
Blog: The Overbroad Computer Fraud and Abuse Act: Its Implications and Why Its Scope Should be Narrowed

by Barry Gabay, Associate Staff

If you are at work and you are reading this, you may be subject to federal criminal sanctions.

The Computer Fraud and Abuse Act, the federal government’s key anti-hacking law, was originally enacted in 1986 to deter hackers from wrongfully obtaining confidential governmental and financial information, or infecting “federal interest” computers with harmful viruses.  In passing the act, Congress sought to regulate only those computer crimes that were interstate in nature, particularly those involving large financial institutions and governmental organizations.[1]  However, the statute was amended several times to ultimately broaden the CFAA’s reach.  In the mid-90s, for example, Congress placed criminal misdemeanor liability upon individuals who acted merely “recklessly” in their computer use,[2] and later placed liability upon individuals who obtained and read “any information of any kind so long as the conduct involved an interstate or foreign communication.”[3]  But Congress went even further in 2008 when it most recently amended the CFAA.  For starters, Congress eliminated the $5,000 misappropriation threshold for CFAA liability.  But further, while previously a defendant must have stolen information through interstate commerce or foreign communication to be prosecuted under the CFAA, the statute was amended to now encompass all information obtained “from any protected computer.”[4]

Today, liability under the CFAA can be proven by showing that a defendant (1) intentionally accessed a computer (2) without authorization or exceeding authorized access, and thereby (3) obtained information from a protected computer.[5]  The pertinent definition of “protected computer” is any computer “which is used in or affecting interstate or foreign commerce or communication.”[6]  Courts have found that the Internet is “an instrumentality and channel of interstate commerce,” thus within the realm of Congressional regulation, and for purposes of CFAA violations, the defining characteristic of a “protected computer.”[7]  To put it in perspective, this criminal statute was broadened from pertaining only to computers with direct “federal interest” to now any computer connected to the Internet.

Nevertheless, the main litigable issue has proven to be determining when an individual is “authorized” to use a computer.  Under the CFAA the phrase “exceeds authorized access” is “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.”[8]  Whereas an employee who uses a computer “without authorization” has “no rights, limited or otherwise, to access the computer in question,” an employee who “exceeds authorized access” had initial authorization to use the computer “for certain purposes but goes beyond those limitations.”[9]  However, the phrase, “without authorization” is not defined in the CFAA, and a circuit split has thus developed over the interpretation of the phrase.  

The majority broad view, adopted by the First, Fifth, Seventh and Eleventh Circuits, holds that an employee’s computer authorization is terminated the moment that an employee acts contrary to his employer’s interest.[10]  These circuits hold that any time an employee uses a company computer in a way not in direct benefit to his employer the Department of Justice has jurisdiction to prosecute.  As Justice Floyd noted in the summer of 2012, “[s]uch a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems.”[11]

However, in the two most recent federal appellate cases on the issue, the Fourth and Ninth Circuits both adopted a narrow interpretation of the statute.  Those circuits held that an employee is “authorized” to use a company computer when the employer gives that employee permission to use it.  An employee’s subsequent misuse of an employer’s computer would not be subject to federal sanctions, as that employee was “authorized” to use that computer under the CFAA. [12]

While a broad interpretation of the CFAA may deter some individuals from using computers in ways not intended by their employers, that deterrence derives from ludicrous sentencing for comparatively innocuous criminal actions.  Aaron Swartz, the well-documented Internet activist who allegedly downloaded millions of articles from MIT’s online library, faced a maximum sentence of 35 years incarceration before the 26-year-old took his own life.[13]  In comparison, the maximum federal sentence for a first-time felon guilty of attempted murder who left the victim with life-threatening bodily injury is 24 years.  A first-time child pornographer who distributes images of a child under the age of 12 engaged in explicit sexual acts would receive a maximum federal sentence of 30 years imprisonment.  If an employee merely getting fired by her employer is not enough deterrence for misusing a company computer, then state criminal statutes and tort and contract law surely provide adequate deterrence.  Thus, in practice, the broad interpretation of the CFAA merely serves to make ordinary working individuals, who, while perhaps distracted during the workday, possess no real criminal intent whatsoever, into federal criminals.

In the wake of Aaron Swartz’s suicide, the Justice Department and members of Congress have recently expressed their willingness to narrow the scope of the Computer Fraud and Abuse Act.[14]  The bipartisan Aaron’s Law was introduced in the House of Representatives to limit the scope of the CFAA.  That limitation is long overdue.  It is a well-established canon of statutory construction that courts must construe criminal statutes narrowly, so as to avoid over-criminalization.  But courts, obviously unable to define a crime, are relegated merely to the text, and hinge liability on the terms “without authorization” and “exceeding authorized access.”  With the firmly entrenched circuit split now in place, the Supreme Court may in the not too distant future weigh in on the issue if Congress does not first amend this overbroad statute.




[1] See Sarah A. Constant, The Computer Fraud and Abuse Act: A Prosecutor’s Dream and a Hacker’s Worst Nightmare—The Case Against Aaron Swartz and the Need to Reform the CFAA, 16 Tul. J. Tech. & Intell. Prop. 231, 233 (2013).  

[2] Computer Abuse Amendments Act, Pub. L. No. 103-322, tit. XXIX, 108 Stat. 2097 (1994).

[3] Economic Espionage Act, Pub. L. No. 104-294, tit. II, 110 Stat. 3488, 3491 (1996). 

[4] 18 U.S.C. §1030(a)(2)(C) (2008).

[5] Id.

[6] 18 U.S.C. § 1030(e)(2)(B). 

[7] United States v. Trotter, 478 F.3d 918, 920-21 (8th Cir. 2007) (internal citations omitted). 

[8] 18 U.S.C. § 1030(e)(6). 

[9] LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 33 (9th Cir. 2009). 

[10] See E.F. Cultural Travel BV v. Explorica, 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).

[11] WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012).

[12] Brekka, supra note 10, at 1133.

[13] See generally David Amsden, The Brilliant Life and Tragic Death of Aaron Swartz, Rolling Stone (2013), available at http://www.rollingstone.com/culture/news/the-brilliant-life-and-tragic-death-of-aaron-swartz-20130215.

[14] Brian Fung, The Justice Department Used This Law to Pursue Aaron Swartz. Now It’s Open to Reforming It. Wash. Post. (Feb. 7, 2014 at 4:03 PM), http://www.washingtonpost.com/blogs/the-switch/wp/2014/02/07/the-justice-department-used-this-law-to-pursue-aaron-swartz-now-its-open-to-reforming-it/.
