Archive for the ‘Computer Fraud and Abuse Act’ Category

I’ve blogged a lot on the scope of the Computer Fraud and Abuse Act, and specifically on whether using a computer in violation of a computer use policy or Terms of Service is a federal crime. I’ve been banging the drum urging courts to adopt a narrow interpretation of the Act for a decade, and the question has recently reached several courts of appeals. A lot has been happening on this front recently, so I thought I would bring readers up to speed. To follow this issue, you need to watch all three branches. So let’s start with the pairing of Judiciary/Executive, and then cover the pairing of Legislature/Executive.

First, the Judiciary/Executive. Last Thursday, the Fourth Circuit deepened the apparent circuit split by joining the Ninth Circuit in adopting a narrow interpretation of the CFAA in WEC Carolina Energy Solutions v. Miller. A day later, DOJ asked for another extension of the period in which a cert petition could be filed in United States v. Nosal, the Ninth Circuit en banc case. DOJ’s request for more time may have been at least in part a response to the Fourth Circuit’s decision the day before, although I haven’t seen the filing so I don’t actually know. It’s also possible that DOJ wasn’t planning on filing for cert in Nosal but might reconsider in light of WEC. It’s hard to know.

Next, the Legislature/Executive. The Senate Judiciary Committee is in the middle of its markup of The Cybersecurity Act of 2012, S3414, which you can read here. In its current version, it has no changes to the Computer Fraud and Abuse Act. However, Chairman Leahy has proposed an amendment to the Cybersecurity Act that would make two major changes. First, Leahy’s amendment would add a bunch of things DOJ wants, such as enhancing the CFAA’s penalties, adding an asset forfeiture provision, and creating a new extra-punitive 18 U.S.C. 1030A (see Sections 1-7 of the Amendment). Second, Leahy’s Amendment would add the statutory fix to the definition of “exceeds authorized access” that essentially adopts the narrow view of the circuit split on the scope of the CFAA (see Section 8 of the Amendment). This last Amendment is the Grassley/Franken/Lee Amendment that was supported by the Judiciary Committee back in September 2011. Meanwhile, DOJ is trying to get the best of both worlds: They support Sections 1-7, but they’re trying hard to block Section 8.

How this plays out is anyone’s guess. But it does prompt interesting questions of strategy for both sides. If you think the Supreme Court would adopt the narrow view of the CFAA — a view that has the momentum in the Court of Appeals — then the statutory fix doesn’t have much value either way. But if you’re not sure of that, and you want the narrow view of the CFAA, do you take the generally undesirable penalty enhancements to the CFAA to get Section 8 — assuming that is an option? Either way, if Congress enacts the statutory fix, then the issue is no longer certworthy and you’ll never know how the Supreme Court would have ruled. Stay tuned, as always.

The Ninth Circuit has just handed down its long-awaited en banc decision in United States v. Nosal, the case I’ve blogged a lot about involving the scope of the Computer Fraud and Abuse Act and whether violating employee restrictions on workplace computer use is a federal crime. The opinion by Chief Judge Kozinski is a huge victory for those of us who have urged the courts to adopt a narrow construction of the CFAA. Chief Judge Kozinski’s analysis essentially adopts the argument we made in the Lori Drew case (and that I pushed in two articles) that “exceeds authorized access” has to be interpreted narrowly to avoid turning the CFAA into a statute that inadvertently criminalizes a tremendous scope of innocuous activity. From the conclusion of the opinion:

[W]e hold that the phrase “exceeds authorized access” in the CFAA does not extend to violations of use restrictions. If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly. The rule of lenity requires “penal laws . . . to be construed strictly.” United States v. Wiltberger, 18 U.S. (5 Wheat.) 76, 95 (1820). “[W]hen choice has to be made between two readings of what conduct Congress has made a crime, it is appropriate, before we choose the harsher alternative, to require that Congress should have spoken in language that is clear and definite.” Jones, 529 U.S. at 858 (internal quotation marks and citation omitted).

The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals. “[B]ecause of the seriousness of criminal penalties, and because criminal punishment usually represents the moral condemnation of the community, legislatures and not courts should define criminal activity.” United States v. Bass, 404 U.S. 336, 348 (1971). “If there is any doubt about whether Congress intended [the CFAA] to prohibit the conduct in which [Nosal] engaged, then ‘we must choose the interpretation least likely to impose penalties unintended by Congress.’” United States v. Cabaccang, 332 F.3d 622, 635 n.22 (9th Cir. 2003) (quoting United States v. Arzate-Nunez, 18 F.3d 730, 736 (9th Cir. 1994)).

This narrower interpretation is also a more sensible reading of the text and legislative history of a statute whose general purpose is to punish hacking—the circumvention of technological access barriers—not misappropriation of trade secrets—a subject Congress has dealt with elsewhere. Therefore, we hold that “exceeds authorized access” in the CFAA is limited to violations of restrictions on access to information, and not restrictions on its use.

Given that I have been beating the drum for this view for about a decade now, I am happy to conclude that Kozinski’s opinion is superb and extremely insightful. Judge Kozinski also recognizes that the Ninth Circuit is creating disagreement among the circuits:

We remain unpersuaded by the decisions of our sister circuits that interpret the CFAA broadly to cover violations of corporate computer use restrictions or violations of a duty of loyalty. See United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006). These courts looked only at the culpable behavior of the defendants before them, and failed to consider the effect on millions of ordinary citizens caused by the statute’s unitary definition of “exceeds authorized access.” They therefore failed to apply the long-standing principle that we must construe ambiguous criminal statutes narrowly so as to avoid “making criminal law in Congress’s stead.” United States v. Santos, 553 U.S. 507, 514 (2008).

We therefore respectfully decline to follow our sister circuits and urge them to reconsider instead. For our part, we continue to follow in the path blazed by Brekka, 581 F.3d 1127, and the growing number of courts that have reached the same conclusion. These courts recognize that the plain language of the CFAA “target[s] the unauthorized procurement or alteration of information, not its misuse or misappropriation.” Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 965 (D. Ariz. 2008) (internal quotation marks omitted); see also Orbit One Commc’ns, Inc. v. Numerex Corp., 692 F. Supp. 2d 373, 385 (S.D.N.Y. 2010) (“The plain language of the CFAA supports a narrow reading. The CFAA expressly prohibits improper ‘access’ of computer information. It does not prohibit misuse or misappropriation.”); Diamond Power Int’l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1343 (N.D. Ga. 2007)(“[A] violation for ‘exceeding authorized access’ occurs where initial access is permitted but the access of certain information is not permitted.”); Int’l Ass’n of Machinists & Aerospace Workers v. Werner-Masuda, 390 F. Supp. 2d 479, 499 (D. Md. 2005) (“[T]he CFAA, however, do[es] not prohibit the unauthorized disclosure or use of information, but rather unauthorized access.”).

As always, stay tuned. For thoughts on whether the Supreme Court might be interested in this case, see the bottom of this post.

I’ve blogged a lot about the Ninth Circuit’s en banc case in United States v. Nosal, on the scope of the Computer Fraud and Abuse Act — and more specifically, on whether it’s a federal crime to violate an express written restriction on using a computer. You can watch last Thursday’s oral argument in the case here:

Chief Judge Kozinski presided, and he seemed pretty clearly on the side that I’ve been advocating here at the blog, in the Drew case, in my recent testimony, and in my law review articles. I was very pleased to see that, although I wasn’t surprised in light of Judge Kozinski’s libertarian streak. At the same time, I don’t think we have enough information to count votes accurately, as only about four judges spoke in ways that might have indicated their views (two for Nosal, two for the United States, I believe). I’m cautiously optimistic, but we’ll have to see how the votes shake out in the end.

I’ll hide my more detailed reactions below the break for the handful of CFAA nerds in the VC readership .....

Continue reading ‘Thoughts on the Oral Arguments in United States v. Nosal’ »

Law.com has reprinted this helpful story on the Ninth Circuit en banc arguments to be held later this week in United States v. Nosal.

In a recently-filed amicus brief submitted by Oracle America Inc. before the en banc Ninth Circuit in United States v. Nosal, the important Computer Fraud and Abuse Act case I have blogged a lot about, Oracle makes the following argument about interpreting “access” and “authorization” in the context of the CFAA. The CFAA’s prohibition on exceeding authorized access and access without authorization is modeled on trespass principles, the brief reasons, so the scope of the CFAA should be interpreted by reference to the trespass principles articulated in the Restatement (Second) of Torts. According to the Oracle brief, this means that (a) computer owners can condition access to their computers using express restrictions like Terms of Service, but (b) express restrictions are only enforceable in some circumstances. The brief summarizes when express restrictions can be enforced under the tort of trespass as follows:

[Whether a written access restriction can be enforced by trespass law is a] fact-dependent conclusion drawn from the totality of the circumstances, and “it may be manifested by action or inaction and need not be communicated to the actor.” [Restatement (Second) Torts § 892(1) (1979).] see id. § 892 cmt. c. Accordingly, courts sometimes find that a written or posted access restriction has been overridden or lifted.

This common-law principle takes several forms. One is the doctrine of apparent or implied consent; another is estoppel or waiver. Courts are suspicious of posted access restrictions that by their terms apply to everyone but that in fact have been selectively enforced “against some members of the public as opposed to others”; when the signals conflict, courts may find a posted restriction ineffective. Winn, The Guilty Eye, 62 Bus. Law. at 1424. Similarly, a property owner who knowingly acquiesces in a person’s course of access may waive the right to call it a trespass. See id.; see also 75 Am. Jur. 2d, Trespass § 67 (estoppel defense). When an owner has “actual knowledge” of repeated trespasses, the owner’s “habitual acquiescence … may constitute a license for persons to enter the land, if the tolerance is so pronounced as to be tantamount to permission.” 75 Am. Jur. 2d, Trespass § 73. Community custom is especially relevant in determining apparent consent. See Restatement (Second) Torts § 892 cmt. d; cf. McKee v. Gratz, 260 U.S. 127, 136 (1922) (“A license may be implied from the habits of the country.”). Above all, commonsense and reasonableness are the guides, as they are with all totality-of-the-circumstances inquiries.

Like other established doctrines of the common law of trespass, the reasonable approach to judging posted access restrictions applies to the CFAA. And it easily answers Nosal’s policy concerns. If, as Nosal posits, it is well known that millions of employees and Internet users actually violate posted restrictions on computer and information access every day, chances are good that those restrictions are not bona fide.

I considered this argument when I was writing my Cybercrime’s Scope article in 2003, but I concluded that it’s not persuasive. The problem is that the principles of interpreting common law torts are pretty different from the principles of interpreting criminal law statutes. The CFAA is a criminal statute: Although Congress later added some civil remedies to it, the statute is primarily a criminal statute and its basic prohibitions need to be interpreted accordingly. So while it’s true that the CFAA harnesses the basic concept of a trespass, I don’t see a good reason to adopt the details of the trespass tort when interpreting the CFAA.

The void for vagueness doctrine demonstrates the problem. The scope of common law tort liability is not subject to vagueness challenges. As a result, the scope of common law tort liability can be quite unclear. That’s fine in the tort context: It’s not a big deal if a person who may be trespassing isn’t entirely sure if the posted notice is enforceable. But the void for vagueness doctrine requires at least some degree of clarity in the criminal context. Hinging criminal liability on whether the term of service violated is one that is violated as a “habit[] of the country” and for which there is “habitual acquiescence” is just too unclear. No one really knows how that would be applied.

The difference between trespass onto physical land and access into a computer is a significant part of the problem. In the case of a physical trespass, we can get a sense of social norms by observing what notices are enforced. We know where we are on physical land, and can only be in one place at a time. We visually observe enforcement, and we visually observe if notices are ignored. But it’s hard to obtain knowledge as to how seriously a particular computer provider takes each provision in the Terms of Service. Users can’t generally know which Terms are meant to be taken seriously and which aren’t. Plus, a computer user might be accessing several different computers at the same time. Users don’t have obvious ways of determining which of the dozens or even hundreds of written restrictions that might apply to them at any given time are really intended to be taken seriously. How does a computer user know which terms are violated as a “habit of the country”?

Continue reading ‘The Trespass Tort Versus the CFAA: A Response to the Oracle Amicus Brief in Nosal’ »

Senator Leahy recently proposed an amendment to the Computer Fraud and Abuse Act to try to address the overbreadth concerns that I and others have raised about the current statute, and particularly DOJ’s controversial view that the statute presently allows the government to prosecute computer users for TOS violations. I wanted to blog my thoughts on Leahy’s proposed amendment. My basic take is that Leahy’s proposal is such a modest step that it doesn’t solve the problem it aims to solve. Its language appears to still allow DOJ to prosecute TOS violations, including the theory of the Lori Drew case that the statutory fixes are all designed to stop. For those reasons, explained in detail below, I can’t support the Leahy Amendment. Instead I continue to support the Grassley/Franken amendment.


I. Introduction and the Leahy Amendment

First, some context, for those who are new to this debate or unfamiliar with the Leahy proposal. At its broadest, the CFAA prohibits exceeding authorized access to a computer and obtaining information. See 18 U.S.C. 1030(a)(2). This is overbroad for two related reasons: First, “exceeding authorized access” might mean anything, including violating TOS; and second, the statute applies to obtaining any kind of information, not just sensitive information, so it would include any kind of TOS violations, no matter how arbitrary or silly. As I explain in my House testimony, there are two basic ways to fix the overbreadth problems. First, you could limit the definition of “exceeds authorized access,” so it excludes TOS violations; and second, you could limit the kinds of information that could be obtained so that it only applies to violations involving particularly sensitive information.

The Grassley/Franken amendment agreed to by the Senate Judiciary Committee a few weeks ago was based on the first strategy; it amends the definition of “exceeds authorized access” to exclude TOS violations. Senator Leahy’s proposal is based on the second strategy, limiting the kind of information obtained. I have heard that Leahy’s proposal was based loosely on my blog post here in September, in which I suggested that you could amend the information obtained under the “exceeds authorized access” prong to the following categories of information:

(a) Information with a value of more than $5,000;
(b) sensitive or private information involving an identifiable individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, or photographs of a sensitive or private nature;
(c) information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954.

That brings us to Senator Leahy’s proposal. Leahy’s proposal would rewrite 1030(a)(2) so that it punishes whoever:

Intentionally accesses a computer —

(A) without authorization, and thereby obtains—
(i) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(ii) information from any department or agency of the United States; or
(iii) information from any protected computer;

or

(B) in excess of authorization, thereby obtains— (i) information defined in subparagraph (A) (i) through (iii); and (ii) the offense involves
(I) information that exceeds $5,000 in value;
(II) sensitive or private information involving an identifiable individual or entity (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, government-issued identification numbers, unique biometric data, financial records, photographs of a sensitive or private nature, trade secrets, commercial business information, or other similar information;
(III) information that has been properly classified by the United States Government pursuant to an Executive Order or statute, or determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national security, national defense, or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954; or
(IV) information obtained from a computer used by, or on behalf of a government entity.

The basic strategy here is as follows. First, the proposal leaves the current 1030(a)(2) in place for violations involving “access without authorization,” so that any information is covered when access was without authorization. (As an aside, note that the statute is written in a redundant fashion for mostly historical reasons; because any information in categories i and ii is already part of iii, it’s iii — “information from a protected computer” — that really matters. I have no idea why they don’t modernize the language and just eliminate all the gibberish about financial records and the Fair Credit Reporting Act, but at least the extra gibberish is harmless in practice.)

Second, the proposal rewrites 1030(a)(2) for violations involving “exceeding authorized access,” but it makes only one change: The offense has to somehow “involve” one of the listed categories of information. The listed categories of information start with the ones I proposed in my blog post, but then add the following:

1) government-issued identification numbers,
2) unique biometric data,
3) financial records,
4) trade secrets,
5) commercial business information,
6) other similar information;
7) information obtained from a computer used by, or on behalf of a government entity.

II. My Two Objections to the Leahy Amendment

I think there are two major problems with Senator Leahy’s amendment: first, the overbreadth of the information that qualifies; and second, the use of “involves” information rather than “obtains” information.

(a) The Overbreadth of the Categories of Information. The first major problem with the Leahy amendment is that the categories of information listed are incredibly broad. Unfortunately, the language is so broad that it wouldn’t substantially limit DOJ’s ability to prosecute exactly the kinds of Terms of Service cases that everyone is worried about. That means that the Leahy amendment has the form of a “fix,” but in practice would simply endorse TOS prosecutions in a remarkably wide range of cases.

This is particularly clear in the case of TOS set up by businesses. DOJ could still prosecute TOS violations involving most businesses because violating a TOS with a business will almost always involve some kind of business information. Consider a fact-pattern from an actual CFAA civil case. Say I run a business and I have information about products on my website; I then set up a Term of Use saying that no competitors are allowed to visit my website. As I read the Leahy proposal, it is still a CFAA violation if the competitor violates the Term of Use. After all, the competitor violated the Term of Use and then obtained “commercial business information,” that is, information about the company’s products.

For that matter, I think Leahy’s amendment would endorse DOJ’s prosecution of Lori Drew. Drew helped set up a fake myspace account to try to contact her daughter’s friend with the goal of finding out what the friend was saying about her daughter; Drew helped violate the Terms of Service which said all profile information has to be accurate. As I read Leahy’s amendment, it would support the DOJ’s prosecution in that case: Drew violated the TOS in the course of obtaining personal information about her daughter held by the daughter’s friend. (To be clear, this is partly a problem with my own proposal for how to fix 1030(a)(2); now that I think about it, my own proposed language was too broad.)

Some of the other categories of information are particularly strange. Take the “trade secrets” provision. Not long ago, Congress worked hard to pass an entirely different statute on the theft of trade secrets, 18 U.S.C. 1832. Congress crafted that statute carefully, requiring intent to convert the trade secret. Including trade secrets in 1030(a)(2) just because they are trade secrets would reduce Section 1832 to a nullity, effectively allowing DOJ to prosecute theft of trade secrets without ever having to prove intent to convert the trade secret — the very element Congress went out of its way to require in passing Section 1832. If Congress wants to expand Section 1832, it should do it directly, but it seems strange to use the CFAA as a quiet way to dramatically expand the theft of trade secrets statute.

The category of “other similar information” is even more puzzling. Similar how? To what? In what way? It’s hard to know what that is supposed to mean.

And further, why does the amendment treat information from government computers as somehow special? If the law is going to carve out categories of particularly sensitive information, it’s not clear to me why information stored on a government computer (which would include public websites like whitehouse.gov) is inherently private or sensitive.

For all these reasons, I think the categories of information listed in the Leahy amendment are far too broad. They wouldn’t really limit DOJ’s power to prosecute Terms of Service violations.

(b) What Does it Mean to “Involve” Information? The second major problem with the Leahy amendment is that it still extends to obtaining any information, and merely requires that the offense somehow “involve” one of the new categories of listed information. That strikes me as at best tremendously vague and at worst terribly overbroad. What does it mean for an offense to merely “involve” a type of information, when that information is not the information actually obtained by the offense? How far removed from the actual information obtained can the information be while still being “involved” in the offense? I don’t know, but it seems to me that DOJ could plausibly interpret that language so broadly that it reduces the amendment to a nullity.

To see why, imagine a guy sets up a Match.com profile and fills it with information about himself. When asked to enter in his age, he says he is 32 years old when he is really 33. After setting up the profile, he stops. In such a case, he didn’t use the service to obtain any sensitive information of anyone else. But presumably his conduct “involved” private information belonging to an identifiable individual — namely, himself. More broadly, it’s hard to know when an offense “involves” information that is one of the sensitive categories of information; I don’t think I know what that means. And when you pair it with some of the other ambiguous language in the statute, the ambiguity is magnified: A statute that says it is a crime to exceed authorized access to a computer when the conduct “involves . . . similar information” is a statute with considerable vagueness problems in need of a clean-up.

III. Conclusion

To be clear, I think the Leahy proposal starts with a fair approach: The basic concept of limiting the CFAA by limiting the information obtained in 1030(a)(2) is sensible. But the categories of information in this particular proposal are too broad, and the limitation that the offense must merely “involve” such a category is too vague, for me to support it. I think the Grassley/Franken approach is much better, and I hope the Senate sticks with that approach rather than adopting the Leahy approach.

The scope of the CFAA has been drawing some significant press attention today. Eric Felten takes on the issue in the Wall Street Journal; Judson Berger does so over at Fox News. I’ll be on NPR’s All Things Considered this weekend discussing the same issue.

I testified yesterday at a House Judiciary Committee hearing that focused in part on the need to narrow the Computer Fraud and Abuse Act, a drum I’ve been beating since 2003. You can watch the video of the hearing here; the CFAA parts were discussed mostly in the opening statements and in the last 15 minutes. For press coverage of the hearing, some of which focuses on my testimony, see Wired News, CBS News, Main Justice, The Register, and Talking Points Memo.

I thought the hearing went relatively well for those of us who believe the CFAA must be narrowed. There were only a handful of Representatives at the hearing at any given time, and at times the only members present were Mr. Gohmert (Vice Chairman of the subcommittee) and Mr. Scott (the ranking minority member). Further, most of the hearing considered other questions in the area of cybersecurity. So any conclusions must be tentative. But in the last 15 minutes or so of the hearing, Gohmert and Scott turned to the CFAA question, and both indicated their view that the CFAA needs to be narrowed so that it doesn’t apply to innocent conduct like TOS violations. I was also interested to see that the other witnesses also seemed to agree that there was a problem with the overbreadth of the statute — the disagreement was only on what to do about it. It was only a hearing, and only a few members were present, but I’m cautiously optimistic.

Perhaps the most promising sign is that after the hearing, DOJ struck a conciliatory note in response to press inquiries on its position. DOJ’s written testimony submitted before the hearing defended a very broad reading of the CFAA, and it expressed the view that it was important to be able to prosecute Terms of Service violations. That drew a lot of negative press stories, and raised eyebrows at the hearing. After the hearing, however, DOJ spokeswoman Alisa Finelli offered a Politico reporter what sounds to me like a different position:

“The only court to rule on this issue [whether TOS violations violate the CFAA] ruled that it was not a violation of the law. The Department did not appeal this decision, and it has not brought a similar case since,” said DOJ spokeswoman Alisa Finelli. “We understand the concern that is motivating these criticisms of the statute, and we are willing to work with Congress on legislative proposals in this area.”

Finelli characterized Downing’s testimony as meaning that “it is not a ‘DOJ position’ that such conduct would violate the Computer Fraud and Abuse Act.”

As I commented in the Politico story, Finelli’s comment leaves me unclear as to what DOJ’s position is: I don’t see how it’s consistent with DOJ’s written testimony. But if DOJ’s opposition has softened, that is very good news.

Tomorrow morning at 10am, I will be testifying before the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security about the need to narrow the Computer Fraud and Abuse Act. I have submitted my written testimony, and it is available here. It begins:

The current version of the Computer Fraud and Abuse Act (CFAA) poses a threat to the civil liberties of the millions of Americans who use computers and the Internet. As interpreted by the Justice Department, many if not most computer users violate the CFAA on a regular basis. Any of them could face arrest and criminal prosecution.

In the Justice Department’s view, the CFAA criminalizes conduct as innocuous as using a fake name on Facebook or lying about your weight in an online dating profile. That situation is intolerable. Routine computer use should not be a crime. Any cybersecurity legislation that this Congress passes should reject the extraordinarily broad interpretations endorsed by the United States Department of Justice.

In my testimony, I want to explain why the CFAA presents a significant threat to civil liberties. I want to then offer two narrow and simple ways to amend the CFAA to respond to these problems. I will conclude by responding to arguments I anticipate the Justice Department officials might make in defense of the current statute.

The three other witnesses appearing at the hearing will be James Baker, the Associate Deputy Attorney General; my old friend and colleague Richard Downing, a Deputy Chief of the Computer Crime and Intellectual Property Section at DOJ; and Michael Chertoff, the former Secretary of Homeland Security. For those interested in attending, the hearing will be at 10 am in Room 2141 of the Rayburn House Office Building.

I’ve blogged a lot about 18 U.S.C. 1030, the Computer Fraud and Abuse Act (CFAA), and how broad readings of the statute potentially criminalize a tremendous amount of entirely innocuous activity. The broad readings of the CFAA also have another important effect: They allow DOJ to try to turn any state crime that happens to involve computers into a federal crime. In that sense, the CFAA is being used as a catch-all to try to punish computer misconduct that otherwise would not be thought to be a federal offense. An interesting example is United States v. Nestor, a prosecution that is pending in the U.S. District Court for the District of Nevada.

Andrew Nestor learned of a programming flaw in certain video poker machines used in Las Vegas. By using a certain feature and playing a particular combination, a person could trick the poker machine into paying out winnings at a higher rate than it should have. Nestor played the combination, and he was able to receive winnings that he was not entitled to have. At this stage, it sounds like a state law offense of theft or fraud. Nestor stole the money from the machine by fraud.

But was a federal crime committed, as opposed to a state crime? Federal prosecutors love to charge fraud cases under the wire fraud statute, 18 U.S.C. 1343, but that wouldn’t work here. Liability under the wire fraud statute requires a crossing of state lines, while here all the action occurred in a single room. So instead the government charged Nestor with a CFAA violation, and specifically 18 U.S.C. 1030(a)(4), which punishes:

knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period[.]

Note that there is no longer a requirement of crossing state lines, as there is in the case of the wire fraud statute. Instead, the only federal hook is that the computer be a “protected computer.” But that’s really no federal hook at all: Protected computers are defined as any computers that can be regulated under the Commerce Clause power, which paired with Gonzales v. Raich seems to be any computers, period. So voila, there is federal jurisdiction over the state law crime because a computer is involved.

Of course, whether the government can use 1030(a)(4) to federalize state law fraud schemes involving computers depends on the legal interpretation of “accesses . . . without authorization, or exceeds authorized access,” which is the main issue involved in cases like United States v. Nosal, currently pending before the en banc Ninth Circuit. In the Nestor case, I assume DOJ’s view is that it is implicitly unauthorized to exploit a programming error in a computer in order to commit a fraud. I think this reading essentially reads “without authorization, or exceeds authorized access” out of the statute, and instead treats 1030(a)(4) as punishing fraud committed using any computer, period. But we’ll see what the district court does with the motion to dismiss in Nestor, which may in turn depend on what the en banc Ninth Circuit does in Nosal.

I’ve blogged a few times about the recent Ninth Circuit decision in United States v. Nosal, which held that “an employee accesses a computer in excess of his or her authorization [in violation of 18 U.S.C. 1030] when that access violates the employer’s access restrictions, which may include restrictions on the employee’s use of the computer or of the information contained in that computer.” My most recent post on Nosal linked to the petition for rehearing and expressed the hope that the Ninth Circuit would grant it.

I’m pleased to report that the Ninth Circuit today granted the petition for rehearing. This is promising news for those of us who have worried about the remarkable overbreadth of the Computer Fraud and Abuse Act. As always, stay tuned.

I’ve just finished a longish piece on cyberwar and the role of lawyers, published in Foreign Policy magazine. Here’s how it begins:

Lawyers don’t win wars. But can they lose one?

We’re likely to find out, and soon. Lawyers across the U.S. government have raised so many show-stopping legal questions about cyberwar that they’ve left the military unable to fight or even plan for a war in cyberspace.

...

And here’s the part that inspired the title of this post:

By the 1930s, everyone saw that aerial bombing would have the capacity to reduce cities to rubble in the next war. Just a few years earlier, the hellish slaughter in the trenches of World War I had destroyed the Victorian world; now air power promised to bring the same carnage to soldiers’ homes, wives, and children.

In Britain, some leaders expressed hardheaded realism about this grim possibility. Former Prime Minister Stanley Baldwin, summing up his country’s strategic position in 1932, showed a candor no recent American leader has dared to match. “There is no power on Earth that can protect [British citizens] from being bombed,” he said. “The bomber will always get through.... The only defense is in offense, which means that you have got to kill more women and children more quickly than the enemy if you want to save yourselves.”

The Americans, however, still hoped to head off the nightmare. Their tool of choice was international law. (Some things never change.) When war broke out in Europe on Sept. 1, 1939, President Franklin D. Roosevelt sent a cable to all the combatants seeking express limits on the use of air power. Citing the potential horrors of aerial bombardment, he called on all combatants to publicly affirm that their armed forces “shall in no event, and under no circumstances, undertake the bombardment from the air of civilian populations or of unfortified cities.”

Roosevelt had a pretty good legal case. The 1899 Hague conventions on the laws of war, adopted just two years after the Wright brothers’ first flight, declared that in bombardments, “all necessary steps should be taken to spare as far as possible edifices devoted to religion, art, science, and charity, hospitals, and places where the sick and wounded are collected, provided they are not used at the same time for military purposes.” The League of Nations had also declared that in air war, “the intentional bombing of civilian populations is illegal.”

But FDR didn’t rely just on law. He asked for a public pledge that would bind all sides in the new war — and, remarkably, he got it. The horror at aerial bombardment of civilians ran so deep in that era that Britain, France, Germany, and Poland all agreed to FDR’s bargain, before nightfall on Sept. 1, 1939.

Nearly a year later, with the Battle of Britain raging in the air, the Luftwaffe was still threatening to discipline any pilot who bombed civilian targets. The deal had held. FDR’s accomplishment began to look like a great victory for the international law of war — exactly what the lawyers and diplomats now dealing with cyberwar hope to achieve.

But that’s not how this story ends.

...

Kashmir Hill writes at her Forbes blog on the good news from yesterday’s Senate Judiciary Committee hearing markup of amendments to the Computer Fraud and Abuse Act: No, Faking Your Name On Facebook Will Not Be A Felony.

Legal scholar Orin Kerr wrote an alarming op-ed in the Wall Street Journal yesterday, warning people that “faking your name on Facebook could be a felony” when the law is changed. But a lot has changed since yesterday morning. An amendment was added to the bill during a Senate Judiciary Committee hearing Thursday morning, so that people who violate websites’ terms of service are not considered felons.

Senators Al Franken and Chuck Grassley proposed new language for the bill (thanks in part to Kerr’s urging) to exempt those guilty only of TOS violations. Franken, in urging his fellow senators to adopt the amendment, said that without it, the following people would be felons: “A father who uses his son’s Facebook password to log into his Facebook account to check his messages and photos” (ed. note: Creepy and invasive but not criminal); “a 17-year-old who claims she is 18 in order to sell her knitted scarves on Etsy,” and “a struggling business owner who secretly creates a Yelp account to give his restaurants favorable reviews” (ed. note: Again, uncool and deceptive, but not felony behavior).

The Committee then added an amendment to the bill that specifies that felony-level unauthorized access not “include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.” The bill will now move forward to be considered by the Senate.

The amendment is here. It would amend the definition of “exceeds authorized access” in the CFAA to the following, with the new language in bold:

the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter, but does not include access in violation of a contractual obligation or agreement, such as an acceptable use policy or terms of service agreement, with an Internet service provider, Internet website, or non-government employer, if such violation constitutes the sole basis for determining that access to a protected computer is unauthorized.

I think this is a very good fix, and would be a very important addition to the CFAA. As I read this, the language says that mere breach of a contract or warning such as a Terms of Service cannot be the basis for liability in three instances: with websites, ISPs, and non-government employers. So the government could still prosecute government employees who misused sensitive government databases, such as by accessing tax or social security databases for personal or nefarious reasons. On the other hand, the Government could not prosecute private sector employees for breaching private sector employer computer use restrictions (as they’re trying to do in United States v. Nosal, still pending in the Ninth Circuit) and they could not prosecute Internet users for Terms of Service violations (as they tried to do in United States v. Drew). The language isn’t exactly perfect, as there are some minor definitional questions. But this is really a very strong effort, and I’m just delighted that the Judiciary Committee passed this.

Of course, the fact that it’s out of Committee doesn’t mean it has passed into law. DOJ may target this provision along the way, and there are still a number of hurdles to pass. But this is a very promising step.

Tomorrow’s Wall Street Journal is running an op-ed I authored on the proposed amendments to the Computer Fraud and Abuse Act. It begins:

Imagine that President Obama could order the arrest of anyone who broke a promise on the Internet. So you could be jailed for lying about your age or weight on an Internet dating site. Or you could be sent to federal prison if your boss told you to work but you used the company’s computer to check sports scores online. Imagine that Eric Holder’s Justice Department urged Congress to raise penalties for violations, making them felonies allowing three years in jail for each broken promise. Fanciful, right?

Think again. Congress is now poised to grant the Obama administration’s wishes in the name of “cybersecurity.”

The little-known law at issue is called the Computer Fraud and Abuse Act. It was enacted in 1986 to punish computer hacking. But Congress has broadened the law every few years, and today it extends far beyond hacking. The law now criminalizes computer use that “exceeds authorized access” to any computer. Today that violation is a misdemeanor, but the Senate Judiciary Committee is set to meet this morning to vote on making it a felony.

The problem is that a lot of routine computer use can exceed “authorized access.” Courts are still struggling to interpret this language. But the Justice Department believes that it applies incredibly broadly to include “terms of use” violations and breaches of workplace computer-use policies.

Breaching an agreement or ignoring your boss might be bad. But should it be a federal crime just because it involves a computer?

UPDATE: Via e-mail, a reader points out that I misdescribed one case near the end of the op-ed. The Ticketmaster case I mentioned involved alleged unauthorized access beyond the TOS violations. My apologies for the error, which was entirely mine.

In his post below, Stewart Baker writes that DOJ official James Baker “gave a persuasive defense” of the broad view that the Computer Fraud and Abuse Act should apply to Terms of Service violations and employee restrictions on computers. In this post, I want to explain why I don’t find DOJ’s defense of existing law persuasive. I will then propose a statutory fix to reconcile DOJ’s concerns with the concerns of the CFAA’s critics — critics including myself.

Let’s start with James Baker’s written testimony, which I’ll refer to as “DOJ’s testimony” just to avoid confusing the Bakers. According to DOJ, applying the CFAA to Terms of Service violations and employee access restrictions is justified on the following grounds:

All types of employees in both the private and public sector – from credit card customer service representatives, to government employees processing tax returns, passports, and criminal records, to intelligence analysts handling sensitive material – require access to databases containing large amounts of highly personal and otherwise sensitive data. In most cases, employers communicate clear and reasonable restrictions on the purposes for which that data may be accessed. The Department has prosecuted numerous cases involving insiders in both the public and private sectors who have violated defined rules to access and obtain sensitive information. In many prosecutions involving insiders, the “terms of service” and similar rules in employment contexts define whether the individual charged was entitled to obtain or alter the information at issue. This is almost identical to prosecutions under other statutes, in which internal procedures, agreements, and communications must be examined by a fact-finder to determine, for example, whether a particular payment was authorized, or embezzlement or fraud.

Employers should be able to set and communicate access restrictions to employees and contractors with the confidence that the law will protect them when their employees or contractors exceed these restrictions to access data for a wrongful purpose. Limiting the use of such terms to define the scope of authorization would, in some instances, prevent prosecution of exactly the kind of serious insider cases the Department handles on a regular basis: situations where a government employee is given access to sensitive information stored by the State Department, Internal Revenue Service, or crime database systems subject to express access restrictions, and then violates those access restrictions to access the database for a prohibited purpose. Similarly, businesses should have confidence that they can allow customers to access certain information on the business’s servers, such as information about their own orders and customer information, but that customers who intentionally exceed those limitations and obtain access to the business’s proprietary information and the information of other customers can be prosecuted.

On one hand, DOJ is right that some specific circumstances justify punishment for a person who has violated a written restriction on access to a computer. If a written restriction protects extremely private or valuable information, then violating that written restriction inflicts a real privacy harm. The harm exists because the information is particularly sensitive, and the restrictions on the information are therefore important. Unsurprisingly, those are the cases DOJ likes to use as examples: The government employee who uses the sensitive database of private information for personal reasons, or the insider who accesses very valuable proprietary information. When a person violates these important restrictions on very sensitive data, a genuine privacy harm has occurred.

But here’s the problem. The Computer Fraud and Abuse Act does not only protect particularly sensitive or valuable information. Instead, the statute protects access to any information, no matter what its source or kind, protected by any restriction, no matter how silly or serious, stored inside any computer, no matter what its nature or importance, located anywhere in the galaxy that the Commerce Clause can reach. It has no special rules for employers, or for customers, or for sensitive information, or for important access restrictions. It applies to everything. Any kind of information. Every computer and every access restriction, whether connected to a network or not. Perhaps .00000001% of the restrictions that the law covers are the kinds of cases that DOJ claims as cases it might prosecute. And that’s why it’s so easy to create completely absurd hypotheticals of silly ways that innocuous conduct is criminalized — and under the new proposal, made a felony — under DOJ’s view of the statute. Just have a silly computer owner set up a computer with no sensitive information on it, have him give everyone access, and then imagine an arbitrary restriction on that access that has nothing to do with privacy, money, or any real interest at all. Voila! It’s just as much of a CFAA violation as any of the examples DOJ uses.

I promised a way to reconcile DOJ’s concerns with the concerns of critics of the CFAA. So here it is: Congress should limit when the CFAA prohibits “exceed[ing] authorized access” to cases in which the information obtained is particularly sensitive or valuable. The law should continue to broadly prohibit actual hacking — that is, access “without authorization.” But if the prohibition on “exceed[ing] authorized access” is to be read to apply to Terms of Service violations and employee restrictions, Congress should specify what kinds of sensitive information federal law protects. For example, a list might look something like this:

(a) information with a value of more than $5,000;
(b) sensitive or private information involving an identifiable individual (including such information in the possession of a third party), including medical records, wills, diaries, private correspondence, financial records, or photographs of a sensitive or private nature;
(c) information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954.

Under this proposal, DOJ would get everything it says it wants. DOJ would still be able to prosecute the government employees who access sensitive databases, whether they are sensitive because they store personal information (b) or national security information (c). DOJ would also still be able to prosecute instances in which folks access very valuable proprietary information via (a). But critics would also get what they want. The limitations on the scope of information covered by the “exceeds authorized access” prong would ensure that the law only applied to important access restrictions that protect real privacy interests. The combination of this and the required mental state of “intentionally” would ensure that people who violated silly or arbitrary access restrictions that protected no genuine privacy interests were not covered by the law. That substantial narrowing would also cure the serious void-for-vagueness problems with DOJ’s preferred reading of the statute.