In a recently-filed amicus brief submitted by Oracle America Inc. before the en banc Ninth Circuit in United States v. Nosal, the important Computer Fraud and Abuse Act case I have blogged a lot about, Oracle makes the following argument about interpreting “access” and “authorization” in the context of the CFAA. The CFAA’s prohibition on exceeding authorized access and access without authorization is modeled on trespass principles, the brief reasons, so the scope of the CFAA should be interpreted by reference to the trespass principles articulated in the Restatement (Second) of Torts. According to the Oracle brief, this means that (a) computer owners can condition access to their computers using express restrictions like Terms of Service, but (b) express restrictions are only enforceable in some circumstances. The brief summarizes when express restrictions can be enforced under the tort of trespass as follows:
[Whether a written access restriction can be enforced by trespass law is a] fact-dependent conclusion drawn from the totality of the circumstances, and “it may be manifested by action or inaction and need not be communicated to the actor.” [Restatement (Second) Torts § 892(1) (1979).] see id. § 892 cmt. c. Accordingly, courts sometimes find that a written or posted access restriction has been overridden or lifted.
This common-law principle takes several forms. One is the doctrine of apparent or implied consent; another is estoppel or waiver. Courts are suspicious of posted access restrictions that by their terms apply to everyone but that in fact have been selectively enforced “against some members of the public as opposed to others”; when the signals conflict, courts may find a posted restriction ineffective. Winn, The Guilty Eye, 62 Bus. Law. at 1424. Similarly, a property owner who knowingly acquiesces in a person’s course of access may waive the right to
Many readers know that I am the author of a law school casebook on computer crime law: Computer Crime Law, published by West, now in its second edition.
I’m pleased to announce the publication of another casebook on computer crime law, Thomas K. Clancy’s Cyber Crime and Digital Evidence: Materials and Cases, published by Lexis-Nexis. Professor Clancy teaches at the University of Mississippi Law School (no, not that Tom Clancy), where he is the Director of the “National Center for Justice and the Rule of Law” — a center that among other things has a Cyber Crime initiative largely focused on state and local law enforcement and judicial training.
By my count, Professor Clancy’s book will become the third computer crime law casebook, although only the second that is updated regularly. In 2003, Carolina Academic Press published David Loundy’s casebook, Computer Crime, Information Warfare, & Economic Espionage, although I believe it has not been updated since its initial publication. [...]
Tomorrow morning at 10am, I will be testifying before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security about the need to narrow the Computer Fraud and Abuse Act. I have submitted my written testimony, and it is available here. It begins:
The current version of the Computer Fraud and Abuse Act (CFAA) poses a threat to the civil liberties of the millions of Americans who use computers and the Internet. As interpreted by the Justice Department, many if not most computer users violate the CFAA on a regular basis. Any of them could face arrest and criminal prosecution.
In the Justice Department’s view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable. Routine computer use should not be a crime. Any cybersecurity legislation that this Congress passes should reject the extraordinarily broad interpretations endorsed by the United States Department of Justice.
In my testimony, I want to explain why the CFAA presents a significant threat to civil liberties. I want to then offer two narrow and simple ways to amend the CFAA to respond to these problems. I will conclude by responding to arguments I anticipate the Justice Department officials might make in defense of the current statute.
The three other witnesses appearing at the hearing will be James Baker, the Associate Deputy Attorney General; my old friend and colleague Richard Downing, a Deputy Chief of the Computer Crime and Intellectual Property Section at DOJ; and Michael Chertoff, the former Secretary of Homeland Security. For those interested in attending, the hearing will be at 10 am in Room 2141 of the Rayburn House Office Building. [...]
As a specialist in computer crime law, I am occasionally asked how to find a good defense lawyer in a computer crime case. If you’re a defendant who has been charged in a computer crime case, or you know someone who has been so charged, how do you pick a lawyer? I get this question often enough that I figured I would blog it, in part because I suspect people googling around for a computer crime lawyer might stumble across the post in their search.
The problem with finding a good defense lawyer for a computer crime case is that most defense lawyers are generalists. Defense lawyers often have solo practices, or work in small firms, and they take a very wide range of cases. They specialize in defending individuals against criminal charges, not in particular types of crimes. As a result, it is very hard to find a criminal defense lawyer with genuine expertise and experience in litigating computer crime cases — someone who can handle the statutory issues, knows how to handle expert witnesses, can raise needed Fourth Amendment challenges, and the like. Jennifer Granick comes to mind as one, but there are few others. (Some defense lawyers have websites proclaiming themselves as expert computer crime lawyers, but I would be skeptical about those claims.)
As a result, I think the best path for many defendants is just to hire a good defense lawyer with a good reputation, regardless of expertise in computer issues, and then to consider supplementing that lawyer by discussing the case with a subject-matter expert who can flag some of the issues in the case that a generalist would likely miss. I’ve served as such a subject-matter expert before, and I think it has worked out pretty well. The basic idea is to [...]
I’ve just finished a longish piece on cyberwar and the role of lawyers, published in Foreign Policy magazine. Here’s how it begins:
Lawyers don’t win wars. But can they lose one?
We’re likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they’ve left the military unable to fight or even plan for a war in cyberspace.
And here’s the part that inspired the title of this post:
By the 1930s, everyone saw that aerial bombing would have the capacity to reduce cities to rubble in the next war. Just a few years earlier, the hellish slaughter in the trenches of World War I had destroyed the Victorian world; now air power promised to bring the same carnage to soldiers’ homes, wives, and children.
In Britain, some leaders expressed hardheaded realism about this grim possibility. Former Prime Minister Stanley Baldwin, summing up his country’s strategic position in 1932, showed a candor no recent American leader has dared to match. “There is no power on Earth that can protect [British citizens] from being bombed,” he said. “The bomber will always get through…. The only defense is in offense, which means that you have got to kill more women and children more quickly than the enemy if you want to save yourselves.”
The Americans, however, still hoped to head off the nightmare. Their tool of choice was international law. (Some things never change.) When war broke out in Europe on Sept. 1, 1939, President Franklin D. Roosevelt sent a cable to all the combatants seeking express limits on the use of air power. Citing the potential horrors of aerial bombardment, he called on all combatants to publicly affirm that their armed forces “shall in no event, and under
Kashmir Hill writes at her Forbes blog on the good news from yesterday’s Senate Judiciary Committee hearing markup of amendments to the Computer Fraud and Abuse Act: No, Faking Your Name On Facebook Will Not Be A Felony.
Legal scholar Orin Kerr wrote an alarming op-ed in the Wall Street Journal yesterday, warning people that “faking your name on Facebook could be a felony” when the law is changed. But a lot changed since yesterday morning. An amendment was added to the bill during a Senate Judiciary Committee hearing Thursday morning, so that people who violate website’s terms of service are not considered felons.
Senators Al Franken and Chuck Grassley proposed new language for the bill (thanks in part to Kerr’s urging) to exempt those guilty only of TOS violations. Franken, in urging his fellow senators to adopt the amendment, said that without it, the following people would be felons: “A father who uses his son’s Facebook password to log into his Facebook account to check his messages and photos” (ed. note: Creepy and invasive but not criminal); “a 17 year-old who claims she is 18 in order to sell her knitted scarves on Etsy,” and “a struggling businessowner who secretly creates a Yelp account to give his restaurants favorable reviews” (ed. note: Again, uncool and deceptive, but not felony behavior).
The Committee then added an amendment to the bill that specifies that felony-level unauthorized access not “include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.” The bill will now move forward to be considered by the Senate.
The amendment [...]
The Obama Administration’s legislative proposals on cybersecurity are a distinctly mixed bag. But probably the worst ideas are those put forward by the Justice Department, which last week testified about the need to update the Computer Fraud and Abuse Act.
In fact, for the eleventh time since it was adopted in the 1980s. We’ve seen this movie. Every time Congress gets exercised about cybersecurity, the Justice Department claims that the CFAA needs to be updated. But “updated” almost always turns out to be a euphemism for “made more prosecutor-friendly.”
Justice’s latest proposals fit squarely into this mold. Justice wants to create a new crime, hacking a critical infrastructure computer, with a mandatory minimum sentence of three years. It wants to impose the same penalties on conspiracies and attempts as on successfully completed crimes. It would get rid of first-time offender provisions in sentencing, increase sentences in general, allow civil forfeiture of hackers’ real estate, and make violation of the CFAA a RICO predicate, which would allow heightened penalties and private civil suits against violators.
Well, you might ask, why not get tough with hackers? Surely we shouldn’t be playing pattycake with Anonymous and Lulzsec, let alone the foreign hackers endangering our national security. That’s true, but the problem we have with those hackers is not the weakness of our criminal penalties but the fact that, most of the time, we can’t find them. Until we do a better job of breaking the anonymity that protects them, increasing penalties for criminals we don’t catch will not make much difference.
Take a look at the website where Justice maintains a representative list of its most significant prosecutions. What’s striking is how few prosecutions it has to brag about – less than 50 – and how few of those (maybe half) [...]
I’m trying to identify the law schools that offer courses in Computer Crime Law — a course which may also be called “Cybercrime,” “Cybercrime Law,” or “Internet Crime Law.” It can be either a seminar or a full class, but I am looking for courses that are focused on the criminal law aspects of Internet/computer/cyber law rather than survey courses in computer law that dabble in some criminal-law issues. Just to start somewhere, I started off by looking at the Top 10 schools according to the latest U.S. News. Of those ten, I identified seven schools that offer the course:
I also know that Yale once offered the course, when now-Acting Solicitor General Neal Katyal taught it as a visiting professor a few years ago, but I don’t know if it has been offered since. As far as I can tell from their websites, neither NYU nor Michigan offers the course.
Here’s the question for which I need your help: What other law schools offer the course, either regularly or semi-regularly? I can think of a few examples off the top of my head based on professors I know that teach it — such as Colorado, North Carolina, Georgetown, Dayton, Widener, and of course, GW — but I really need help identifying other schools that offer it. If you took such a class, or you know it is offered at your school, please post a comment or send me an e-mail (okerr at law.gwu.edu). Thanks!
Certainly a cell phone counts, the Eighth Circuit correctly concludes, at least when it comes to the definition of “computer” in 18 U.S.C. 1030(e)(1) of the Computer Fraud and Abuse Act. Hat tip: FourthAmendment.com [...]
Last week, the Eleventh Circuit decided an important case, United States v. Rodriguez, on the computer crime statute known as the Computer Fraud and Abuse Act, 18 U.S.C. 1030. The decision by Judge Pryor touches on the same issue that was in play in the Lori Drew case: When does violating express conditions on computer use constitute a crime? The court’s conclusion seems right on its specific facts, but I worry that it will be construed as adopting a very broad theory that would be quite troubling. So I want to introduce the legal issue, then talk about the Rodriguez case, and then return to the legal issue and talk about how it might apply going forward.
I. The Prohibition on Unauthorized Access
First, some context. Federal law makes it a crime to “exceed authorized access” to a “protected computer” and thereby obtain “information.” 18 U.S.C. 1030(a)(2)(C). Essentially everything on the planet Earth that contains a microchip is a “protected computer”; any data at all counts as “information”; and merely reading information counts as “obtaining” it. As a result, whenever you’re using a computer, the line between computer use that is legal and computer use that can have you arrested and thrown in jail hinges almost entirely on what makes computer use “exceed authorized access.”
The phrase “exceed authorized access” is a defined phrase, but unfortunately the definition is circular. According to 18 U.S.C. 1030(e)(6), “exceeds authorized access” means “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.” That’s not a very helpful definition, if you think about it. Entitlement and authorization mean the same thing. As a result, the definition just says that you exceed authorized access when [...]
From the Detroit Free Press:
Oakland County prosecutors, relying on a Michigan statute typically used to prosecute crimes such as identity theft or stealing trade secrets, have charged Leon Walker, 33, with a felony after he logged onto a laptop in the home he shared with his wife, Clara Walker.
Using her password, he accessed her Gmail account and learned she was having an affair. He now is facing a Feb. 7 trial. She filed for divorce, which was finalized earlier this month.
Legal experts say it’s the first time the statute has been used in a domestic case, and it might be hard to prove….
Frederick Lane, a Vermont attorney and nationally recognized expert who has published five books on electronic privacy[, said that t]he fact that the two still were living together, and that Leon Walker had routine access to the computer, may help him …..
“I would guess there is enough gray area to suggest that she could not have an absolute expectation of privacy,” he said.
The Michigan statute provides, in relevant part,
A person shall not intentionally and without authorization or by exceeding valid authorization … [a]ccess or cause access to be made to a computer program, computer, computer system, or computer network to acquire, alter, damage, delete, or destroy property or otherwise use the service of a computer program, computer, computer system, or computer network.
In principle, it’s just as illegal for a husband to access his wife’s e-mail without permission as it is for him to access someone else’s e-mail without permission. The question is whether the wife had expressly or implicitly authorized the husband to access her e-mail. If she hadn’t, then I suspect the husband’s behavior would violate the statute, because it involves access to Google’s computers in a way [...]
I’m going to leave it to Co-Conspirator Stewart and other cybersecurity legal experts to discuss the legal issues, but regarding the recent Stuxnet worm that Iran reports infected its computers and, we are told, particularly its nuclear program, the New York Times says …
Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.
Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.
The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.
The new forensic work narrows the range of targets and deciphers the worm’s plan of attack. Computer analysts say Stuxnet does its damage by making quick changes in the rotational speed of motors, shifting them rapidly up and down.
The final version of my latest article, Ex Ante Regulation of Computer Search and Seizure, 96 Va. L. Rev. 1241 (2010), has now been posted on the Virginia Law Review’s website. [...]