March 16, 2015
Courtesy of Leslie R. Caldwell, Assistant Attorney General for the Criminal Division
In a series of recent posts, we’ve been discussing the need for the Administration’s current cybersecurity proposals and how they have been drafted in a careful and targeted way to enable us to protect privacy and security without ensnaring harmless or legitimate conduct. Reaching this balance is important in many parts of the criminal law, but it is particularly important in the law that protects the privacy and security of computer owners and users — the Computer Fraud and Abuse Act (CFAA). This law applies both to the hackers who gain access to victim computers without authorization from halfway around the world, and to those who have some authorization to access a computer — like company employees entitled to access a sensitive database for specified work purposes — but who intentionally abuse that access. Yet the CFAA needs to be updated to make sure that the statute continues to appropriately deter privacy and security violations. The Administration has proposed an amendment that maintains the law’s key privacy-protecting function while ensuring that trivial violations of things like a website’s terms of service do not constitute federal crimes.
As noted, in addition to prohibiting unauthorized access to victim computers by outside hackers, the CFAA also covers the conduct of insiders who have a right to access a system but who abuse that right and access sensitive or valuable information for their own purposes. This part of the CFAA is, for example, the tool that department prosecutors have used to charge police officers who took advantage of their access to confidential criminal records databases in order to look up sensitive information about a paramour, sell access to those records to others, or even provide confidential law enforcement information to a charged drug trafficker.
We’ve also used this statute to prosecute an employee of a health insurer who used his access to the company’s sensitive databases to improperly obtain the names and Social Security numbers of hundreds of thousands of current and former employees (as well as information about how much his colleagues were being paid).
Unfortunately, recent judicial decisions have limited the government’s ability to prosecute such cases. As a result of these decisions, insiders may be effectively immunized from punishment even where they intentionally exceed the bounds of their legitimate access to confidential information and cause significant harm to their employers and to the people — often everyday Americans — whose data is improperly accessed.
The restrictive judicial interpretation of the term “exceeds authorized access” in the CFAA stemmed from the concern that the statute potentially makes relatively trivial conduct a federal crime. For example, a federal court feared that the statute could be construed to permit prosecution of a person who accesses the internet to check baseball scores at lunchtime in violation of her employer’s strict business-only internet use policy. Or, similarly, where a member of the public accesses a dating website but lies about his physical fitness in violation of the site’s terms of service that require users to provide only accurate information.
We understand these concerns. The Department of Justice has no interest in prosecuting harmless violations of use restrictions like these. That’s why we’ve crafted proposed amendments to the CFAA to address these concerns — while still preserving the law’s application to those who commit serious thefts and privacy invasions.
To accomplish this, the proposal does two things. First, it addresses the recent judicial decisions that have prevented important prosecutions. It does this by clarifying that the definition of “exceeds authorized access” includes the situation where the person accesses the computer for a purpose that he knows is not authorized by the computer owner. This clarification is necessary to permit the prosecution of, for example, a law enforcement officer who is permitted access to criminal records databases, but only for official business purposes. Second, at the same time, the proposal adds new requirements that the government must meet to make clear that trivial conduct does not constitute an offense. In order to constitute a crime under the new wording, not only must an offender access a protected computer in excess of authorization and obtain information, but the information must be worth $5,000 or more, the access must be in furtherance of a separate felony offense, or the information must be stored on a government computer.
These changes will empower the department to prosecute and deter significant threats to privacy and security, but make sure that the CFAA doesn’t inadvertently cover trivial conduct.
Next time: how can we deter the harms caused by the proliferation of botnets?