My Assessment of Senator Leahy’s Proposed Amendment to the CFAA

Senator Leahy recently proposed an amendment to the Computer Fraud and Abuse Act to try to address the overbreadth concerns that myself and others have raised about the current statute, and particularly DOJ’s controversial view that the statute presently allows the government to prosecute computer users for TOS violations. I wanted to blog my thoughts on Leahy’s proposed amendment. My basic take is that Leahy’s proposal is such a modest step that it doesn’t solve the problem it aims to solve. Its language appears to still allow DOJ to prosecute TOS violations, including the theory of the Lori Drew case that the statutory fixes are all designed to stop. For those reasons, explained in detail below, I can’t support the Leady Amendment. Instead I continue to support the Grassley/Franken amendment.


I. Introducton and the Leahy Amendment

First, some context, for those who are new to this debate or unfamiliar with the Leahy proposal. At its broadest, the CFAA prohibits exceeding authorized access to a computer and obtaining information. See 18 U.S.C. 1030(a)(2). This is overbroad for two related reasons: First, “exceeding authorized access” might mean anything, including violating TOS; and second, the statute applies to obtaining any kind of information, not just sensitive information, so it would include any kind of TOS violations, no matter how arbitrary or silly. As I explain in my House testimony, there are two basic ways to fix the overbreadth problems. First, you could limit the definition of “exceeds authorized access,” so it excludes TOS violations; and second, you could limit the kinds of information that could be obtained so that it only applies to violations involving particularly sensitive information.

The Grassley/Franken amendment agreed to by the Senate Judiciary Committee a few weeks ago was based on the first strategy; it amends the definition of “exceeds authorized access” to exclude TOS violations. Senator Leahy’s proposal is based on the second strategy, limiting the kind of information obtained. I have heard that Leahy’s proposal was based loosely on my blog post here in September, in which I suggested that you could amend the information obtained under the “exceeds authorized access” prong to the following categories of information:

(a) Information with a value of more than $5,000;
(b) sensitive or private information involving an identifiable individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, or photographs of a sensitive or private nature;
(c) information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954.

That brings us to Senator Leahy’s proposal. Leahy’s proposal would rewrite 1030(a)(2) so that it punishes whoever:

Intentionally accesses a computer —

(A) without authorization, and thereby obtains—
(i) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as
such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(ii) information from any department or agency of the United States; or
(iii) information from any protected computer;

or

(B) in excess of authorization, thereby obtains— (i) information defined in subparagraph (A) (i) through (iii); and (ii) the offense involves
(I) information that exceeds $5,000 in value;
(II) sensitive or private information involving an identifiable individual or entity (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, government-issued identification numbers, unique biometric data, financial records, photographs of a sensitive or private nature, trade secrets, commercial business information, or other similar information;
(III) information that has been properly classified by the United States Government pursuant to an Executive Order or statute, or determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national security, national defense, or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic
Energy Act of 1954; or
(IV) information obtained from a computer used by, or on behalf of a government entity.

The basic strategy here is as follows. First, the proposals leaves the current 1030(a)(2) in place for violations involving “access without authorization,” so that any information is covered when access was without authorization. (As an aside, note that the statute is written in a redundant fashion for mostly historical reasons; because any information in categories i and ii are already part of iii, it’s iii — “information from a protected computer” that really matters. I have no idea why they don’t modernize the language and just eliminate all the gibberish about financial records and the Fair Credit Reporting Act, but at least the extra gibberish is harmless in practice.)

Second, the proposal rewrites 1030(a)(2) for violations involving “exceeding authorized access,” but it only makes only one change: The offense has to somehow “involve” one of the listed categories of information. The listed categories of information start with the ones I proposed in my blog post, but then add the following:

1) government-issued identification numbers,
2) unique biometric data,
3) financial records,
4) trade secrets,
5) commercial business information,
6) other similar information;
7) information obtained from a computer used by, or on behalf of a government entity.

II. My Two Objections to the Leahy Amendment

I think there are two major problems with Senator Leahy’s amendment: first, the overbreadth of the information that qualifies; and second, the use of “involves” information rather than “obtains” information.

(a) The Overbreadth of the Categories of Information. The first major problem with the Leahy amendment is that the categories of information listed are incredibly broad. Unfortunately, the language is so broad that it wouldn’t substantially limit DOJ’s ability to prosecute exactly the kinds of Terms of Service cases that every one is worried about. That means that the Leahy amendment has the form of a “fix,” but in practice would simply endorse TOS prosecutions in a remarkably wide range of cases.

This is particularly clear in the case of TOS set up by businesses. DOJ could still prosecute TOS violations involving most businesses because violating a TOS with a business will almost always involve some kind of business information. Consider a fact-pattern from an actual CFAA civil case. Say I run a business and I have information about products on my website; I then set up a Term of Use saying that no competitors are allowed to visit my website. As I read the Leahy proposal, it is still a CFAA violation if the competitor violates the Term of Use. After all, the competitor violated the Term of Use and then obtained “commercial business information,” that is, information about the company’s products.

For that matter, I think Leahy’s amendment would endorse DOJ’s prosecution of Lori Drew. Drew helped set up a fake myspace account to try to contact her daughter’s friend with the goal of finding out what the friend was saying about her daughter; Drew helped violate the Terms of Service which said all profile information has to be accurate. As I read Leahy’s amendment, it would support the DOJ’s prosecution in that case: Drew violated the TOS in the course of obtaining personal information about her daughter held by the daughter’s friend. (To be clear, this is partly a problem with my own proposal for how to fix 1030(a)(2); now that I think about it, my own proposed language was too broad.)

Some of the other categories of information are particularly strange. Take the “trade secrets” provision. Not long ago, Congress worked hard to pass an entirely different statute on the theft of trade secrets, 18 U.S.C. 1832. Congress crafted that statute carefully, requiring intent to convert the trade secret. Including trade secrets in 1030(a)(2) just because they are trade secrets would reduce Section 1832 to a nullity, effectively allowing DOJ to prosecute theft of trade secrets without ever having to prove intent to convert the trade secret — the very element Congress went out of its way to require in passing Section 1832. If Congress wants to expand Section 1832, it should do it directly, but it seems strange to use the CFAA as a quiet way to dramatically expand the theft of trade secrets statute.

The category of “other similar information” is even more puzzling. Similar how? To what? In what way? It’s hard to know what that is supposed to mean.

And further, why does the amendment treat information from government computers as somehow special? If the law is going to carve out categories of particularly sensitive information, it’s not clear to me why information stored on a government computer (which would include public websites like whitehouse.gov) is inherently private or sensitive.

For all these reasons, I think the categories if information listed in the Leahy amendment are far too broad. They wouldn’t really limit DOJ’s power to prosecute Terms of Service violations.

(b) What Does it Mean to “Involve” Information? The second major problem with the Leahy amendment is that it still extends to obtaining any information, and merely requires that the offense somehow “involve” one of the new categories of listed information. That strikes me as at best tremendously vague and at worst terribly overbroad. What does it mean for an offense to merely “involve” a type of information, when that information is not the information actually obtained by the offense? How far removed from the actual information obtained can the information be while still being “involved” in the offense? I don’t know, but it seems to me that DOJ could plausibly interpret that language so broadly that it reduces the amendment to a nullity.

To see why, imagine a guy sets up a Match.com profile and fills it with information about himself. When asked to enter in his age, he says he is 32 years old when he is really 33. After setting up the profile, he stops. In such a case, he didn’t use the service to obtain any sensitive information of anyone else. But presumably his conduct “involved” private information belonging to an identifiable individual — namely, himself. More broadly, it’s hard to know when an offense “involves” information that is one of the sensitive categories of information; I don’t think I know what that means. And when you pair it with some of the other ambiguous language in the statute, the ambiguity is magnified: A statute that says it is a crime to exceed authorized access to a computer when the conduct “involves . . . similar information” is a statute with considerable vagueness problems in need of a clean-up.

III. Conclusion

To be clear, I think the Leahy proposal starts with a fair approach: The basic concept of limiting the CFAA by limiting the information obtained in 1030(a)(2) is sensible. But the categories of information in this particular proposal are too broad, and the limitation that the offense must merely “involve” such a category is too vague, for me to support it. I think the Grassley/Franken approach is much better, and I hope the Senate sticks with that approach rather than adopting the Leahy approach.