Comments on DOJ’s Defense of The Broad View of “Exceeds Authorized Access” in the Computer Fraud and Abuse Act — And A Proposed Statutory Fix

In his post below, Stewart Baker writes that DOJ official James Baker “gave a persuasive defense” of the broad view of that the Computer Fraud and Abuse Act should apply to Terms of Service violations and employee restrictions on computers. In this post, I want to explain why I don’t find DOJ’s defense of existing law persuasive. I will then propose a statutory fix to reconcile DOJ’s concerns with the concerns of the CFAA’s critics — critics including myself.

Let’s start with James Baker’s written testimony, which I’ll refer to as “DOJ’s testimony” just to avoid confusing the Bakers. According to DOJ, applying the CFAA to Terms of Service violations and employee access restrictions is justified on the following grounds:

All types of employees in both the private and public sector – from credit card customer service representatives, to government employees processing tax returns, passports, and criminal records, to intelligence analysts handling sensitive material – require access to databases containing large amounts of highly personal and otherwise sensitive data. In most cases, employers communicate clear and reasonable restrictions on the purposes for which that data may be accessed. The Department has prosecuted numerous cases involving insiders in both the public and private sectors who have violated defined rules to access and obtain sensitive information. In many prosecutions involving insiders, the “terms of service” and similar rules in employment contexts define whether the individual charged was entitled to obtain or alter the information at issue. This is almost identical to prosecutions under other statutes, in which internal procedures, agreements, and communications must be examined by a fact-finder to determine, for example, whether a particular payment was authorized, or embezzlement or fraud.

Employers should be able to set and communicate access restrictions to employees and contractors with the confidence that the law will protect them when their employees or contractors exceed these restrictions to access data for a wrongful purpose. Limiting the use of such terms to define the scope of authorization would, in some instances, prevent prosecution of exactly the kind of serious insider cases the Department handles on a regular basis: situations where a government employee is given access to sensitive information stored by the State Department, Internal Revenue Service, or crime database systems subject to express access restrictions, and then violates those access restrictions to access the database for a prohibited purpose. Similarly, businesses should have confidence that they can allow customers to access certain information on the business’s servers, such as information about their own orders and customer information, but that customers who intentionally exceed those limitations and obtain access to the business’s proprietary information and the information of other customers can be prosecuted.

On one hand, DOJ is right that some specific circumstances justify punishment for a person who has violated a written restriction on access to a computer. If a written restriction protects extremely private or valuable information, then violating that written restriction inflicts a real privacy harm. The harm exists because the information is particularly sensitive, and the restrictions on the information are therefore important. Unsurprisingly, those are the cases DOJ likes to use as examples: The government employee who uses the sensitive database of private information for personal reasons, or the insider who accesses very valuable proprietary information. When a person violates these important restrictions on very sensitive data, a genuine privacy harm has occurred.

But here’s the problem. The Computer Fraud and Abuse Act does not only protect particularly sensitive or valuable information. Instead, the statute protects access to any information, no matter of what source or kind, protected by any restriction, no matter of how silly or serious, stored inside any computer, no matter of what nature or importance, located anywhere in the galaxy that the Commerce Clause can reach. It has no special rules for employers, or for customers, or for sensitive information, or for important access restrictions. It applies to everything. Any kind of information. Every computer and every access restriction, whether connected to a network or not. Perhaps .00000001% of the restrictions that the law covers are the kinds of cases that DOJ claims as cases it might prosecute. And that’s why it’s so easy to create completely absurd hyptheticals of silly ways that innoucous conduct is criminalized — and under the new proposal, made a felony — under DOJ’s view of the statute. Just have a silly computer owner set up a computer with no sensitive information on it, have him give everyone access, and then imagine an arbitrary restriction on that access that has nothing to do with privacy, money, or any real interest at all. Voila! It’s just as much of a CFAA violation as any of the examples DOJ uses.

I promised a way to reconcile DOJ’s concerns with the concerns of critics of the CFAA. So here it is: Congress should limit when the CFAA prohibits “exceed[ing] authorized access” to cases in which the information obtained is particularly sensitive or valuable. The law should continue to broadly prohibit actual hacking — that is, access “without authorization.” But if the prohibition on “exceed[ing] authorized access” is to be read to apply to Terms of Service violations and employee restrictions, Congress should specify what kinds of sensitive information federal law protects. For example, a list might look something like this:

(a) Information with a value of more than $5,000
(b) sensitive or private information involving an identifiable individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, or photographs of a sensitive or private nature;
(c) information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954.

Under this proposal, DOJ would get everything it says it wants. DOJ would still be able to prosecute the government employees who access sensitive databases, whether they are sensitive because they store personal information (b) or national security information (c). DOJ would also still be able to prosecute instances in which folks access very valuable proprietary information via (a). But critics would also get what they want. The limitations on the scope of information covered by the “exceeds authorized access” prong would ensure that the law only applied to important access restrictions that protect real privacy interests. The combination of this and the required mental state of “intentionally” would ensure that people who violated silly or arbitrary access restrictions that protected no genuine privacy interests were not covered by the law. That substantial narrowing would also cure the serious void-for-vagueness problems with DOJ’s preferred reading of the statute.