The Obama Administration’s legislative proposals on cybersecurity are a distinctly mixed bag. But probably the worst ideas are those put forward by the Justice Department, which last week testified about the need to update the Computer Fraud and Abuse Act, for the eleventh time since it was adopted in the 1980s.
We’ve seen this movie. Every time Congress gets exercised about cybersecurity, the Justice Department claims that the CFAA needs to be updated. But “updated” almost always turns out to be a euphemism for “made more prosecutor-friendly.”
Justice’s latest proposals fit squarely into this mold. Justice wants to create a new crime, hacking a critical infrastructure computer, with a mandatory minimum sentence of three years. It wants to impose the same penalties on conspiracies and attempts as on successfully completed crimes. It would get rid of first-time offender provisions in sentencing, increase sentences in general, allow civil forfeiture of hackers’ real estate, and make violation of the CFAA a RICO predicate, which would allow heightened penalties and private civil suits against violators.
Well, you might ask, why not get tough with hackers? Surely we shouldn’t be playing pattycake with Anonymous and Lulzsec, let alone the foreign hackers endangering our national security. That’s true, but the problem we have with those hackers is not the weakness of our criminal penalties but the fact that, most of the time, we can’t find them. Until we do a better job of breaking the anonymity that protects them, increasing penalties for criminals we don’t catch will not make much difference.
Take a look at the website where Justice maintains a representative list of its most significant prosecutions. What’s striking is how few prosecutions it has to brag about – fewer than 50 – and how few of those (maybe half) represent cases in which we actually caught the kind of remote hackers we’re most threatened by. I’m willing to bet that there is no other federal criminal law that has been amended so often in prosecutors’ favor with so few successful prosecutions to show for it.
The latest amendments are more of the same: Shooting in the dark with a bigger gun. As protections against cyberattack, these amendments are useless. They are added to the administration’s package mainly to give it the appearance of heft.
Actually, they’re worse than that. The RICO provision is far more dangerous than it first appears. To explain, I’ll need to repeat some of what Orin Kerr has been saying for years, so if you’re already familiar with that, you can skip the next ten paragraphs.
As I’ve said, the remarkable growth in cyberattacks over the last quarter century has enabled Justice to turn the CFAA into what may be the most prosecutor-friendly criminal statute on the books. What does “prosecutor-friendly” mean in practice? That any competent prosecutor can find a way to indict and convict anyone who does anything Really Bad with a computer.
With the CFAA, that’s mission accomplished: The law imposes harsh criminal penalties on anyone who accesses a protected computer “without” or “in excess of” authorization. The definition of a “protected computer” has been expanded until it covers any computer used in interstate or foreign communication, which in the Internet age is, well, every computer. As a practical matter, then, you can be indicted any time you do something on a computer that isn’t authorized. That term isn’t defined, but you can bet that if you do something Really Bad with a computer, it will turn out to be unauthorized.
Take Lori Drew, an overprotective, nasty mother who created a fake teenage-boy identity on MySpace in an effort to humiliate her daughter’s teenaged frenemy. The scheme worked so well that the teen killed herself. There’s no doubt that Lori Drew’s behavior was Really Bad, and it involved computers, so federal prosecutors decided it must violate the CFAA. And, mirabile dictu, it did. By using a fake identity, Drew had violated MySpace’s terms of service, which meant that she had accessed a MySpace computer “in excess of” authorization. Drew was convicted, although in the end, with Orin Kerr’s help, the guilty verdict was overturned.
If, for example, an employee photocopies an employer’s document to give to a friend without that employer’s permission, there is no federal crime (though there may be, for example, a contractual violation). However, if an employee emails that document, there may be a CFAA violation. If a person assumes a fictitious identity at a party, there is no federal crime. Yet if they assume that same identity on a social network that prohibits pseudonyms, there may again be a CFAA violation.
I don’t want to be too hard on the drafters of the CFAA; they faced a tough drafting problem. Hackers cause terrible harm, but the things they do aren’t all that different from the things legitimate users do. Legitimate users open files, modify code, install programs, and send data to remote sites. So do hackers. We know the difference between the two, but it’s not easy to express that difference without falling back on the notion that the good guys are authorized to do those things and the bad guys aren’t.
I think this means that any statute that criminalizes hacking is likely to be either too broad or not broad enough. Congress chose broad language to make sure that hackers couldn’t get off on a technicality, but in the process it gave Justice enormous prosecutorial discretion. Justice Department official James Baker gave a persuasive defense of the “authorization” test in last week’s testimony. But the Department’s misuse of its broad discretion in the Lori Drew case suggests a need for greater accountability and discipline within the Department. Requiring that the head of the Criminal Division sign off on all such cases — and take the blame if they turn out badly — may be a more workable solution than taking away the prosecutors’ discretion by changing the law.
Remarkably, though, that isn’t even the worst problem created by the CFAA. The law also creates a private cause of action, handing a big legal weapon to everyone from the RIAA to the Church of Scientology. And private parties aren’t exactly showing a lot of restraint. According to the Center for Democracy and Technology, at least one company has brought a CFAA counterclaim in a pregnancy discrimination case, seeking damages under the Act because its employee acted in excess of authorization on the corporate network. What did she do? She violated a corporate proscription on “excessive Internet use.” Equally abusive is a case that Orin Kerr has pointed out – Sony’s threat to sue PS3 hackers because they used their own computers in violation of Sony’s licensing restrictions.
Maybe back in the 1980s, Congress thought that creating a civil action would unleash the plaintiff’s bar on real hackers. If so, Congress was deluded.
Civil CFAA lawsuits have proliferated but by and large they aren’t being filed against people who hack into systems. Instead, they’re being brought by corporations against employees thought to have downloaded too much information from the corporate network before quitting. They’re being brought by websites to keep competitors from using “scraper” software to collect their pricing data. Maybe those are bad things. If so, they’re probably already torts under state law, and it’s hard to see why the cases should be in federal court. And if they aren’t torts under state law, well, it’s even harder to see why they should be in federal court. It’s the law of unintended consequences run amok.
OK, that’s the Gospel According to Orin Kerr. Now back to the latest proposal from Justice.
Justice wants to make the CFAA one of the federal crimes that qualify as “racketeering activity” under the Racketeer Influenced and Corrupt Organizations Act, or RICO. This would add RICO prosecutions to the long list of get-tough measures that Justice rarely uses against actual hackers because, well, because it can’t catch most actual hackers.
But that doesn’t mean the amendment would have no effect. Because, like the CFAA, RICO creates a private cause of action against RICO violators. Actually it’s not just a private cause of action. It’s a bonanza. Plaintiffs can recover treble damages plus attorney’s fees by bringing suit against “racketeers.” And what do you know, just like CFAA civil suits, it turns out that most RICO civil suits have been brought against ordinary businessmen, “rather than against the archetypal, intimidating mobster,” according to the Supreme Court.
The Supreme Court and Congress have struggled for decades to curb abuses of civil RICO. Now, almost casually, the Justice Department proposes to open another can of RICO liability for unintended defendants.
How would that happen? First, treble damages under civil RICO can be claimed by any person “injured in his business or property by reason of” a RICO violation. 18 U.S.C. § 1964(c). A violation of RICO occurs, inter alia, when a “person employed by or associated with any enterprise engaged in” interstate or foreign commerce participates, “directly or indirectly, in the conduct of such enterprise’s affairs through a pattern of racketeering activity.” (Sorry for the dense language; it may help to parse the language by thinking of a mobster who acquires partial ownership of a legitimate “enterprise” through threats of violence. He would be squarely covered by the provision, as long as he committed a pattern of racketeering activity – that is, more than one predicate crime. But the words will sweep in far more conduct than classic mobster tactics, especially if Justice gets its way and violating the CFAA becomes a predicate offense.)
Pulling these elements together, let’s look at what the Justice Department’s proposal would mean for some of the unnecessary federal litigation now being brought under the CFAA. We can start with the employer lawsuits against departing employees. Employers who want to turn their CFAA claims into much more potent RICO claims would have to show that the departing employee committed two CFAA violations, which should be easy, since every unauthorized download is a new offense. And, they’d have to show that they were injured in their business by reason of the racketeering; this they can do by showing the same damages that supported the CFAA case. In short, on a quick look, the Justice Department seems to have created a massive incentive for companies to sue departing employees, and perhaps the companies they join, as racketeers. Anyone who has a plausible CFAA case today will have a plausible RICO case once Justice gets its amendment.
Okay, another one: How about CDT’s favorite case – the pregnant worker accused of a CFAA violation because of excessive Internet use? Well, she probably violated the rule on Internet use more than once, which makes for a pattern of racketeering, and she’s employed by an enterprise, in whose affairs she participated by misusing its computers. The enterprise has been injured, too, by virtue of not getting her full attention at work. What do you know? She sounds like a racketeer too! It would be malpractice not to hit her with a counterclaim for treble damages and attorneys’ fees.
(At this point, you may be wondering why the Obama administration, of all administrations, wants to give employers even heavier litigation weapons to use against their employees. Beats me. Maybe it has something to do with trial lawyers. Maybe it’s just prosecutorial myopia. James Baker’s testimony doesn’t even acknowledge the issue.)
OK, let’s try a harder problem. You’re a copyright holder — Jon Stewart, say — and you’d like faster takedowns and more respect from YouTube. Posting copyrighted material on YouTube is a violation of law and can lead to termination of your YouTube account. The Lori Drew case tells us that the people who post clips in violation of that policy are using YouTube’s computers “in excess of authorization.” That’s a CFAA violation. Do it twice and it becomes a pattern of racketeering, at least if Justice gets its way. Now, the people doing the posting aren’t employees of YouTube, but they are “associated with” the YouTube enterprise, and they are participating indirectly in the conduct of YouTube’s affairs by virtue of their shocking CFAA violations. What’s more, the Daily Show can claim injury in its business because it has lost viewers and ad revenue. Presto! Another racketeer takes the fall. Maybe they’ll name YouTube’s parent, Google, as a co-conspirator just to keep it on its toes.
I’m not a RICO lawyer, thank God, so maybe I’m oversimplifying what it takes to make out a civil RICO suit. But, what the hell, the lawyers representing departing or pregnant employees aren’t RICO lawyers either. If the claim against them is plausible on its face, they will face overwhelming pressure to settle, quite possibly by abandoning good claims, especially if their next employer is dragged in as a co-conspirator. Ditto for the YouTube uploaders.
And in exchange for all this uncertainty and injustice, what benefit can we expect in fighting actual criminals? About as much as we’ve gotten from the CFAA’s private right of action, which is nothing, and from RICO’s private right of action, which is less than nothing.
This is Hamburger Helper with a dose of cyanide.
UPDATE: Clarified with a reference to Google’s ownership of YouTube.