Recent Developments — Both in the Courts and in Congress — on the Scope of the Computer Fraud and Abuse Act

I’ve blogged a lot on the scope of the Computer Fraud and Abuse Act, and specifically on whether using a computer in violation of a computer use policy or Terms of Service is a federal crime. I’ve been banging the drum urging courts to adopt a narrow interpretation of the Act for a decade, and the question has recently reached several courts of appeals. A lot has been happening on this front recently, so I thought I would bring readers up to speed. To follow this issue, you need to watch all three branches. So let’s start with the pairing of Judiciary/Executive, and then cover the pairing of Legislature/Executive.

First, the Judiciary/Executive. Last Thursday, the Fourth Circuit deepened the apparent circuit split by joining the Ninth Circuit in adopting a narrow interpretation of the CFAA in WEC Carolina Energy Solutions v. Miller. A day later, DOJ asked for another extension of the period in which a cert petition could be filed in United States v. Nosal, the Ninth Circuit en banc case. DOJ’s request for more time may have been at least in part a response to the Fourth Circuit’s decision the day before, although I haven’t seen the filing so I don’t actually know. It’s also possible that DOJ wasn’t planning on filing for cert in Nosal but might reconsider in light of WEC. It’s hard to know.

Next, the Legislature/Executive. The Senate Judiciary Committee is in the middle of its markup of The Cybersecurity Act of 2012, S3414, which you can read here. In its current version, it has no changes to the Computer Fraud and Abuse Act. However, Chairman Leahy has proposed an amendment to the Cybersecurity Act that would make two major changes. First, Leahy’s amendment would add a bunch of things DOJ wants, such as enhancing the CFAA’s penalties, adding an asset forfeiture provision, and creating a new extra-punitive 18 U.S.C. 1030A (see Sections 1-7 of the Amendment). Second, Leahy’s Amendment would add the statutory fix to the definition of “exceeds authorized access” that essentially adopts the narrow view of the circuit split on the scope of the CFAA (see Section 8 of the Amendment). This last Amendment is the Grassley/Franken/Lee Amendment that was supported by the Judiciary Committee back in September 2011. Meanwhile, DOJ is trying to get the best of both worlds: They support Sections 1-7, but they’re trying hard to block Section 8.

How this plays out is anyone’s guess. But it does prompt interesting questions of strategy for both sides. If you think the Supreme Court would adopt the narrow view of the CFAA — a view that has the momentum in the Court of Appeals — then the statutory fix doesn’t have much value either way. But if you’re not sure of that, and you want the narrow view of the CFAA, do you take the generally undesirable penalty enhancements to the CFAA to get Section 8 — assuming that is an option? Either way, if Congress enacts the statutory fix, then the issue is no longer certworthy and you’ll never know how the Supreme Court would have ruled. Stay tuned, as always.