Old laws can cause confusion and unduly harsh consequences, particularly when courts confront situations Congress did not anticipate. This is particularly true for the Computer Fraud and Abuse Act, 18 U.S.C. § 1030—the federal "antihacking" statute prompted in part by fear generated by the 1983 technothriller "WarGames." The CFAA was enacted in 1986, and the government's current prosecution of journalist Matthew Keys—who faces sentencing on Jan. 20 for three counts of violating the CFAA—illustrates the 30-year-old statute's many problems.
The CFAA makes it illegal to intentionally access a "protected computer"—which includes any computer connected to the Internet—"without authorization" or in excess of authorization. But the CFAA does not define "without authorization." This has given overzealous prosecutors broad discretion to bring criminal charges against individuals for behavior that simply doesn't rise to the culpability Congress had in mind when it passed this serious criminal law, such as doing something on a computer network that the owner doesn't like. (There is currently a circuit split on whether violations of employerimposed use restrictions can give rise to CFAA liability, with the U.S. Courts of Appeal for the Second, Fourth and Ninth Circuits finding that they cannot, and the First, Fifth, Seventh and Eleventh finding that they can.)
The Keys case centers on behavior that essentially amounts to Internet vandalism. After being fired from the Tribune Company, Keys shared the username and password of the Tribune Company's content management system in an online chat room. Another individual then used the credentials to log into the CMS and make some juvenile but relatively innocuous changes to a Los Angeles Times article, including modifying the title of the article to read "Pressure builds in House to elect CHIPPY 1337" (from "Pressure builds in house to pass taxcut package"). The changes were live for only about 40 minutes, after which the Tribune Company restored the original article and effectively blocked outside access to its CMS.
The government charged Keys with three felony counts under the CFAA: (i) conspiracy to cause damage to a protected computer; (ii) transmission of computer code that resulted in unauthorized damage; and (iii) attempted transmission of malicious code to cause unauthorized damage. Keys was convicted on all three counts and now faces a maximum 25year prison sentence—10 years each for the first two offenses and 5 years for the third.
The case is a stark example of how prosecutors are using the CFAA to get harsher punishments than they could get for analogous crimes in the physical world. One reason the Second Circuit recently joined the Fourth and Ninth Circuits in holding that the CFAA does not apply to violations of employer-imposed use restrictions was the court's recognition that prosecutors should not have such broad discretion: "A court should not uphold a highly problematic interpretation of a statute merely because the government promises to use it responsibly." United States v. Valle, __ F.3d __, 2015 WL 7774548, *19 (2d Cir. Dec. 3, 2015).
To truly rein in prosecutorial discretion under the CFAA—and to avoid "transform[ing] the CFAA from an anti-hacking statute into an expansive misappropriation statute[,]" United States v. Nosal, 676 F.3d 854, 857 (9th Cir. 2012)—courts must observe the rule of lenity and limit application of the phrase "without authorization" in a way that captures Congress' "anti-hacking" intent.
Compounding the problem, the CFAA has a disproportionately harsh penalty scheme. First time offenses are currently punishable by up to five years in prison, plus fines. Other violations are punishable by up to ten years, twenty years, or even life in prison. Maximum punishments are sometimes just a ploy to induce a defendant into a plea bargain or capture the public's attention, as we saw in the government's tragic case against Aaron Swartz. Aaron, facing up to 35 years in prison pursuant to the CFAA's harsh penalty scheme, took his own life. But maximums also impact the ultimate sentence imposed, as they are viewed as a sign of the severity of the crime.
Here, Keys faces up to 25 years in federal prison, even while a prosecutor on the case publicly acknowledged that "[t]his is not the crime of the century." The government has in fact signaled—but not promised—that it will "likely" seek less than five years, but even that seems too much for a 40 minute prank. A recent public survey measuring people's beliefs about authorization and appropriate punishments for a variety of computer misuse activities confirms that the CFAA's penalties are drastically out of touch with lay instincts about the culpability of "unauthorized" computer access. While those surveyed generally thought of checking a weather report at work as "unauthorized," 60 percent nevertheless thought it should not be punished at all, while 32 percent thought it should be punished with the equivalent of a parking ticket. See Matthew Kugler, "Measuring Computer Use Norms," Geo. Wash. L. Rev. (forthcoming 2016). And without sensible judicial interpretations of the CFAA's broad language, the law will keep drifting further from how we use computers today.
Sadly, some courts have gone in the wrong direction, paving the way for exorbitant punishments. For example, certain provisions of the CFAA require a showing of loss or damage. The statute defines "damage" as "any impairment to the integrity or availability of data, a program, a system, or information," and "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]" See 18 U.S.C. § 1030(e)(8), (11). Courts have interpreted "cost of responding to an offense" and "conducting a damage assessment" to include costs associated with investigation of an offense and subsequent remedial measures—with no requirement that these be reasonable or proportionate to the type of unauthorized access alleged. Both prosecutors and civil plaintiffs have taken advantage of this. And because the amount of damage or loss claimed can impact the severity of a sentence, the abusive use of trumped-up loss claims is particularly problematic when paired with the CFAA's already unduly harsh penalties.
In the Keys case, for instance, the government has argued that the Tribune Company incurred losses of $929,977.00. This includes fees for a lawyer who, according to WIRED magazine, was told by a Tribune Company manager, "if you bill $1,000 an hour, that would help us get this prosecuted." At trial, the manager claimed that this was just a joke about the lawyer's high billing rates. Either way, it seems dubious that it legitimately cost the Tribune Company almost a million dollars to deal with an article that was "defaced" for approximately 40 minutes.
Internet vandalism, while not commendable, should not give rise to charges that carry the potential of a 25-year prison sentence. The Keys case shows what many of us have known for years: it's time for courts to take serious steps to ensure that the CFAA is consistently interpreted narrowly, in line with the rule of lenity, and, if they do not, for Congress to take up the task of CFAA reform.
Update: Keys' sentencing hearing was moved to April 13, 2016.
Reprinted with permission from the January 11, 2016 edition of the Recorder © 2016 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.