My co-blogger Stewart Baker recently argued that it is legal to hack into the computer of someone who has hacked into your computer. Stewart says his analysis is “surely” right. I think it’s obviously wrong. Here’s why.
The Computer Fraud and Abuse Act is a computer trespass statute. It prohibits accessing another person’s computer “without authorization” just like trespass laws prohibit walking on to someone else’s land without their consent. As with a traditional trespass statute, it is the owner/operator of the property that controls authorization. The basic idea is to give computer owners the ability to enforce rights on their own machines. There is lots of disagreement about how computer owner/operators can create rights on their machines that the law will enforce — I’ve blogged a lot about the role of Terms of Service in doing so — but everyone agrees that hacking into someone else’s machine is the quintessential example of the kind of conduct prohibited by the statute.
Stewart offers a novel way to get around this and read the statute allowing hacking back. He posits that rights to control authorization go with ownership of data stored on a particular machine. More specifically, Stewart argues that the CFAA is so vague as to whether it protects computer or data that the rule of lenity requires courts to adopt the view that any person pursuing their stolen data is authorized in their conduct. In his view, you can’t really rule out that the theft victim controls authorization — and if you can’t really rule it out, you must rule it in. Thus anything victims do must be authorized because they themselves have authorized it.
I think this view of the CFAA is clearly wrong. Contrary to Stewart’s claim, there is no genuine ambiguity over whether the statute protects [...]