DOJ Finally Releases Its Internal, Mostly-Vague CFAA Prosecution Guidelines

from the DOJ-knows-'unauthorized-access'-when-it-sees-it,-apparently dept

The government often engages in very dubious CFAA prosecutions, but it takes a lawsuit to get it to talk about how it decides what cases are worth pursuing.

[T]hanks to a legal challenge to the CFAA, the Department of Justice is for the first time releasing its 2014 guidelines on how prosecutors should charge computer crimes — when someone exceeds “authorized” access on a computer. (First Look Media, the publisher of The Intercept, is a plaintiff in the case.)

The Department of Justice acknowledges that “laws addressing the misuse of computers have not kept pace uniformly with developments in technology and criminal schemes” though it maintains that the law remains “important” in prosecuting cybercrimes.

I'd imagine the DOJ is more concerned about crafty cybercriminals beating them in the tech arms race than it is about legislators' inability to reform the CFAA (something the DOJ routinely opposes). The "Intake and Charging Policy" memo [PDF] for the DOJ's prosecution of cybercrimes lists a number of factors to be considered before pursuing federal charges.

The first key is the sensitivity of the information or system accessed "without authorization," followed by national security considerations and economic impact. Public safety is also a factor. The document points out that information obtained without authorization can be deployed to stalk and harass officials and lower level members of the general public.

But the definition of "unauthorized access" isn't explored adequately in the legal memo, leaving this to be answered on a case-by-bad case basis. The prosecutions of Aaron Swartz and Andrew "Weev" Auernheimer suggest the DOJ allows this definition to be set by the complainant rather than by policy. When MIT or AT&T complain, the government listens.

Also of note is the DOJ's willingness to turf questionable cases to the local boys if that seems more likely to result in a conviction.

Where criminal activity risks these broad harms or has a substantial effect in several parts of the country, federal prosecution may be warranted. In other circumstances, if the effect of a violation is geographically focused and limited, deference to state or local authorities may be warranted, where they have the legal tools and resources to act.

The DOJ also reserves the right to take local prosecutions federal.

Where an offense causes particularly significant harm to a single District or community, federal prosecution may be warranted.

And then there's this part, which is what worries security researchers and white hat hackers:

[F]ederal prosecution may be warranted even where the offender did not actually obtain any such information; in other words, in certain aggravated circumstances, mere access to a computer system that stores these types of sensitive information may weigh in favor of prosecution.

On the plus side, the DOJ memo does make it clear that it would rather have evidence of malicious intent than mere "unauthorized access" to work with. It also states that it should take more than violations of Terms of Service or other "contracts" with websites/service providers to trigger federal prosecution.

Unfortunately, the law is still outdated (30 years old this month!) and "unauthorized access" prosecutions are still being handled inconsistently. The DOJ is prone to letting victims steer prosecutions, resulting in completely ridiculous outcomes like the two-year prison sentence handed to Matthew Keys for a 40-minute website defacement he didn't even perform.

The memo somewhat ominously concludes with the statement that this legal memo -- pried out of its hands by litigation -- isn't intended to be "all inclusive." Given the law hasn't aged terribly well and is predicated on a slippery term like "unauthorized access," the DOJ will likely be pursuing questionable edge cases for years to come.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cfaa, doj, guidelines, prosecution


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 1 Nov 2016 @ 5:00am

    the DoJ, like all US security forces, is only interested in getting an arrest that leads to a successful prosecution and jail sentence. it matters not to them in the slightest that the person arrested my well be innocent, and even if that becomes obvious, to get out of an abhorrent jail term for doing nothing wrong, the accused has to take a 'plea deal' of a lesser sentence just to allow the DoJ to 'save face' and for the accused to get out of the line of fire and a myriad of trumped up charges! disgraceful way to act considering we are supposed to live in a country that represents 'the land of the free, home of the brave'!

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Nov 2016 @ 5:40am

    Defining laws

    Vague laws and well defined laws are very different. A well defined law allows the government to enforce it in a consistent way, as well as lets the public know what it can and can not do. A vague law does not accomplish either of these.

    If this law is interpreted vaguely enough that violating the terms and conditions is enough to break the law, then it becomes useless for what most people think is the purpose of law. It becomes impossible to arrest someone for merely violating the law because almost everyone is guilty. A law that is vague can only be enforced selectively.

    A vague law can only be used for two purposes. The first one is to add extra charges to someone who broke other laws. This appears to be how the CFAA is used a lot of the time. The other way a vague law can be used is to punish someone who broke no other laws, but the government doesn't like. To do this, they take the vague law and interpret it in a way that makes it sound less vague, instead of saying the law make almost everything illegal, the government only says that the law makes a few things, including the specific actions of the 'guilty' person illegal.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Nov 2016 @ 6:35am

    one more new law!

    It is illegal to act TOO American or NOT American enough. If the DOJ determines if a suspect has been engage in insufficient or excessive amounts of being American they will be prosecuted within the fullest extent of the law!

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Nov 2016 @ 6:48am

    When MIT or AT&T complain, the government listens.

    High court, low court.

    link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 1 Nov 2016 @ 7:01am

    But the definition of "unauthorized access" isn't explored adequately in the legal memo, leaving this to be answered on a case-by-bad case basis. The prosecutions of Aaron Swartz and Andrew "Weev" Auernheimer suggest the DOJ allows this definition to be set by the complainant rather than by policy.

    Which is exactly how it should be. Or do you somehow think that the DOJ has a better idea than the owner of private property regarding who is and who is not trespassing on that property without the authorization of the owner?

    Unfortunately, the law is still outdated (30 years old this month!)

    Are you seriously suggesting that laws wear out from old age and need to be done away with? How about throwing these ones out, then? They're even older!

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Nov 2016 @ 8:13am

      Re:

      Your first point primarily allows powerful people to use the law to pursue a vendetta against those they do not like. Also such an approach allows law enforcement to steer complainants towards modifying the complaint to allow them to take action not justified by the initial complaint.

      link to this | view in chronology ]

    • icon
      That Anonymous Coward (profile), 1 Nov 2016 @ 8:30am

      Re:

      They can say who is or isn't authorized, but they should not be told you need to pad your damages to X level so we can do it more. The penalty should fit the crime, not the tortured imaginations of corporations who want the 'hackers' to suffer for making them look foolish.

      Laws don't wear out, laws become stupid over time.
      We still have laws on the books about telegraphs and carrier pigeons, because just bolting on new things and pretending the new works like the old is easier than actually having the laws reflect reality.

      Weev found something that made ATT look completely stupid, and went to prison because ATT faces no law requiring them to secure their systems. So we punish people who stumble over something left exposed by a corp who saved some cash by not following security procedures.

      Aaron had the entire weight of the government dropped on him to make an example of him... his 'crime' had no actual cash value and actually benefited society.

      Laws should not be to allow corporations to save face for being stupid & shouldn't be used to send a message not to mess with the Feds or else. This law is flawed in the current structure, I mean where were the CFAA charges for the Smart Tv that went and scanned the entire home network it was connected to and send out file names to the mothership?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Nov 2016 @ 8:12am

    Nom nom selling us out to a bad actor VPN...

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Nov 2016 @ 8:43am

    Regarding the Computer Fraud and Abuse Act, Leonard Bailey of the DoJ told an audience at BSides Las Vegas 2016 that the DoJ has a policy that now mandates any CFAA charges must have a consultation from DoJ headquarters before being official.

    This was stated at https://bsideslv2016.sched.org/event/7aPa/shall-we-play-a-game-30-years-of-the-cfaa.

    https://youtu.be/NzDGJk8C5Fc around 56:30.

    link to this | view in chronology ]

  • icon
    Padpaw (profile), 1 Nov 2016 @ 9:37am

    everyone is a criminal because they get kickbacks to the more people put into for profit prisons.

    link to this | view in chronology ]

  • identicon
    Zonker, 1 Nov 2016 @ 11:55am

    Steve Jobs and Steve Wozniak were phreakers. Steve Jobs got his start selling Woz's blue boxes used to hack the phone system to make toll-free calls in the '70s and stated in interviews that if not for the blue boxes, there would have been no Apple. Wozniak is now worth $100 million and Jobs died a multi-billionaire. Never prosecuted.

    Aaron Swartz died in a jail cell at 26 years of age facing the threat of 50 years in prison and $1 million in fines for exploiting MIT's own policies and license agreements with JSTOR to download as many research articles (research mostly paid for with publicly funded grants) as he could to make available to the public that already paid for the research. CFAA used to prosecute despite no other laws or legal agreements broken. JSTOR, the "wronged" party, didn't even want to prosecute.

    We will never know what Swartz could have created if not for the CFAA or his prosecution at the hands of the DOJ and MIT.

    We do know that Apple, Macintosh, the iPod/iPad/iPhone, iTunes, Pixar, etc. would never have existed if Jobs and Wozniack had been prosecuted under the CFAA, which did not exist at the time, or any laws actually broken that did exist. Job even called his LSD experiences around that same decade "one of the two or three most important things [he had] done in [his] life."

    This is the price we pay for the never ending pursuit of criminalization.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.