To many who conduct work or research related to digital security, the legislation meant to protect against computer crimes has morphed into something harmful. The 1986 law, the U.S. Computer Fraud and Abuse Act, has been repeatedly described as vague and ineffectual — allowing overzealous prosecutors to saddle hacktivists and low-level criminals with excessive sentences.
Now, thanks to a legal challenge to the CFAA, the Department of Justice is for the first time releasing its 2014 guidelines on how prosecutors should charge computer crimes — when someone exceeds “authorized” access on a computer. (First Look Media, the publisher of The Intercept, is a plaintiff in the case.)
The Department of Justice acknowledges that “laws addressing the misuse of computers have not kept pace uniformly with developments in technology and criminal schemes” though it maintains that the law remains “important” in prosecuting cybercrimes.
Some of the prosecutions under the CFAA have proved controversial. Aaron Swartz, a well-known internet activist who downloaded academic journals en masse, faced years of grueling legal trials under the CFAA before he committed suicide. And Andrew Auernheimer was found guilty of conspiracy to violate the CFAA by uncovering AT&T customer data exposed on the company website.
The central cybercrime law is based around access to online systems or data “without authorization,” though it’s never been clear what that means. Committing a crime could include handing over a password to a hacker — something that Matthew Keys, a former Reuters journalist, did in 2010, when he provided Anonymous with access to the LA Times’s website. He was sentenced earlier this year to two years in prison for his role in defacing the newspaper’s website. He maintains his innocence.
Or it could threaten the livelihood of legitimate security researchers and penetration testers, who poke and prod at online systems to test their fortitude — in order to repair holes or flaws. “What we don’t know, and we’ve never known, is what ‘authorization’ means,” Nate Cardozo, senior staff attorney at the Electronic Frontier Foundation, told Dark Reading, an information security blog on the law’s 30th birthday this month.
There have been several unsuccessful attempts to reform the law in recent years.
According to the memorandum, titled “Intake and Charging Policy for Computer Crime Matters,” attorneys “contemplating charges” should consider as a matter of policy eight different conditions before proceeding.
First, the prosecutor should consider how “sensitive” the computer or information contained on the computer was — referring to classified or personal information like Social Security numbers or intellectual property. The prosecutor should determine if the digital intrusion endangered “national security” or other pillars of society — public health, market integrity, foreign affairs, or major infrastructure. If the hack was a part of an organized criminal effort, or posed possible physical harm to the target, those factors should be taken into consideration. And if charging the suspect might “deter” future crime, or if there was a large “impact” on a community, the prosecutor should also weigh those concerns.
Intention is also important, when it comes to prosecuting someone for exceeding their authorized access to a device or online system, like an email account or website. “The attorney for the government must be prepared to prove that the defendant knowingly violated restrictions on his authority to obtain or alter information stored on a computer,” reads the memorandum.
The list of conditions, according to the document, is “not intended to be all inclusive.”