How DOJ Can Use the CFAA to Try to Federalize State Crimes

I’ve blogged a lot about 18 U.S.C. 1030, the Computer Fraud and Abuse Act (CFAA), and how broad readings of the statute potentially criminalize a tremendous amount of entirely innocuous activity. The broad readings of the CFAA also have another important effect: They allow DOJ to try to turn any state crime that happens to involve computers into a federal crime. In that sense, the CFAA is being used as a catch-all to try to punish computer misconduct that otherwise would not be thought to be a federal offense. An interesting example is United States v. Nestor, a prosecution that is pending in the U.S. District Court for the District of Nevada.

Andrew Nestor learned of a programming flaw in certain video poker machines used in Las Vegas. By using a certain feature and playing a particular combination, a person could trick the poker machine into paying out winnings at a higher rate than it should have. Nestor played the combination, and he was able to receive winnings that he was not entitled to have. At this stage, it sounds like a state law offense of theft or fraud. Nestor stole the money from the machine by fraud.

But was a federal crime committed, as opposed to a state crime? Federal prosecutors love to charge fraud cases under the wire fraud statute, 18 U.S.C. 1343, but that wouldn’t work here. Liability under the wire fraud statute requires a crossing of state lines, while here all the action occurred in a single room. So instead the government charged Nestor with a CFAA violation, and specifically 18 U.S.C. 1030(a)(4), which punishes:

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]

Note that there is no longer a requirement of crossing state lines, as there is in the case of the wire fraud statute. Instead, the only federal hook is that the computer be a “protected computer.” But that’s really no federal hook at all: Protected computers are defined as any computers that can be regulated under the Commerce Clause power, which paired with Gonzales v. Raich seems to be any computers, period. So voila, there is federal jurisdiction over the state law crime because a computer is involved.

Of course, whether the government can use 1030(a)(4) to federalize state law fraud schemes involving computers depends on the legal interpretation of “accesses . . . without authorization, or exceeds authorized access,” which is the main issue involved in cases like United States v. Nosal, currently pending before the en banc Ninth Circuit. In the Nestor case, I assume DOJ’s view is that it is implicitly unauthorized to exploit a programming error in a computer in order to commit a fraud. I think this reading essentially reads “without authorization, or exceeds authorized access” out of the statute, and instead treats 1030(a)(4) as punishing fraud committed using any computer, period. But we’ll see what the district court does with the motion to dismiss in Nestor, which may in turn depend on what the en banc Ninth Circuit does in Nosal.