The Champion

Sept-Oct 2013, Page 44


Digital Defense: Meeting the Challenges That the Computer Fraud And Abuse Act Poses

By Timothy P. O’Toole

In this digital age, computers are everywhere, from the time people wake up in the morning until the moment they fall asleep at night. And for defense lawyers, the predominance of computers has extended not only to their day-to-day practices but even to the cases they handle, which increasingly involve allegations brought under the Computer Fraud and Abuse Act (CFAA). This law, codified at 18 U.S.C. § 1030, was originally a narrow one, focused on the computer “hacking” that targeted important long-standing federal interests, such as national security, financial records, and government property.1 But Congress has broadened the statute five times in the past 30 years, with the result being an expansive and vague law that “potentially regulates every use of every computer in the United States and even many millions of computers abroad.”2 

The ever-broadening scope of this law has given rise to the two classic problems associated with vague statutes: (1) arbitrary and discriminatory enforcement; and (2) difficulty for ordinary people to understand what conduct the statute forbids.3 This article examines the ways in which these two issues often arise in CFAA prosecutions, and how a defense lawyer can prepare to address them.

The Computer Fraud and Abuse Act

On its face, the CFAA creates a variety of separate criminal offenses. Some of these seem relatively straightforward and obviously targeted at important federal interests — one provision makes it a felony, for example, to access a computer in order to obtain national security information or to trespass on a government computer.4 Other provisions of the statute, however, make it a federal offense to access any computer “without authorization” or to “exceed authorized access” to any computer.5 And still other provisions impose increased sentences — turning misdemeanors into felonies — when the unauthorized or excessive computer access creates a “loss” greater than a certain threshold6 or is committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any state.7 As the cases discussed in this article demonstrate, these latter, open-ended provisions have fostered a culture of arbitrary and discriminatory enforcement. Interpreting them has also posed significant challenges for the courts and defense lawyers alike.

A Culture of Arbitrary Enforcement

The Supreme Court has long identified the potential for arbitrary and discriminatory enforcement as the primary harm caused by vague statutes. The Court explained long ago:

The more important aspect of the vagueness doctrine [is] … the requirement that a legislature establish minimal guidelines to govern law enforcement. Where the legislature fails to provide such minimal guidelines, a criminal statute may permit “a standardless sweep that allows policemen, prosecutors, and juries to pursue their personal predilections.”8 

The CFAA has proved, repeatedly, the wisdom of this protection. Its vague terms have created a culture of arbitrary enforcement, in which prosecutors focus their resources on headline-grabbing cases that seem to bear no meaningful relationship to the harms the statute was designed to target. Moreover, frequently these cases involve foolish conduct that, but for the use of a computer, would have been dealt with in previous eras with warnings by police officers or, at most, by state misdemeanor courts, often through informal proceedings. Prosecutors also have often used the CFAA to target business and domestic conduct that would previously have been the exclusive realm of the civil law by attempting to criminalize violations of website user policies and using the open-ended “loss” provisions to turn what would have previously been civil lawsuits into felony prosecutions with potentially staggering sentences.

Some of the specifics of these prosecutions will be discussed below, but at the outset, it is important to note that this aggressive culture of arbitrary enforcement appears to be systemic. The manual the Department of Justice prepared to guide prosecutors in their application of the statute lists the following example of conduct as “illustrative” of what the law prohibits:

Prior to the annual football game between rival schools, an intruder from one high school gains access to the computer system of a rival school and defaces the football team’s website with graffiti announcing that the intruder’s school was going to win the game. In this example, the intruder has caused damage — the integrity of the information on the website has been impaired because viewers of the site will not see the information that the site’s designers put there.9 

In other words, the DOJ manual uses a prank by high school children to guide prosecutors in what conduct is prohibited by the federal criminal law. While it is hard to imagine that this is what Congress was targeting, as will be discussed more fully below, it explains a lot about the types of CFAA prosecutions the Department of Justice chooses to pursue.

The DOJ manual also sheds some light on one other feature of these cases, in which prosecutors take advantage of the sometimes overlapping provisions to pursue the harshest punishments — without regard to whether such conduct is warranted by the particular circumstances of the case. Thus, the DOJ manual explains:

Prosecutors rarely charge Section 1030(a)(3) (trespassing in a government computer) and few cases interpret it, probably because Section 1030(a)(2) applies in many of the same cases in which Section 1030(a)(3) could be charged. In such cases, Section 1030(a)(2) may be the preferred charge because statutory sentencing enhancements may allow Section 1030(a)(2) to be charged as a felony on the first offense. A violation of Section 1030(a)(3), on the other hand, is only a misdemeanor for a first offense.10 

Once again, it is hard to imagine that Congress created overlapping misdemeanor and felony provisions in the hopes that prosecutors would consider the felony provision to be the “preferred charge” in all instances. But, as discussed below, this statement seems to accurately summarize DOJ charging decisions — with often heart-rending outcomes for the individuals caught in the crosshairs.

Targeting Youthful Indiscretions With Draconian Sentences

Perhaps the most tragic and widely known recent CFAA prosecution involved Aaron Swartz. He was a childhood prodigy and Internet pioneer who, in 2010, was serving as a fellow in the Harvard School of Ethics. In September 2010, Swartz allegedly plugged his laptop into the MIT computer network, from a closet on campus, hiding the laptop under a box and running a script to discover and download articles continuously from JSTOR (Journal Storage), a database of academic articles. His purpose in doing so appears to have been to carry forward the agenda of the Open Access movement, which protested the locking away behind a paywall of academic articles. There was no dispute that the MIT computer network was open to all and that Swartz had not “hacked” it, and there was also no dispute that once he gained access to the MIT network, any user would have full access to the JSTOR database. After the incident, Swartz made peace with JSTOR when he returned the data, and the organization publicly announced it had no wish to see him prosecuted.

Nonetheless, Swartz was prosecuted. On Jan. 6, 2011, two MIT police officers and a U.S. Secret Service agent arrested Swartz near the Harvard campus, and he was soon arraigned in state court on two charges of breaking and entering with intent to commit a felony. It has been reported that lawyers familiar with the original case expected these charges to be dismissed after a “‘continuance without a finding.’ … The charge [would be] held in abeyance … without any verdict … for a period of a few months up to maybe a couple of years.” But as Harvey Silverglate later wrote, “Tragedy intervened when [U.S. Attorney Carmen] Ortiz’s office took over the case to send ‘a message.’”11 

Federal authorities indicted Swartz in July 2011, charging him under the CFAA and wire fraud laws.12 “If convicted on these charges,” said U.S. Attorney Ortiz, “Swartz faces up to 35 years in prison, to be followed by three years of supervised release, restitution, forfeiture, and a fine of up to $1 million.”13 

As the trial approached, federal prosecutors demanded that any plea bargain include both jail time and a felony conviction. Federal prosecutors also are reported to have threatened that, if Swartz did not plead guilty and was convicted at trial, prosecutors would seek a seven-year jail sentence.14 Two days after these plea discussions, Swartz hanged himself in his apartment. Shortly before his death, JSTOR announced that it would make “more than 4.5 million articles” available to the public for free.15 

Another questionable use of the CFAA has arisen in the case of Andrew Auernheimer, a widely known Internet “troll” whose nickname is “Weev.” In June 2010, Auernheimer and a friend wrote a computer script that queried AT&T servers in a way that allowed them to find the email addresses of 110,000 iPad users. No passwords or firewalls were obtained or bypassed. After obtaining the addresses, Auernheimer and his friend provided them to the Internet magazine Gawker, which then published them in redacted form. After it learned its website was leaking email addresses, AT&T closed the hole and sent an email to its customers, notifying them about what happened. That email notice was very effective; it reached 98 percent of all affected customers. But AT&T decided to also send the same notice through the postal mail at a cost of $73,000.

Although Auernheimer’s actions helped motivate AT&T to fix the hole, he was indicted in New Jersey for violating the CFAA. Federal prosecutors in New Jersey claimed that Auernheimer and his friend accessed data — the email addresses — without authorization under the CFAA despite the fact AT&T made the information publicly available over the Internet. In November 2012, he was convicted of these charges, and in March 2013, he was sentenced to 41 months in prison — a sentence premised in large part on the unnecessary $73,000 mailing. The case is currently on appeal to the U.S. Court of Appeals for the Third Circuit, where NACDL has filed a brief in support of Auernheimer.16 

Apart from demonstrating just how far the CFAA has been used as a sledgehammer directed toward youthful indiscretions, the Swartz and Auernheimer cases each demonstrate the manner in which prosecutors can exploit ambiguities in the statute. Each case involved individuals who accessed information that was either open to the public, was not behind a firewall, was not password protected, or (in the Swartz case) that the accused had permission to access. In each case, any direct harm from the access — whether authorized or not — was minimal, and in the Swartz case, the purported “victim” did not want prosecution at all. And yet, in each case, the government was able to argue that the accused committed a colorable violation of the CFAA’s felony provisions by arguing for expansive interpretations of the CFAA’s “without authorization” or “exceeded authorized access” provisions. To make matters worse, in each case the government was able to creatively count the “loss” caused by the violation to increase the penalty, and to take advantage of the CFAA’s expansive “in furtherance of” provision to argue that a felony occurred because the “unauthorized access” was “in furtherance of” state law violations that arose from precisely the same conduct.17 Unfortunately, the breadth of the CFAA has fostered precisely the sort of abuses that the vagueness doctrine was designed to prevent.

Using the Criminal Law to Pursue Civil Wrongs

Another consequence of the CFAA has been to expand the use of the criminal law toward conduct that had previously been the province of civil law. Perhaps the best example is the recent prosecution of David Nosal, which arose out of an employer-employee dispute that would, in earlier times, have likely been the subject of a civil action. The dispute arose in 2004, when Nosal left his employer, executive search firm Korn/Ferry. Shortly afterwards, he convinced some of his former colleagues who were still working for Korn/Ferry to help him start a competing business. The employees used their log-in credentials to download source lists, names and contact information from a confidential database on the company’s computer, and then transferred that information to Nosal. The employees were authorized to access the database, but Korn/Ferry had a policy that forbade disclosing confidential information. The government indicted Nosal on 20 counts, including a number of CFAA counts charging him with violations of 18 U.S.C. § 1030(a)(4), for aiding and abetting the Korn/Ferry employees in “exceed[ing their] authorized access” with intent to defraud.18 

The district court dismissed a number of the CFAA charges, finding that an employee did not “exceed authorized access” by visiting a computer site they were authorized to visit, but then using that site in violation of corporate policies governing use of information. The government appealed.

Sitting en banc, the Ninth Circuit affirmed the dismissal. Writing for the majority, Chief Judge Kozinski’s opinion examined at length what it meant, within the meaning of the CFAA, for a user to “exceed authorized access.” As the court of appeals observed, the statutory phrase could be read in two ways. First, “it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files – what is colloquially known as ‘hacking.’” Or, the court continued, “The language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information.”

Applying the rule of lenity, the court of appeals adopted the former interpretation. In so ruling, the court explained:

Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government’s proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law. Significant notice problems arise if we allow criminal liability to turn on the vagaries of private policies that are lengthy, opaque, subject to change, and seldom read.

***

Basing criminal liability on violations of private computer-use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And Sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their Sudoku skills behind bars.19 

The court then went on to note that the consequences of the government’s broad construction were even more far reaching, as they would likely impose criminal liability on individuals who used a computer website in violation of the site’s terms of use. The use of these sites, however, is governed by user agreements that are constantly changing and “that most people are only dimly aware of and virtually no one reads or understands.” Attaching criminal consequences to the violations of these policies would mean that “behavior that wasn’t criminal yesterday can become criminal today without an act of Congress, and without any notice whatsoever.”

In rejecting the government’s proposed interpretation of the statute, the court also rejected its assurances that “whatever the scope of the CFAA, it won’t prosecute minor violations.”20 After first noting that “we shouldn’t have to live at the mercy of our local prosecutor,” the court explained:

It’s not clear we can trust the government when a tempting target comes along. Take the case of the mom who posed as a 17-year-old boy and cyber-bullied her daughter’s classmate. The Justice Department prosecuted her under 18 U.S.C. § 1030(a)(2)(C) for violating MySpace’s terms of service, which prohibited lying about identifying information, including age. See United States v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009). Lying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight. The difference between puffery and prosecution may depend on whether you happen to be someone an AUSA has reason to go after.21 

Meeting the Challenges Of a CFAA Case

What does all this mean in terms of defending a CFAA case? Perhaps the most important lesson is that, as Nosal shows, it is important to challenge the government’s expansive interpretation of this vague statute. These challenges are important to make, even if they will not always be successful. Although the trend of authority is moving in the direction of the Ninth Circuit’s opinion on the “exceeding authorized access” issue,22 Nosal cites (and expressly disagrees with) a number of federal decisions that have adopted the government’s interpretation of that provision.23 But even when they are not successful in individual cases, these challenges to the ever-expanding reach of this law will likely be heard by the Supreme Court at some point, where it will be important to have as many examples of government overreach as possible.

The statutory interpretation challenged in Nosal is far from the only vulnerable CFAA section. The provisions of 18 U.S.C. § 1030(c)(2)(B)(ii), which transform a misdemeanor into a felony if “the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any state,” create expansive liability on their face, but particularly if the crime used to elevate the offense level results from the unauthorized access itself. The rule of lenity should be urged here as a means of preventing double-counting, especially since a broad interpretation renders the misdemeanor provision superfluous. Whether such arguments succeed or not,24 it is again important to raise and extensively litigate them.

Another important pressure point in these cases is the government’s loss figures. Experienced white collar defense lawyers are used to challenging the government’s claims of loss; these amounts are critical factors under the sentencing guidelines in white collar cases. Under the CFAA, the loss amount can itself transform a misdemeanor into a felony, and thus it is particularly important to challenge the government’s loss figures using both the language of the statute and other traditional means of disputing inflated loss numbers. The trend of authority is moving in the right direction on this issue.25 

Finally, the technology itself can pose a critical challenge in these cases, many of which will present significant factual disputes about whether access to a particular computer was “authorized.” Resolving these disputes will often require lay jurors to understand sophisticated technologies, and then determine whether their use violates provisions of the CFAA. Counsel litigating these cases will need to work hard to make the technology, as well as the legal principles that apply to it, as comprehensible as possible. This often makes these cases complicated and expensive to defend because they will involve the use of consulting and testifying expert witnesses. These witnesses can teach the jurors about what was being done with the technology as well as give case-specific, plain language instructions that will help lay jurors apply that technical knowledge to determine that the law has not been violated.

Notes 

  1. See 18 U.S.C. § 1030(a)(1)-(3) (Supp. II 1985).
  2. Orin S. Kerr, Vagueness Challenges to the Computer Fraud and Abuse Act, 94 Minn. L. Rev. 1561, 1561 (2010).
  3. Kolender v. Lawson, 461 U.S. 352, 357 (1983) (“the void-for-vagueness doctrine requires that a penal statute define the criminal offense with sufficient definiteness that ordinary people can understand what conduct is prohibited and in a manner that does not encourage arbitrary and discriminatory enforcement”).
  4. 18 U.S.C. § 1030(a)(1).
  5. See, e.g., 18 U.S.C. § 1030(a)(2)(C).
  6. 18 U.S.C. § 1030(c)(2)(B)(iii).
  7. 18 U.S.C. § 1030(c)(2)(B)(ii).
  8. Kolender v. Lawson, 461 U.S. at 358 (internal citations omitted).
  9. Department of Justice, ‘Prosecuting Computer Crimes’ Manual at 39, available at http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf.
  10. Id. at 23 (emphasis added).
  11. Harvey A. Silverglate, The Swartz Suicide and the Sick Culture of the Justice Department, Mass. L. Weekly (Jan. 23, 2013).
  12. United States v. Aaron Swartz, Case No. 1:11-cr-10260 (D. Mass. 2011), Indictment, Docket Entry 2.
  13. See Press Release, U.S. Attorney for the District of Massachusetts, Alleged Hacker Charged With Stealing Over Four Million Documents From MIT Network (July 19, 2011), available at http://www.justice.gov/usao/ma/news/2011/July/SwartzAaronPR.html.
  14. David Stout, Swartz’ Lawyer Accuses AUSA of Deceiving Court and Plea-Bargain Bullying, Main Justice (Mar. 14, 2013), available at http://www.mainjustice.com/2013/03/14/swartzs-lawyer-accuses-ausa-of-deceiving-court-and-plea-bargain-bullying/.
  15. Meredith Schwartz, Many JSTOR Journal Archives Now Free to Public, Library J. (Jan. 9, 2013), available at http://lj.libraryjournal.com/2013/01/academic-libraries/many-jstor-journal-archives-now-free-to-public/.
  16. These facts were gleaned from both the NACDL amicus brief, available at http://www.nacdl.org/Advocacy.aspx?id=26220&libID=26189, and the case-related materials available at the Electronic Frontier website page relating to the United States v. Auernheimer case. https://www.eff.org/cases/us-v-auernheimer.
  17. 18 U.S.C. § 1030(c)(2)(B)(ii).
  18. United States v. Nosal, 676 F.3d 854, 856-57 (9th Cir. 2012) (en banc).
  19. Id. at 860.
  20. Id. at 862.
  21. Id.
  22. See, e.g., WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 203 (4th Cir. 2012); Shamrock Foods v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008).
  23. United States v. Nosal, 676 F.3d at 862.
  24. See United States v. Cioni, 649 F.3d 276, 282-83 (4th Cir. 2011) (Stored Communication violation arising out of same conduct cannot be used to transform CFAA charge from misdemeanor to a felony).
  25. See, e.g., Shirokov v. Dunlap, 2012 WL 1065578 (D. Mass. Mar. 27, 2012) (“loss” must be directly attributable to the defendants’ access of his computer); Patrick Patterson Custom Homes, Inc. v. Bach, 586 F. Supp. 2d 1026, 1036 (N.D. Ill. 2008) (similar).
