. It was only a hearing, and only a few members were present, but I’m cautiously optimistic.

Perhaps the most promising sign is that after the hearing, DOJ struck a conciliatory note in response to press inquiries on its position. DOJ’s written testimony submitted before the hearing defended a very broad reading of the CFAA, and it expressed the view that it […]

My Congressional Testimony on the Need to Narrow the Computer Fraud and Abuse Act

Tomorrow morning at 10am, I will be testifying before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security about the need to narrow the Computer Fraud and Abuse Act. I have submitted my written testimony, and it is available here. It begins:

The current version of the Computer Fraud and Abuse Act (CFAA) poses a threat to the civil liberties of the millions of Americans who use computers and the Internet. As interpreted by the Justice Department, many if not most computer users violate the CFAA on a regular basis. Any of them could face arrest and criminal prosecution.

In the Justice Department’s view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable. Routine computer use should not be a crime. Any cybersecurity legislation that this Congress passes should reject the extraordinarily broad interpretations endorsed by the United States Department of Justice.

In my testimony, I want to explain why the CFAA presents a significant threat to civil liberties. I want to then offer two narrow and simple ways to amend the CFAA to respond to these problems. I will conclude by responding to arguments I anticipate the Justice Department officials might make in defense of the current statute.

The three other witnesses appearing at the hearing will be James Baker, the Associate Deputy Attorney General; my old friend and colleague Richard Downing, a Deputy Chief of the Computer Crime and Intellectual Property Section at DOJ; and Michael Chertoff, the former Secretary of Homeland Security. For those interested in attending, the hearing will be at 10 am in Room 2141 of the Rayburn House Office Building. […]

How DOJ Can Use the CFAA to Try to Federalize State Crimes

I’ve blogged a lot about 18 U.S.C. 1030, the Computer Fraud and Abuse Act (CFAA), and how broad readings of the statute potentially criminalize a tremendous amount of entirely innocuous activity. The broad readings of the CFAA also have another important effect: They allow DOJ to try to turn any state crime that happens to involve computers into a federal crime. In that sense, the CFAA is being used as a catch-all to try to punish computer misconduct that otherwise would not be thought to be a federal offense. An interesting example is United States v. Nestor, a prosecution that is pending in the U.S. District Court for the District of Nevada.

Andrew Nestor learned of a programming flaw in certain video poker machines used in Las Vegas. By using a certain feature and playing a particular combination, a person could trick the poker machine into paying out winnings at a higher rate than it should have. Nestor played the combination, and he was able to receive winnings that he was not entitled to have. At this stage, it sounds like a state law offense of theft or fraud. Nestor stole the money from the machine by fraud.

But was a federal crime committed, as opposed to a state crime? Federal prosecutors love to charge fraud cases under the wire fraud statute, 18 U.S.C. 1343, but that wouldn’t work here. Liability under the wire fraud statute requires a crossing of state lines, while here all the action occurred in a single room. So instead the government charged Nestor with a CFAA violation, and specifically 18 U.S.C. 1030(a)(4), which punishes:

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of

[…]

Ninth Circuit Grants Rehearing En Banc in United States v. Nosal

I’ve blogged a few times about the recent Ninth Circuit decision in United States v. Nosal, which held that “an employee accesses a computer in excess of his or her authorization [in violation of 18 U.S.C. 1030] when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer.” My most recent post on Nosal linked to the petition for rehearing and expressed the hope that the Ninth Circuit would grant it.

I’m pleased to report that the Ninth Circuit today granted the petition for rehearing. This is promising news for those of us who have worried about the remarkable overbreadth of the Computer Fraud and Abuse Act. As always, stay tuned. […]

The Law of Cyberwar: What FDR, Hitler, and the Blitz Can Teach Us

I’ve just finished a longish piece on cyberwar and the role of lawyers, published in Foreign Policy magazine. Here’s how it begins:

Lawyers don’t win wars. But can they lose one?

We’re likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they’ve left the military unable to fight or even plan for a war in cyberspace.

And here’s the part that inspired the title of this post:

By the 1930s, everyone saw that aerial bombing would have the capacity to reduce cities to rubble in the next war. Just a few years earlier, the hellish slaughter in the trenches of World War I had destroyed the Victorian world; now air power promised to bring the same carnage to soldiers’ homes, wives, and children.

In Britain, some leaders expressed hardheaded realism about this grim possibility. Former Prime Minister Stanley Baldwin, summing up his country’s strategic position in 1932, showed a candor no recent American leader has dared to match. “There is no power on Earth that can protect [British citizens] from being bombed,” he said. “The bomber will always get through…. The only defense is in offense, which means that you have got to kill more women and children more quickly than the enemy if you want to save yourselves.”

The Americans, however, still hoped to head off the nightmare. Their tool of choice was international law. (Some things never change.) When war broke out in Europe on Sept. 1, 1939, President Franklin D. Roosevelt sent a cable to all the combatants seeking express limits on the use of air power. Citing the potential horrors of aerial bombardment, he called on all combatants to publicly affirm that their armed forces “shall in no event, and under

[…]

Senate Judiciary Committee Passes Amendment to Prohibit Prosecutions for Terms-of-Service Violations

Kashmir Hill writes at her Forbes blog on the good news from yesterday’s Senate Judiciary Committee hearing markup of amendments to the Computer Fraud and Abuse Act: No, Faking Your Name On Facebook Will Not Be A Felony.

Legal scholar Orin Kerr wrote an alarming op-ed in the Wall Street Journal yesterday, warning people that “faking your name on Facebook could be a felony” when the law is changed. But a lot changed since yesterday morning. An amendment was added to the bill during a Senate Judiciary Committee hearing Thursday morning, so that people who violate website’s terms of service are not considered felons.

Senators Al Franken and Chuck Grassley proposed new language for the bill (thanks in part to Kerr’s urging) to exempt those guilty only of TOS violations. Franken, in urging his fellow senators to adopt the amendment, said that without it, the following people would be felons: “A father who uses his son’s Facebook password to log into his Facebook account to check his messages and photos” (ed. note: Creepy and invasive but not criminal); “a 17 year-old who claims she is 18 in order to sell her knitted scarves on Etsy,” and “a struggling business owner who secretly creates a Yelp account to give his restaurants favorable reviews” (ed. note: Again, uncool and deceptive, but not felony behavior).

The Committee then added an amendment to the bill that specifies that felony-level unauthorized access not “include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.” The bill will now move forward to be considered by the Senate.

The amendment […]