DOJ Finally Releases Its Internal, Mostly-Vague CFAA Prosecution Guidelines
from the DOJ-knows-'unauthorized-access'-when-it-sees-it,-apparently dept
The government often engages in very dubious CFAA prosecutions, but it takes a lawsuit to get it to talk about how it decides what cases are worth pursuing.
[T]hanks to a legal challenge to the CFAA, the Department of Justice is for the first time releasing its 2014 guidelines on how prosecutors should charge computer crimes — when someone exceeds “authorized” access on a computer. (First Look Media, the publisher of The Intercept, is a plaintiff in the case.)
The Department of Justice acknowledges that “laws addressing the misuse of computers have not kept pace uniformly with developments in technology and criminal schemes” though it maintains that the law remains “important” in prosecuting cybercrimes.
I'd imagine the DOJ is more concerned about crafty cybercriminals beating them in the tech arms race than it is about legislators' inability to reform the CFAA (something the DOJ routinely opposes). The "Intake and Charging Policy" memo [PDF] for the DOJ's prosecution of cybercrimes lists a number of factors to be considered before pursuing federal charges.
The first key is the sensitivity of the information or system accessed "without authorization," followed by national security considerations and economic impact. Public safety is also a factor. The document points out that information obtained without authorization can be deployed to stalk and harass officials and lower level members of the general public.
But the definition of "unauthorized access" isn't explored adequately in the legal memo, leaving this to be answered on a case-by-bad case basis. The prosecutions of Aaron Swartz and Andrew "Weev" Auernheimer suggest the DOJ allows this definition to be set by the complainant rather than by policy. When MIT or AT&T complain, the government listens.
Also of note is the DOJ's willingness to turf questionable cases to the local boys if that seems more likely to result in a conviction.
Where criminal activity risks these broad harms or has a substantial effect in several parts of the country, federal prosecution may be warranted. In other circumstances, if the effect of a violation is geographically focused and limited, deference to state or local authorities may be warranted, where they have the legal tools and resources to act.
The DOJ also reserves the right to take local prosecutions federal.
Where an offense causes particularly significant harm to a single District or community, federal prosecution may be warranted.
And then there's this part, which is what worries security researchers and white hat hackers:
[F]ederal prosecution may be warranted even where the offender did not actually obtain any such information; in other words, in certain aggravated circumstances, mere access to a computer system that stores these types of sensitive information may weigh in favor of prosecution.
On the plus side, the DOJ memo does make it clear that it would rather have evidence of malicious intent than mere "unauthorized access" to work with. It also states that it should take more than violations of Terms of Service or other "contracts" with websites/service providers to trigger federal prosecution.
Unfortunately, the law is still outdated (30 years old this month!) and "unauthorized access" prosecutions are still being handled inconsistently. The DOJ is prone to letting victims steer prosecutions, resulting in completely ridiculous outcomes like the two-year prison sentence handed to Matthew Keys for a 40-minute website defacement he didn't even perform.
The memo somewhat ominously concludes with the statement that this legal memo -- pried out of its hands by litigation -- isn't intended to be "all inclusive." Given the law hasn't aged terribly well and is predicated on a slippery term like "unauthorized access," the DOJ will likely be pursuing questionable edge cases for years to come.
Filed Under: cfaa, doj, guidelines, prosecution
Reader Comments
Defining laws
If this law is interpreted vaguely enough that violating the terms and conditions is enough to break the law, then it becomes useless for what most people think is the purpose of law. It becomes impossible to arrest someone for merely violating the law because almost everyone is guilty. A law that is vague can only be enforced selectively.
A vague law can only be used for two purposes. The first one is to add extra charges to someone who broke other laws. This appears to be how the CFAA is used a lot of the time. The other way a vague law can be used is to punish someone who broke no other laws, but whom the government doesn't like. To do this, they take the vague law and interpret it in a way that makes it sound less vague: instead of saying the law makes almost everything illegal, the government only says that the law makes a few things, including the specific actions of the 'guilty' person, illegal.
one more new law!
When MIT or AT&T complain, the government listens.
Which is exactly how it should be. Or do you somehow think that the DOJ has a better idea than the owner of private property regarding who is and who is not trespassing on that property without the authorization of the owner?
Are you seriously suggesting that laws wear out from old age and need to be done away with? How about throwing these ones out, then? They're even older!
Re:
Your first point primarily allows powerful people to use the law to pursue a vendetta against those they do not like. Also such an approach allows law enforcement to steer complainants towards modifying the complaint to allow them to take action not justified by the initial complaint.
Re:
Laws don't wear out, laws become stupid over time.
We still have laws on the books about telegraphs and carrier pigeons, because just bolting on new things and pretending the new works like the old is easier than actually having the laws reflect reality.
Weev found something that made AT&T look completely stupid, and went to prison because AT&T faces no law requiring them to secure their systems. So we punish people who stumble over something left exposed by a corp who saved some cash by not following security procedures.
Aaron had the entire weight of the government dropped on him to make an example of him... his 'crime' had no actual cash value and actually benefited society.
Laws should not be to allow corporations to save face for being stupid, and shouldn't be used to send a message not to mess with the Feds or else. This law is flawed in the current structure. I mean, where were the CFAA charges for the Smart TV that went and scanned the entire home network it was connected to and sent out file names to the mothership?
This was stated at https://bsideslv2016.sched.org/event/7aPa/shall-we-play-a-game-30-years-of-the-cfaa.
https://youtu.be/NzDGJk8C5Fc around 56:30.
Steve Jobs and Steve Wozniak were phreakers. Steve Jobs got his start selling Woz's blue boxes used to hack the phone system to make toll-free calls in the '70s and stated in interviews that if not for the blue boxes, there would have been no Apple. Wozniak is now worth $100 million and Jobs died a multi-billionaire. Never prosecuted.
Aaron Swartz died in a jail cell at 26 years of age facing the threat of 50 years in prison and $1 million in fines for exploiting MIT's own policies and license agreements with JSTOR to download as many research articles (research mostly paid for with publicly funded grants) as he could to make available to the public that already paid for the research. CFAA used to prosecute despite no other laws or legal agreements broken. JSTOR, the "wronged" party, didn't even want to prosecute.
We will never know what Swartz could have created if not for the CFAA or his prosecution at the hands of the DOJ and MIT.
We do know that Apple, Macintosh, the iPod/iPad/iPhone, iTunes, Pixar, etc. would never have existed if Jobs and Wozniak had been prosecuted under the CFAA, which did not exist at the time, or under any laws that did exist and were actually broken. Jobs even called his LSD experiences around that same decade "one of the two or three most important things [he had] done in [his] life."
This is the price we pay for the never ending pursuit of criminalization.