As federal anti-hacking law turns 35, its meaning, reach and effectiveness are still murky
The year was 2012 and Mark Jaffe and Tor Ekeland had just started a law firm. Business was not exactly booming, and the two had decided to bet their fledgling firm on defending a highly controversial client pro bono.
“It got really bad at points,” recalls Jaffe, a partner at Tor Ekeland Law in Brooklyn. “It’s: ‘How are we paying rent? Literally, can I get to the courthouse? When’s it going to pay off?’ “
The client, Andrew Auernheimer, is a hacker who in 2010 had a small internet security company that got into hot water. Going by the online handle “weev,” he’s also “a neo-Nazi white supremacist infamous for his internet trolling and extremely violent rhetoric advocating genocide of non-whites,” according to the Southern Poverty Law Center.
Auernheimer was facing two counts under the Computer Fraud and Abuse Act—the federal government’s anti-hacking statute—after he and his business partner found a vulnerability on an AT&T website that left iPad users’ information public. Through an automated script, they slurped up 120,000 email addresses and SIM card identifiers. While his partner took a plea, Auernheimer faced 41 months in prison and decided to fight the case.
Auernheimer had been represented by a federal defender who wanted him to take a plea, but he wanted to fight. Ekeland and Jaffe decided to take on the case, even though neither was a technology expert nor had either been to trial before. However, they thought the case would bring the firm needed media attention, and, Jaffe says, the issues presented were fascinating.
Among other issues, the two attorneys argued that when Auernheimer visited the AT&T website and collected the data, he did not violate the CFAA’s prohibition against “unauthorized access”—the online version of trespass—because the site was public and unprotected. To consider this a crime, they said, would have significant consequences.
“It was such an overbroad interpretation of [the CFAA],” Jaffe recalls. “The particular offense that he was charged with could be used to prosecute many other types of people doing what we consider to be legitimate work that wasn’t meant to be prohibited by the act.” Ekeland and Jaffe lost at trial, but the U.S. Court of Appeals for the 3rd Circuit vacated the conviction on jurisdictional grounds in 2014 and freed Auernheimer.
Through representing Auernheimer, Ekeland and Jaffe had found what they described as an overly broad statute to mine that has led to other high- and low-profile work over the past seven years. That’s because the law, which was passed 35 years ago in October, is still, in Ekeland’s words, “the Wild Wild West.”
What had started as a pre-internet computer crime law affecting national security and finance has become a statute that prosecutors, plaintiff attorneys and defense counsels agree isn’t right for its time, and maybe never was. Even with broad agreement on the problem, however, the solution is less clear.
Flashback to WarGames
To many, this problem was baked in at the law’s inception. Partly informed by the 1983 Matthew Broderick teen drama WarGames, Congress created the first anti-hacking statute within the Comprehensive Crime Control Act of 1984. Not even three pages long, the novel law was interested in protecting national security and financial institutions from criminal computer access.
Then came the CFAA, which went into effect in 1986 and ballooned the scope of the law, adding extensive civil and criminal liabilities. Today, the law concerns itself with almost every digital device in the U.S.—except for calculators, notably—and millions more abroad.
As the scope of the law grew through eight subsequent updates, clarity has not improved. Foundational questions remain regarding the law’s anti-hacking provisions, which criminalizes attaining access “without authorization” and “exceeding authorized access” of a protected computer. The lack of specificity is one thing that prosecutors and defense counsels can agree on.
John Richter, who was acting assistant attorney general of the Criminal Division at the U.S. Department of Justice in 2005 and U.S. attorney for the Western District of Oklahoma from 2005 to 2009 before joining King & Spalding as a partner, says he understands why the broad language was originally attractive. For prosecutors, it provided flexibility as technology developed without requiring Congress to pass a new law.
However, as an unintended consequence, today the law “can be construed to cover—theoretically—all behavior on a computer, in almost every instance,” he says.
To Ekeland, managing partner at his eponymous firm, “the central problem with [the CFAA] is that it doesn’t define what it prohibits, which is unauthorized access.”
At issue isn’t the seedy underworld of black hat hacking that fills the plots of movies and TV shows, like Mr. Robot. This debate largely centers on whether the breach of terms of service or other contractual relationships “exceed authorized access” under the law.
In 2010, the U.S. Court of Appeals for the 11th Circuit heard arguments regarding Roberto Rodriguez, who worked for the Social Security Administration, which limited employee access to its databases for work purposes. At trial, the defendant conceded that he accessed SSA systems to gather personal information of women he knew and their relatives.
In a broad ruling, the court held that a person exceeds authorized access when an employee accesses information for nonbusiness purposes in breach of the employer’s policy. Rodriguez spent 12 months in prison.
The U.S. Courts of Appeals for the 1st, 5th and 7th circuits have a similar view.
Major crime or minor violation?
By contrast, the U.S. Court of Appeals for the 9th Circuit took a more narrow interpretation.
Like the SSA in Rodriguez, Korn/Ferry, an executive search firm, had an established policy that limited employee access to company data. David Nosal, an ex-employee of the firm, had stayed on for a year as a consultant under a noncompete contract. During that time, Nosal asked three, then-current employees to access proprietary information on the company’s computer system to help start a competing firm. The DOJ pressed charges.
Citing the rule of lenity, which says criminal law should be construed narrowly in favor of the defendant, Judge Alex Kozinski wrote in 2012 that the term “exceeds authorized access” in the CFAA does not extend to violations of user restrictions. To find as the 7th Circuit did in Rodriguez, he reasoned, would lead to absurd outcomes where “millions of unsuspecting individuals would find that they are engaging in criminal conduct.”
The 2nd and 4th circuits follow this line of reasoning.
The U.S. Supreme Court had an opportunity to resolve this split in 2016’s Musacchio v. United States, but declined to do so, leaving many run-of-the-mill online actions in legal limbo.
For example, it’s unclear if companies that use automated browsing, also called web scrapping, break the law when searching public websites. Nonmalicious security researchers operate under a cloud of uncertainty when they find a vulnerability in a website. Where sharing a password breaches a company’s terms of service, it is an open question if that is enough to qualify as a crime.
As uncertainty swirls around the law, those that do transgress this nearly invisible boundary can receive long jail sentences that many see as overly punitive.
Take, for example, Matthew Keyes, a journalist who gave a company user name and password to a member of the online group Anonymous. According to court documents, the individual with the log-in credentials wrote and published a nonsensical story on the Los Angeles Times website, which was taken down within an hour of posting.
Keyes was indicted in 2013 on three felonies under the CFAA and faced 25 years in prison. Ultimately, he spent two years incarcerated.
To Jamie Williams, a staff attorney at the Electronic Frontier Foundation, big punishments for small offenses is part and parcel of a larger problem: The CFAA tries to do too much.
“We have one very vague, and very serious, criminal law, which is today used to go after everything from serious computer break-ins to not-so-serious violations of computer use polices,” she says. “It simply should not be possible for a terms-of-service violation to give rise to criminal liability.”
She advocates for a separate law covering minor online infractions. She’s not alone; breaking up the law is also a popular idea for civil attorneys.
“[M]y personal view is that Congress should return to the drawing board and draft two separate laws,” says Ambrose McCall, who represents employers as a partner at Hinshaw & Culbertson in Peoria, Ill., “one for criminal prosecutions and a different one for civil cases.”
Until that occurs, he says, the rule of lenity may incorrectly be applied to civil cases, which creates confusion and could be one reason for the current circuit split.
To create needed clarity, Ric Simmons, a professor at Ohio State University’s Moritz College of Law, argues that a new administrative body could help define what unauthorized access looks like when applied to new technologies.
“It’s faster,” he says, “Also you’d have the expertise of administrative agencies,” as opposed to judges that dabble in this area of law occasionally.. The agency would operate similarly to how the Food and Drug Administration defines prohibited narcotics or the Securities and Exchange Commission oversees insider trading, which provides dexterity in the face of rapidly changing technologies and a supine Congress.
Regardless of the direction reform can take, adding clarity to the CFAA will mean limiting its scope and potentially missing some offenders. But that’s OK, says Richter, the ex-federal prosecutor.
“You’re never going to have a criminal justice system that captures and punishes everyone for every crime,” he says. “The republic will stand if something is missed.”