WH Cybersecurity Proposal: CFAA Hack Goes Beyond Hackers
The White House recently released its long-awaited cybersecurity legislative proposal, finally adding its voice to the ongoing debate over government cybersecurity authorities. This is the third of a four-part analysis from CDT of various elements of the Administration's far-reaching package. Part I, Part II, Part IV
Part III: Revising the Computer Fraud and Abuse Act
This post will address the new law enforcement powers contemplated within the White House's proposed legislation. That set of provisions would extend the reach of the Computer Fraud and Abuse Act (CFAA), the federal anti-computer-fraud statute, in ways that give rise to some troubling issues.
The CFAA, as originally conceived, is an important component of the trust framework online. It gives the federal government the necessary authority to pursue cybercrime, and CDT fully supports law enforcement’s use of those powers to prosecute hackers, identity thieves and other cybercriminals. However, over time, the statute has been substantially broadened. Moreover, civil actions have distorted its intended meaning, expanding it well beyond traditional conceptions of cybercrime, and criminal cases have sometimes followed. In the absence of Congressional action to limit the statute to the type of hacking it was intended to penalize, so that it more closely focuses on conduct that threatens cybersecurity, CDT opposes the White House proposal to broaden the CFAA. That proposal includes eliminating its first time offender provisions, imposing mandatory minimum sentences for some violations, and adding real property to the assets that can be forfeited in civil or criminal proceedings for conduct prohibited in the CFAA – changes that would exacerbate concerns with an already worrisome statute.
Is It a Crime?
At the core of concerns with the CFAA and the Administration’s proposals is a single overarching problem: the breadth of the activity criminalized under certain broad interpretations of the CFAA. There are a number of separate offenses under the statute – accessing a government computer, removing information from a computer, committing fraud through the use of a computer, and so on – but the linchpin of the prohibited action in each case consists of obtaining “access” to a computer without (or in excess of) "authorization."
Judges have differed significantly on the definitions of “access” and “authorization.” Some prosecutors and courts have interpreted unauthorized access to include using a computer service in violation of terms of service set by the entity offering the service. This interpretation essentially allows service providers and system operators to define common behaviors as criminal. Thus, in the famous 2008 Lori Drew case, a Missouri mother who impersonated a teenage boy on MySpace in order to taunt her daughter’s teenage rival, was charged in California under the CFAA after the girl committed suicide. The prosecutor’s theory was that Drew exceeded authorized access because the MySpace Terms of Service did not allow users to create accounts under a false name. As a result, he said, all of Drew’s use of the service was “unauthorized” and was criminal. While the court ultimately ruled in Drew’s favor, she nevertheless was required to spend months defending herself, flying back and forth to a state whose only connection to the case was that it contained MySpace’s servers. While Drew’s actions were reprehensible, they hardly constituted “hacking” in any meaningful sense.
While the Lori Drew prosecution drew widespread criticism, the theory behind it survives. In a more recent case, the Ninth Circuit held that a company’s former employee, conspiring with a current employee, violated the CFAA by acquiring information from the firm’s computer network and repurposing it for his own use because the employer had not authorized that type of access to information on its network. Again, while such activity might be illegal as theft, it should not be considered “computer fraud.” It is certainly not the kind of conduct one imagines should be addressed in a cybersecurity statute. Giving that employee an extra penalty simply because he misused documents printed off of the network rather than photocopying them from a pre-printed page makes little sense.
Under the CFAA, then, users could be hauled into court for failing to comply with any of the fine print terms in their email provider’s Terms of Service. For that reason, it is troubling that the administration’s primary cybersecurity law enforcement initiative is to take this now-overbroad law and increase its reach. If anything, CFAA revisions should focus on narrowing the statute to more carefully define the behavior it aims to prohibit.
Working on the Chain Gang
The largest section of the Administration proposal relating to the CFAA is devoted to bulking up the Act’s penalties. Penalties for first-time offenders under the statute would be increased, and in some cases more than doubled. Given the uncertainty as to the reach of the law, this is a particularly difficult change to swallow – first-time offenders are the least likely to know that actions that are apparently permissible may in fact be subject to criminal sanction, and that violating terms of service that they haven’t even read could land them in prison. Penalties should not be increased while the continuing confusion over the extent of “access” and “authorization” remains unresolved.
The White House proposal would also add a mandatory minimum three-year sentence for those who, as a component of a felonious violation of the CFAA, damage or attempt to damage a critical infrastructure computer, as long as such damage would “substantially impair” the operation of that computer or the critical infrastructure associated with it. The bill would define a “critical infrastructure computer” as any computer that manages or controls “systems and assets vital” to national defense, economic security, public health, or safety, including telecommunications networks and finance and banking systems. Combining the broad category of activities that could be felony violations of the CFAA, the new broad definition of “critical infrastructure,” and the ambiguity of the term “substantial impairment” creates a towering pile of legal uncertainty, and adding a mandatory minimum sentence is a recipe for unfairness.
The White House proposal also makes the CFAA a RICO predicate – adding it to the list of crimes that can be used to demonstrate a “pattern of racketeering activity.” This both subjects CFAA violators to additional, even harsher penalties and makes them subject to additional civil suits, asset forfeiture, and other racketeering remedies.
Adding these two broad statutes – CFAA and RICO - together creates the possibility for even more legal mischief: In the Lori Drew case, if the mother and daughter in question had created false accounts on both MySpace and Facebook in a false name and used those fake accounts in a coordinated fashion, they could have been subject to racketeering charges under the Administration proposal.
Let the Right One In
One portion of the CFAA criminalizes the trafficking in passwords with the intent to defraud. The White House bill would expand this to include trafficking in “means of access,” and removes the requirement that the trafficking affect interstate commerce. This change has certain benefits – as authentication moves beyond passwords to include multiple components, the law should ensure that all are protected – but may be written too broadly.
For example, this provision may mean that a user who reverse-engineers his own personal device, such as an Apple iPad, in order to “jail break” that device and install software of his choosing, and who then shares with others the code that he used to gain access, is now subject to criminal penalty. Lawyers have already tried to bring civil actions against those who modify their own devices under the existing language; this provision will give them new ammunition. A second example might be a user who designs a piece of software to bypass “captchas,” the boxes of difficult-to-read text that some sites use to identify human users. Circulating that software could also constitute a CFAA violation under the new language. This does not seem to us the type of activity that cybersecurity legislation ought to aim to punish.
Give it Away Now
Finally, the proposal would add “real property” – land, as well as houses and other structures on that land – to the list of items subject to civil forfeiture, as long as that property was used or intended to have been used to commit or facilitate the crime. Until now, real property had been specifically excepted from both the criminal and civil forfeiture provisions of the CFAA. Under the Administration proposal, property could still be protected through the “innocent owner” defense in 18 U.S.C. § 983(d), which says that an owner who did not know of the violator’s conduct or who did all that could reasonably be expected cannot have his property confiscated. However, that would still leave some potential holes in the law.
Imagine, for example, a teenage hacker who has used his parents’ computer to attempt to break into a bank network. If his parents were aware of his attempts but failed to turn him in, not only would that computer be subject to forfeiture, but so would his parents’ house. Similarly, imagine an infected computer center that is the home of a botnet launching further attacks against additional network, and a manager of that center who is lax in addressing the botnet infestation. The government, as part of prosecuting the originator of the botnet, could seize that computer center. Because the CFAA has been interpreted so broadly, the expansion of the civil forfeiture provisions is particularly troubling.
The conduct constituting a violation of the CFAA must be narrowed before Congress considers legislation to extend the statute and enhance the penalties under it. As Professor Orin Kerr has suggested, clarifying the definition of “authorization” to state that only exceeding code-based authorization is sufficient to constitute a violation would improve the statute significantly. Clarifying the meaning of “access” and “damage” under the statute would help as well.
Even with such changes, however, some of the administration’s proposals, such as mandatory minimum sentences for certain CFAA violations, would continue to raise concerns.