The Legality of Counterhacking: Baker Replies to Kerr

Orin Kerr and I agree that “authorization” is the central, and undefined, key to criminal liability under the CFAA.  In Orin’s view, “authorization” can be determined by asking two questions:  First, does the CFAA protect computers or data? And, second, who controls a computer, the data owner or the computer owner?

It seems to me that the right answer to each question is “both.” The CFAA can and should protect both computers and data stored on computers. Similarly, more than one person can have rights to data on a computer.

In contrast, Orin insists that the CFAA forces a choice.  If it protects computers it can’t protect data.  And the authorization it describes must be binary – you either have full authorization or you have none. But he musters strikingly little support for a point that is so fundamental to his claim.

If anything the statute refutes that argument.  The only textual clue to what the statute means by “authorized” is found in a section that imposes liability on users who exceed their authorized access to a computer; that term is defined as follows: “[T]he term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  Put another way, you exceed authorized access if you obtain or alter information you’re not entitled to obtain or alter.

This definition undercuts both of Orin’s assumptions about authority. It blurs his sharp line between machine and information by saying that a user’s access to the computer exceeds authorization if the user exceeds his authorized access to the information.

And it treats “authorized” and “entitled” as more or less synonymous, which isn’t exactly consistent with the idea that authorization is all-or-nothing.  If I’m attending a demonstration on the Mall, and the Park Police tell me to move on, I’m likely to say, “Sorry, but I’m entitled to be here.”  As I am.  But that doesn’t mean that I can then tell them to move on.  They’re entitled to be there too.  And what if I try to enforce my edict by taking a swing at one of them? He might say, “You’re entitled to be here, but you’re not entitled to do that here.” Quite right, too; it’s jail for me. It turns out my entitlement was real, but it was neither exclusive nor unlimited.

So too with computers under the CFAA.  I may be entitled to retrieve my stolen data stolen from a machine without being entitled to take the machine to a pawn shop and sell it, or to tell the innocent owner what he can and can’t do with it.

In real life, what I’m entitled to do on a piece of ground depends a lot on who owns it, but it depends also on a host of other rules that limit and define the rights of owners, visitors, trespassers, polluters, police, and even outraged victims in hot pursuit of thieves.   All those players are entitled to do some things but not others on that property.  There’s no sign in the CFAA that Congress intended to exclude that complexity from its definition of “authorization” and instead to decide criminal liability by simply asking, “Who owns this box?”

And what about policy?  Which reading of the statute produces better results (an argument that Orin, inexplicably channeling early 19th century jurisprudential style, derides as an “I-like-it-and-therefore-it-is-the-law argument”)?

To understand the policy consequences of the choice, let’s begin with a reminder of our strategic situation. Right now, every computer and network in the country is vulnerable to intrusion by authoritarian foreign governments if not criminals.  We live, or soon will, in Orwell’s world — surveilled in our homes, at work, and as we form our thoughts, keystroke by keystroke.

The intruders have one clear vulnerability; they collect this stolen data on command-and-control machines, which may in some cases belong to other innocent victims. Victims could gain access to these machines, could render the stolen information worthless, could gather clues about the attackers, and could even identify hundreds of other victims who probably don’t yet know they’ve been compromised. That would be a very good thing.

In Orin’s world, though, it’s illegal. Under his reading of the law, the hundreds of victims go unnotified, the evidence goes ungathered, the stolen data goes, well, to China, until law enforcement gets around to the cyber equivalent of stolen-bicycle paperwork.

Why? Because, he argues, any other rule would authorize Disney to hack everyone’s computers in pursuit of pirated videos and would license crime victims to hack any computer as long as they had a good faith belief that the hacking might turn up evidence. In full CCIPS Old Guard mode, he insists that because attribution is hard, the right to counterhack is “not a power that we want to give to every person in the U.S. who happens to own or control a computer.”

(I can’t help noticing in passing how determinedly Orin trivializes the threat we face:  The people I’d call victims of a society-altering intelligence campaign he calls people “who happen to own or control a computer.”  And the intruders I’d describe as foreign intelligence services trying to steal everything we have and know, he compares to a “neighbor [who] borrowed your baseball glove and you want it back.”)

And what of all those bad policy outcomes that Orin conjures – the crazed vigilantes and the RIAA rummaging in everyone’s computers?  The answer is that we, or at least the courts, don’t have to recognize their authority to do that. The courts don’t have to treat “good faith” as creating a counterhacking entitlement; they could as easily insist on a higher standard, such as probable cause.  They could recognize the counterhacker’s authority to gather evidence but not to harm innocent third parties, just as they distinguish today between demonstrators who are entitled to throw insults but not punches on park property. They could reject the notion that the copying of 99-cent music files justifies the same response as a campaign to compromise every network in the country. They could distinguish, in short, between baby and bathwater.

It’s true that my definition of authorization is more complicated than Orin’s, that it requires more line-drawing.  But so does life.  Orin’s alternative is as simple — and as unjust — as applying the murder laws equally to serial killers and to homeowners who shoot home invaders.  Nothing in law or policy requires that we adopt such a reading.