My co-blogger Stewart Baker recently argued that it is legal to hack into the computer of someone who has hacked into your computer. Stewart says his analysis is “surely” right. I think it’s obviously wrong. Here’s why.
The Computer Fraud and Abuse Act is a computer trespass statute. It prohibits accessing another person’s computer “without authorization” just like trespass laws prohibit walking onto someone else’s land without their consent. As with a traditional trespass statute, it is the owner/operator of the property that controls authorization. The basic idea is to give computer owners the ability to enforce rights on their own machines. There is lots of disagreement about how computer owner/operators can create rights on their machines that the law will enforce — I’ve blogged a lot about the role of Terms of Service in doing so — but everyone agrees that hacking into someone else’s machine is the quintessential example of the kind of conduct prohibited by the statute.
Stewart offers a novel way to get around this and read the statute as allowing hacking back. He posits that rights to control authorization go with ownership of data stored on a particular machine. More specifically, Stewart argues that the CFAA is so vague as to whether it protects computers or data that the rule of lenity requires courts to adopt the view that any person pursuing their stolen data is authorized in their conduct. In his view, you can’t really rule out that the theft victim controls authorization — and if you can’t really rule it out, you must rule it in. Thus anything victims do must be authorized because they themselves have authorized it.
I think this view of the CFAA is clearly wrong. Contrary to Stewart’s claim, there is no genuine ambiguity over whether the statute protects the rights of computer owners or data owners. The statutory language expressly prohibits “intentionally access[ing] a computer without authorization” (emphasis added). It protects access to computers, not access to stolen data. The rule here is the same rule that is used in real property law: The owner/operator of the property controls who has access to it. The fact that your neighbor borrowed your baseball glove and you want it back doesn’t give you a right to break into everything your neighbor owns on the theory that you can authorize yourself to go anywhere to get your glove back. The same goes for computers.
Stewart also justifies his statutory interpretation on the ground that it creates results he likes. The victim can hack back, which Stewart thinks is a good idea. But even assuming his I-like-it-and-therefore-it-is-the-law argument were valid, I think the results it would produce would be terrible. For every one hypothetical you can devise in which such hacking back might seem like a good thing, you can come up with hundreds of examples in which it wouldn’t be. For example, wouldn’t Stewart’s theory allow copyright holders to hack into the computers of anyone suspected of having any infringing materials on their computers? That would be bad. More broadly, Stewart’s theory appears to have few limits. His test seems to boil down to good faith: As long as someone believes that they were a victim of a computer intrusion and has a good-faith belief that they can help figure out who did this or minimize the loss of the intrusion by hacking back, the hacking back is authorized. Given the well-known difficulty of locating the source of intrusions, that’s not a power that we want to give to every person in the U.S. who happens to own or control a computer.
UPDATE: Another problem with Stewart’s theory is that it would have the bizarre effect of allowing hacking victims to declare that the people who hacked into their machines can’t access their own computers. That is, if A hacks into B’s machine, B just has to announce that A now can’t use A’s own machine. If A uses his own computer, that is “without authorization” from B and therefore a crime. It’s a bizarre result, and even more bizarre given that Stewart uses the rule of lenity to justify it.