The Volokh Conspiracy

Obama's proposed changes to the computer hacking statute: A deep dive

As part of the State of the Union rollout, President Obama has announced several new legislative proposals involving cybersecurity. One of the proposals is a set of amendments to the controversial Computer Fraud and Abuse Act ("CFAA"), the federal computer hacking statute. This post takes a close look at the main CFAA proposal. It starts with a summary of existing law; it then considers how the Administration's proposal would change the law; and it concludes with my views on whether Congress should enact the changes.

My bottom line: My views are somewhat mixed, but on the whole I'm skeptical of the Administration's proposal. On the downside, the proposal would make some punishments too severe, and it could expand liability in some undesirable ways. On the upside, there are some notable compromises in the Administration's position. They're giving up more than they would have a few years ago, and there are some promising ideas in there. If the House or Senate Judiciary Committee decides to work with this proposal, there's room for a more promising approach if some language gets much-needed attention. On the other hand, if Congress does nothing with this proposal and just sits on it, letting the courts struggle with the current language, that wouldn't necessarily be a bad thing.

I. Current Law

First, some background. The CFAA is a computer trespass statute. The key provision, and the one I'll focus on here, is 18 U.S.C. 1030(a)(2). This section broadly prohibits unauthorized access to a computer. To understand the current CFAA, we need to understand that there are three different ways that access to a computer might or might not be considered unauthorized and therefore illegal. Here they are, together with how the current statute treats them.

Code-Based Liability: First, the access might circumvent a technological access barrier, or what I have called circumventing a code-based restriction. This is what we might think of as "breaking in" or "hacking in" to a computer, such as exploiting a security hole or guessing another person's password. The lower courts agree that such access is prohibited under the CFAA because it is an illegal act of "access without authorization." The basic violation is a misdemeanor, but it becomes a felony if done for profit, if the information obtained is worth more than $5,000, or if the act is done in furtherance of a state or federal crime or tort.

Contract-Based Liability: Second, access might breach a written prohibition such as a term of service of a website or an employment agreement regulating access to an employer's computer. In these circumstances, the user encounters language explaining what the user is allowed to do or not do on the computer, and the user may not follow those directions. I have called this the "contract-based" approach, as the idea is that the written language is binding on the user like a contract. The circuit courts are divided on whether such access is prohibited under the statute. The Ninth Circuit says that access in violation of a written restriction is still authorized, while the Eleventh Circuit says that access in violation of a written restriction is an illegal act of "exceeding authorized access." In the circuits that see access in violation of a written restriction as a crime, the penalty is the same as for circumventing a technological access barrier: The basic violation is a misdemeanor, but it becomes a felony if done for profit, if the information obtained is worth more than $5,000, or if the act is done in furtherance of a state or federal crime or tort.

Norms-Based Liability: Third, use of a computer might be deemed an illegal act of unauthorized access if it is simply beyond the pale of accepted social practices. I have called this the norms-based approach, as it is based on social norms about what uses of computers are allowed or not allowed. Courts have mostly rejected this theory of CFAA liability as too murky, although the district courts are deeply divided on whether this theory should be allowed when a disloyal employee who is looking to start a competitor business looks through his employer's computer for valuable data before doing so. A bunch of district courts have said that doesn't violate the CFAA, although it may violate other laws; and a bunch of district courts have said that is illegal unauthorized access to the employer's computer. Again, where liability has been recognized, the basic violation is a misdemeanor, but it becomes a felony if done for profit, if the information obtained is worth more than $5,000, or if the act is done in furtherance of a state or federal crime or tort.

II. The Administration's New Proposal

Ok, now on to the Administration's proposal. Again, let's look at it step-by-step, tracking the three different theories of liability.

Code-Based Liability: The Administration's proposal would raise penalties for acts of circumventing technological access barriers. Instead of the current approach, which starts with a misdemeanor and becomes a 5-year-max felony if one of the enhancements applies, the Administration proposes that liability should start as a 3-year felony and become a 10-year-max felony if one of the enhancements applies. This part of the DOJ proposal is nothing new, to be clear. The Administration has been backing this proposal for years, but it has lacked the support to make it through Congress. On the whole, I think the current approach is better. A felony is a big deal, and I'm not convinced that every act of circumventing a technological access barrier should be such a serious offense. A misdemeanor, yes, and a felony in some circumstances. But I don't think the government has made the case that every such act needs to be a felony.

Contract-Based Liability: The Administration's proposal would resolve the current circuit split by saying that breaching a written restriction on computer use is indeed a crime, but that the scope of liability for such breaches is significantly more limited than it is now in jurisdictions that recognize this theory of CFAA liability. The basic idea is to recognize the theory of liability but then to cabin it. Some of the conditions of liability make sense, or are at least plausible, although there is one that I find troublesome depending on how an ambiguous phrase is construed.

Here are the details. First, the proposal adds language to the definition of "exceeds authorized access" stating that a user exceeds authorized access when he accesses information "for a purpose that the accesser knows is not authorized by the computer owner." The language here is awkward, in part because it uses a redundant mental state, but it seems to be designed to prohibit breaching a written condition, at least in some cases. For example, if your employer has a policy that "company computers can be accessed only for work-related purposes," and you access the computer for personal reasons, then you presumably would be accessing the computer for a purpose that you know the employer has not allowed.

With that said, I don't know how this proposed language would apply to other written restrictions. Some written restrictions are phrased as conditions on purpose, but others are not. I'm not sure if the proposal would prohibit all violations of written conditions or only those phrased as or substantially resembling conditions on purpose. For example, imagine the employer has a policy that company computers can only be accessed by company employees. If a non-employee accesses the computer, the written restriction is breached, but there isn't a breach of a purpose-based condition. It's not clear if the Administration proposal is an awkwardly drafted way to have liability for breaching written-restrictions generally, or if it was intended to only impose liability for violating purpose-based written restrictions. (If the latter, why should purpose-based limitations be treated differently from other limitations, and what should the test be for distinguishing them?)

As I mentioned earlier, the government's proposal would add a limitation to criminal liability for violating written restrictions by requiring one of three conditions to be satisfied. This is the government's key compromise, I gather. The government is willing to give up the uncertain question of liability for breaching written restrictions generally in exchange for more certain liability for doing so in only some situations. But what are the situations? First, breaching a written restriction could be a crime if it's a restriction on a government computer. The idea, I gather, is that the government often keeps sensitive databases and limits employee access to official purposes; a government employee who accesses the database for personal reasons would be guilty of a crime. This is a slightly awkward approach, as it's a proxy for a crime Congress should create (but hasn't) governing access to sensitive government databases. With that said, it's not a terrible proxy, and I don't have a big problem with it.

The second condition is that breaching a written restriction is a crime if the user obtains information worth more than $5,000. I assume this would impose criminal liability for employees who access valuable employer data for reasons outside the scope of their employment when the employer has a policy against it. That's the primary context in which someone would violate a written restriction and get such valuable information. Violating a random Terms of Service on a website wouldn't be a crime, under this proposal, but violating a written restriction on the way to getting valuable information would be. What you think of this restriction largely depends on what you think the law should be governing disloyal employees: Should accessing the employer's computer to collect valuable information be left to civil law, or perhaps a trade secret crime if the info is a trade secret? Or should it be a criminal offense whenever the information is valuable? I think there are decent arguments that this should be a crime when the employee gathers valuable information. Given recent precedents limiting the interstate transportation of stolen property crime to physical property, it seems at least plausible that this should be handled under the CFAA.

The third condition is the one that I find the most worrisome. Under the proposal, breaching a written restriction is a crime if the user violated the written condition in furtherance of a state or federal felony crime, "unless such violation would be based solely on obtaining the information without authorization or in excess of authorization." On one hand, this might seem kind of harmless, or at least redundant: The proposal makes it a felony to break a promise on a computer in furtherance of a felony. One wonders what the point is: Why not just punish the underlying felony?

But the real problem is the double-counting issue. Federal and state law is filled with overlapping crimes. Congress might enact three crimes that do the same basic thing, giving prosecutors the choice of which to charge or allowing them to charge all three. State criminal codes often mirror the federal criminal code. That raises a question: If Congress makes it a crime to commit an act "in furtherance of" a different crime, does the existence of overlapping crimes mean that a person's conduct violates the first crime because it was "in furtherance of" the second? This is a particular problem because every state has unauthorized access crimes a lot like the CFAA. We saw this in the Auernheimer case, where prosecutors argued that the misdemeanor federal unauthorized access alleged in that case should be a felony because it was "in furtherance of" New Jersey's nearly identical state unauthorized access law.

The Administration's proposal deals with this double-counting problem through the exception that the condition is not met if "such violation would be based solely on obtaining the information without authorization or in excess of authorization." But how do you read that language? There are two plausible interpretations, I think. The most natural reading is that the government is allowed to double-count so long as there is an element to the state unauthorized access law other than unauthorized access. If the state unauthorized access crime has just one element beyond unauthorized access such as "obtaining information," the thinking would run, the violation is not based "solely" on obtaining the information without authorization. That will usually be the case, though, which to my mind introduces a serious double counting problem. Because of the double-counting problem, this last condition may be satisfied much more often than you might first think, and it might be satisfied simply because of statutory overlap with the state criminal code. Given that the Administration's proposals would make liability for breaching a written condition a felony where the theory is allowed—mostly serious 10-year maximum felonies—the double-counting problem gives me some heartburn.

On the other hand, a second way to read the language is less troublesome, although a bit of a stretch. Perhaps that exception covers any kind of unauthorized access offense. If there's a state unauthorized access crime that has an added element beyond unauthorized access, the argument would be, then the violation is still "based solely" on a crime that is an unauthorized access offense. I think it's textually more difficult to arrive at that reading, but it doesn't strike me as completely implausible. If that's the correct reading, then I think the exception largely addresses the double-counting problem. It still leaves this condition redundant and unnecessary, and on the whole I would just eliminate it. But at least it's less likely to be overly broad under that reading.

Norms-Based Liability: Probably my biggest concern with the Administration's proposal is what it might do with norms-based liability. Exactly how the proposal would treat norms-based liability isn't entirely clear, but I think the proposal is best read as an expansion of it. The key problem is the expanded definition of "exceeds authorized access," which would make it an unauthorized access when a user accesses information "for a purpose that the accesser knows is not authorized by the computer owner." This is at least somewhat clear in the case of a written restriction: A person might know that a purpose is not authorized because the written restriction says so. But think about how this language would apply when the prosecution is based on a norms violation. The problem is, when it comes to norms, how do you know what a computer owner has authorized? Is that just a matter of what the computer owner would say if you asked them? Something else?

Think of the Auernheimer prosecution, which involved scraping data from an AT&T website. At trial, the government based its case largely on the idea that if Auernheimer had called up AT&T and asked if AT&T wanted him to collect the data from AT&T's website, AT&T would have said "no." In DOJ's view, that made the access necessarily unauthorized. In our representation of Auernheimer, we argued that this was irrelevant. By posting information on the Web, we argued, AT&T had authorized the world to access it. AT&T could not post information to the public but make access to it criminally unauthorized based on who you were or why you were collecting it. I read the Administration's proposal as adopting the prosecution's view in Auernheimer: By scraping data when AT&T did not want him to, and when he knew AT&T did not want him to, Auernheimer would have accessed the computer "for a purpose that the accesser knows is not authorized by the computer owner."

More broadly, the expansion of "exceeding authorized access" would seem to allow lots of prosecutions under a "you knew the computer owner wouldn't like that" theory. And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual's actual conduct. Granted, it would still be limited by the three conditions imposed on liability for breaching a written restriction. So it would need to be a government computer, or an effort to gather information worth more than $5,000, or an act in furtherance of another crime (with the double-counting problem or not). Still, it strikes me as troublesome.

III. My View of the Administration's Proposals

On the whole, I'm skeptical of the government's proposal, although I think it's more reasonable than a lot of past CFAA reform proposals we've seen. I'm not a fan of the general increase in punishments. I worry about the "in furtherance of" language and the possibly significant expansion of liability under a norms-based approach due to the awkward expansion of liability for "exceeding authorized access." At the same time, I think the Administration has done some thoughtful work in cabining liability for breaches of written restrictions, subject to the uncertain meaning of the "in furtherance of" language.

One difficulty with knowing whether Congress should pick up this proposal and work with it is the continuing evolution of the CFAA in the courts. The law is a mess, yes. And there are some frightening readings of the law that courts might adopt under the current text. At the same time, the trend has been towards narrower and (to my mind) more sensible readings of the statute, and I'm relatively optimistic that the narrower readings will prevail if and when the Supreme Court turns to the CFAA. Given that trend, the status quo mess isn't necessarily a bad mess. It might be better to do nothing than to open up the CFAA quagmire and see what results. There's a lot of uncertainty involved in either path.

Anyway, that's my general take. This reaction is just based on a first pass, and it's entirely possible that I'll have a very different reaction over time as I continue to study the language. As always, stay tuned.