Update/Retraction: Upon further reflection, we have determined that portions of this blog post are not correct. We regret the error and are withdrawing the post in its entirety.
Specifically, the post suggested that Manning was double charged for access to classified material under the CFAA as well as under Section 793(e) of Espionage act. In fact, Manning was charged with two CFAA violations for access to particular sets of material that were not separately charged in the six Espionage act counts.
He was convicted of one, and pled guilty (with exceptions) to the other. Thus, Manning was not subject to additional potential jail time under both the Espionage act and the CFAA. It is true that, in one set of charges, Manning's was double charged under the CFAA for the same act. However, these charges were under 18 USC 1030(a)(1) and 18 USC 641, not the Espionage act. After this post was published, the Court merged these charges for sentencing purposes, however, so Manning will not be separately sentenced for the two charges. You can read the ruling.
Second, the post incorrectly asserted that Manning could be charged under CFAA section 1030(a)(1) merely for access by a computer to classified information. The isolated act of using a computer to access classified information is not a separate crime. To prove a violation of CFAA Section 1030(a)(1), the government has to prove more: It must also show unauthorized access to a computer goes beyond a terms of use violation. In June 2012, before the trial started, Manning's judge rejected the government's argument that merely violating a restriction on use of a computer that one is otherwise authorized to use transforms authorized use into unauthorized use for purposes of a CFAA violation. The ruling is here.
Instead, in Manning's case, the CFAA charges that went to trial stemmed from his access to State Dept. cables on the Secure Internet Protocol Routing Network. He was separately charged and convicted of bypassing security and installing unauthorized software on the SIPRNet. [End Update-Retraction]
We wrote yesterday about the dangerous “hacker madness” strategy used by the prosecution in the Bradley Manning trial, a tried-and-true tactic that attempts to scare judges into sustaining convictions based on a defendant’s knowledge of computers. However, another interesting fact of the Manning trial is being overlooked by the media: this is the first time we know of where the government has sustained a conviction under a controversial section of the Computer Fraud and Abuse Act (CFAA) known as (a)(1).
Manning’s conviction under this provision looks to be yet another example of prosecutors leveraging the CFAA to force more prison time on computer users while using other, almost identical laws to punish the same acts.
Though his ultimate sentence may be significantly shorter, Manning faces a maximum of 136 years in jail for the nineteen counts on which he would found guilty. Most significantly, he was found guilty of six counts under the Espionage Act and two counts under the CFAA. But when you read both of the statutes closely, they are completely redundant except for one aspect: computers.
In fact, as the Judiciary Committee Report on the 1996 amendment to the CFAA makes clear, Congress explicitly based (a)(1) of the CFAA off 793(e) of the Espionage Act. “The bill would bring the protection for classified national defense or foreign relations information maintained on computers in line with our other espionage laws,” the report says. The original CFAA, written in 1984 was modeled on another part of the Espionage Act, section 794, which has never been used in leak cases. But Congress wanted it tailored after 793(e), a statute that in recent years has been used to prosecute a record number of leakers. (Compare the text here and here.)
The statutes are so similar, in fact, it’s hard to tell them apart even when reading the Judiciary Committee’s explanation about how they differ:
Although there is considerable overlap between 18 U.S.C. 793(e) and section 1030(a)(1), as amended by the NII Protection Act, the two statutes would not reach exactly the same conduct. Section 1030(a)(1) would target those persons who deliberately break into a computer to obtain properly classified Government secrets then try to peddle those secrets to others, including foreign governments. In other words, unlike existing espionage laws prohibiting the theft and peddling of Government secrets to foreign agents, section 1030(a)(1) would require proof that the individual knowingly used a computer without authority, or in excess of authority, for the purpose of obtaining classified information. In this sense then, it is the use of the computer which is being proscribed, not the unauthorized possession of, access to, or control over the classified information itself.
Did you get all that? The Judiciary Committee basically copy-pasted the Espionage Act into the CFAA, but forbid "use of the computer" rather than accessing the documents. So there you have it: they specifically wanted to make the isolated act of using a computer a separate crime.
In the government’s mind, the Espionage Act can be used to punish a leaker of information, and if that person merely used a computer to get that information, they are guilty of an additional felony. So someone who emails documents to a journalists it got off a government computer will face ten more years per charge, than a government official who photocopied documents he got off a shelf and physically mailed them to the same journalist.
Of course, leaks to the press should never be equated with espionage, regardless of what statute is used. But this is yet another example of the government using knowledge of computers to unjustly ratchet up penalties on a crime that caused little or no harm.