The Computer Fraud and Abuse Act (CFAA) is the federal government’s principal legal weapon in the battle to protect computer systems and electronically stored information from thieves and vandals. A criminal statute that can be enforced by the U.S. Department of Justice, the CFAA also authorizes private parties to bring a civil damages action against anyone who violates its terms. Two circuits have reasonably construed the CFAA in order to avoid an overbroad interpretation of its terms. Congress, however, may not be interested in clarifying the CFAA and instead may create new and needless ambiguity as to the meaning of its terms.
The Purpose of the CFAA
Congress enacted the original version of the CFAA in 1984 to keep hackers from obtaining confidential information maintained by the federal government in computer files or from infecting the government’s network of computer systems with a virus. Since then, Congress has amended the CFAA on several occasions, each time enlarging the reach of the statute. Today, the CFAA reaches any computer that is connected to the Internet or that a person or company uses that is “in” or “affects” interstate commerce, terms that enable the government to regulate a broad range of conduct.
The CFAA forbids someone from accessing information in a protected computer if he or she acts “without authorization” or “exceeds [his or her] authorized access.” Congress did not define those terms, however, and the lower federal courts have disagreed over their meaning.
Some courts have construed those terms quite broadly. For example, some courts have decided that a person violates the CFAA if he or she uses a computer to obtain information or for any other purpose not expressly permitted by the computer’s owner. An employee would violate the act if he uses his employer’s proprietary information for his own profit, even though he was entitled to access and use that information for his employer’s benefit; if his use of a computer violates a state-law duty of honesty; or if he violates any provision of an Internet service provider’s terms-of-service contract.
Other courts have read the CFAA far more narrowly. They have concluded that the statute is concerned with accessing information by means of a computer, not with the subsequent use to which the information is put. Those courts have held that a person does not violate the CFAA if he has permission to access information for any purpose, even if he later misuses whatever information he obtains. Under that interpretation of the CFAA, an employee would not act unlawfully by using his employer’s proprietary information for his own benefit as long as the employee was entitled to access that material in his job.
Each interpretation of the CFAA has obvious benefits but also creates equally obvious problems. The broad interpretation protects against the misuse of lawfully obtained information, but it also would make it a crime for an employee to use his work computer to access the Internet in order to check his standing in a fantasy football league or for any of the myriad other harmless reasons why a person would surf the net. The second, narrower interpretation avoids criminalizing harmless Internet access but would not bar an employee from accessing his employer’s business plan for the purpose of selling it to a rival or from snooping around his coworkers’ electronic medical files.
The Decisions in Nosal and WEC
The United States Courts of Appeals for the Ninth and Fourth Circuits addressed this issue in similar contexts last year and reached the same conclusion. Each case involved a person who, acting by himself or with confederate insiders at a company, obtained a firm’s proprietary business information and used it for his own benefit. In each case, the circuit court rejected an expansive construction of the CFAA because of the fear that a broad interpretation would criminalize conduct that no one would characterize as blameworthy. Both courts ruled that the relevant inquiry is whether someone is permitted to access information by means of a computer. If the answer is “Yes,” the inquiry is over, regardless of the use that person later makes of the information.
The Ninth Circuit case involved David Nosal, a former senior official at Korn/Ferry International, an executive search firm. Nosal enticed company employees to supply him with valuable information that he used at his own rival firm. The federal government charged him with violating the CFAA, but the en banc Ninth Circuit rejected the government’s reading of the statute. In United States v. Nosal, the court held that Nosal did not violate the CFAA because his confederates had permission to access Korn/Ferry’s data base, even though they did not have permission to give that information to him.
WEC Carolina Energy Solutions v. Miller, a civil lawsuit, involved a comparable set of facts, the principal difference being that Mike Miller downloaded WEC’s proprietary information before he left the company and later used it to win a welding contract for one of WEC’s rivals. Relying heavily on the Ninth Circuit’s decision in Nosal, the Fourth Circuit affirmed the dismissal of WEC’s lawsuit against Miller.
The Ninth and Fourth Circuits were troubled by the breadth of the government’s interpretation of the CFAA. As Ninth Circuit Chief Judge Alex Kozinski feared, under the government’s reading of the CFAA, “millions of unsuspecting individuals would find that they are engaging in criminal conduct” simply because they have violated one of the “terms of service” adopted by their Internet service provider. As Judge Kozinski explained:
Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching Reason.TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement….
Employer-employee and company-consumer relationships are traditionally governed by tort and contract law; the government’s proposed interpretation of the CFAA allows private parties to manipulate their computer-use and personnel policies so as to turn these relationships into ones policed by the criminal law. Significant notice problems arise if we allow criminal liability to turn on the vagaries of private policies that are lengthy, opaque, subject to change and seldom read. Consider the typical corporate policy that computers can be used only for business purposes. What exactly is a “nonbusiness purpose”? If you use the computer to check the weather report for a business trip? For the company softball game? For your vacation to Hawaii? And if minor personal uses are tolerated, how can an employee be on notice of what constitutes a violation sufficient to trigger criminal liability?
Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved. Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they’d better not visit ESPN.com. And sudoku enthusiasts should stick to the printed puzzles, because visiting www.dailysudoku.com from their work computers might give them more than enough time to hone their sudoku skills behind bars.
In each case, the circuit court denied the complaining party relief under the CFAA but noted that state tort law—and possibly even state criminal law—might offer a remedy for unsavory conduct.
Were this problem a simple matter of selecting the appropriate tort remedy, the federal courts could weigh the competing interests and over time, using the incremental, case-by-case adjudication process characteristic of common-law decisionmaking, craft an answer that best accommodates competing societal and individual interests. The CFAA, however, is a criminal statute, which changes the nature of the resolution process. Courts must interpret its text rather than use it as a launching pad to create federal common law, since federal courts lack authority to define crimes. Courts also must construe the CFAA’s terms strictly, because whatever reading the courts adopt will be applied in Justice Department–initiated criminal prosecutions, not just in damages actions filed by injured private parties.
The Fourth and Ninth Circuits both correctly followed that approach. The CFAA uses the term “authorization” but does not define it. The ordinary dictionary meaning of “authorize” is to grant permission, to warrant, or to sanction. That interpretation focuses on the front end of the process at issue in cases like WEC and Nosal—that is, a party’s use of a computer to reach or retrieve information acquired for later use.
The private plaintiff and the government in WEC and Nosal, respectively, sought to expand the meaning of those terms to include a later, impermissible use of information that was permissibly obtained. The fundamental problem with that reading of the CFAA, as both circuits recognized, is that it would make criminals out of millions of people who use a government or private work computer to visit the Internet for purposes that no one would deem inappropriate, such as briefly reading the news at Fox, checking the baseball standings at ESPN, playing Sudoku, or looking for sales at L.L. Bean. Diversions like those have replaced coffee room chatter for many people today, and no one would consider sojourns to those websites inherently unlawful, immoral, or dangerous. Both courts correctly rejected an argument that would criminalize vast amounts of innocuous behavior. Indeed, that is one of the archetypical instances in which the criminal law rule of lenity should be applied.
The result in each case might seem harsh. The government cannot prosecute Nosal under the CFAA, and Miller’s former employer cannot sue him under that law. Injured parties—Korn/Ferry, WEC, and the public—are denied a remedy under a law that sought to protect the integrity of computer storage systems against misappropriation. But a federal criminal prosecution or a federal damages action is not the only available response. State law may make it a crime to engage in the same conduct involved in WEC and Nosal or may provide a tort remedy for an injured party. In any event, the federal courts ought not to construe ambiguous criminal law broadly for fear that an offender will escape.
The rule of lenity has been an important part of the Anglo–American law since the 18th century, and it is as valuable a feature of the penal law as are the statutes defining offenses. The rule of lenity has survived for more than two centuries for an eminently sensible and important reason: It protects morally blameless parties from the risk of being erroneously charged with a crime, the burden of defending themselves against a criminal accusation, the fear of being convicted of an offense, the public obloquy that always follows that event, and the pain of suffering a criminal punishment.
Those parties always will be offstage whenever a case like WEC or Nosal is litigated, so it can be easy to overlook them. But they always are present, and they, too, are entitled to the protection of the law. The decisions by the Ninth and Fourth Circuits correctly recognize that a properly limited criminal statute is as valuable to the innocent members of the public as is a vigorously prosecuted law.
Congress Does Not Get the Message
The circuit court decisions in Nosal and WEC gave rise to the hope that the courts would reject the government’s attempt to give an unduly broad interpretation to the CFAA’s terms. The tragic death of Aaron Swartz—a computer prodigy who committed suicide rather than stand trial for violating the CFAA by allegedly using MIT’s computers to download millions of scholarly articles from JSTOR, a website normally accessible by paying a fee—also led some people to believe that Congress might trim the reach of the CFAA. Unfortunately, it often takes such an event to generate the critical mass in Congress necessary to change the law.
It is not clear, however, that Congress will limit the reach of the CFAA. A draft bill circulating among the members and staff of the House Judiciary Committee could expand the potential for criminal liability under the CFAA. Yet, while some of the terms in the draft bill that are used to define a crime are quite broad, a critical term is left undefined.
Specifically, the draft bill would make it a crime for anyone “intentionally” to access “any protected computer” in a manner that “exceeds authorized access” and that enables that party to obtain “non-public information of an entity or another individual.” The first three elements of that proposal are quite broad. The term “intentionally” takes in everyone who uses a computer to access the Internet. A “protected computer” includes every Internet-connected computer. A manner that “exceeds authorized access” embraces a violation of any of the terms or conditions of a party’s Internet service provider’s contract.
The $64,000 question, therefore, is what does the draft bill mean by the term “non-public information of an entity or another individual”? The draft bill does not define that term. It could mean any information not published in the print edition of The New York Times. If so, that term is quite broad. Or it could mean only information that is not accessible via the Internet and that can be obtained only by “hacking” into someone else’s computer. If that latter interpretation were true, the draft bill would be far more limited. Indeed, it might limit the bill to conduct that is akin to breaking into a locked file cabinet or vault in order to obtain information that its owner certainly wanted to be unavailable to anyone not given a key. Regrettably, it is unclear whether the term “non-public information of an entity or another individual” should be given a broad, a narrow, or an intermediate-range construction because the draft bill does not define that term.
The Ninth Circuit’s decision in Nosal and the Fourth Circuit’s decision in WEC indicated that those courts were aware of the serious risk of overcriminalization that would follow from endorsing the government’s overly broad interpretation of the CFAA. Now it seems that there is a risk that Congress did not get the message that each decision seemed clearly to transmit.
The problem is twofold: First, it is unclear how far the draft bill would reach. That is unfortunate because a criminal statute ought to identify clearly whatever conduct it outlaws. That is a basic principle of criminal and constitutional law, and it is therefore irresponsible to leave important terms in a federal criminal statute undefined.
Second, there is no question that the Justice Department reads the current version of the CFAA as making it a crime to breach a term or condition of a party’s Internet service provider’s contract. That interpretation is flawed for the reasons given by the Ninth Circuit in Nosal and the Fourth Circuit in WEC. The government’s interpretation of the CFAA, for example, would make it a crime to lie about one’s age, height, weight, and so forth on an Internet dating site if that site, or if the telecommunications company connecting a visitor to that site, required everyone to be completely truthful about every fact, in which case lying to gain access to the site would be “unauthorized” and anyone who did so would be exceeding authorized access.
Further, the government’s interpretation of the CFAA also does not require that someone knowingly violate a term-of-service agreement, let alone that a person do so willfully—that is, intentionally flout the law. The Justice Department’s reading of the CFAA would hold someone strictly liable for violating a term or condition of an Internet service contract even though Anglo–American law generally treats strict liability offenses as unwanted stepchildren.
The federal government has a legitimate interest in protecting classified information, financial data, and the like, but it has no interest in using the criminal law to prohibit private parties from checking their March Madness selections on an employer’s computer, regardless of that employer’s computer use policy. Any statute that would make such conduct a crime is a classic example of overcriminalization and gives the criminal law a bad name. Nor does the government have an interest in using the federal criminal law to protect the secrecy of grandma’s recipe for apple pie. Civil law can adequately protect that interest. Moreover, it is unwise as a matter of policy for Congress not to make clear exactly what would be a crime.
The Ninth and Fourth Circuits correctly identified the problems that would follow from the Justice Department’s interpretation of the CFAA. The appropriate step for Congress to take is to say that those circuits were right and to narrow the reach of the CFAA, not to expand the reach of the statute or to leave new, ambiguous terms undefined.
—Paul J. Larkin Jr. is a Senior Legal Fellow and Manager of the Overcriminalization Project in the Edwin Meese III Center for Legal and Judicial Studies at The Heritage Foundation.