If you are reading this on a computer at work, the Obama administration wants to make you a cybercriminal.
In the hype preceding the president’s State of the Union address, the White House proposed changes to the Computer Fraud and Abuse Act (CFAA) that would criminalize computer use that involves obtaining or altering information for a purpose that you know isn’t authorized by the computer’s owner.
Yes, that’s right. The same government that used a chemical-weapons treaty to prosecute a dispute between romantic rivals in Bond v. United States thinks it should be able to send you to jail if you watch too much Netflix on your work computer.
Although the administration spun this aspect of its proposal as part of a larger (and necessary) strategy to combat rising national and international threats to information security, it is actually deeply flawed. If this proposal becomes law, Congress will have once again criminalized conduct that can be addressed without federal prison time. To understand why, let’s take a closer look at the two types of computer intrusions addressed by the CFAA, the outsider and the insider.
The stereotypical outsider threat goes something like this, at least in Hollywood: Unscrupulous hacker-for-hire penetrates security perimeter of victim organization, hacker downloads sensitive data, hacker passes data to the villain, villain blows up Los Angeles. The outsider has no authority to access the victim’s computer; the owner hasn’t authorized access to the computer or has prohibited the outsider from accessing it. The outsider is essentially a trespasser, albeit an electronic one.
The insider threat, by contrast, has (or had) authority to use the targeted computer but oversteps it, thereby “exceeding” authorized access: Nosy IRS employee logs in to agency mainframe with his own username and password; despite posted warnings, notices, and repeated instructions from supervisors, employee reads tax returns of rival employees. Insider crimes can range from the seriously damaging to mere nuisance: An insider could sell identification information to identity thieves, steal trade secrets, or change the records of all company employees to have the name “Fleetwood Mac.” All would be criminal.
The difference between insider and outsider intrusions is intuitive, but the difference between lawful and unlawful insider activity is a bit more difficult. The practical question is this: If you’re an employee, how do you know where authorized access ends and thus begins to exceed authorization?
Courts have struggled to come up with a coherent answer. In 2003, nearly 20 years after Congress first defined a federal computer trespassing crime, George Washington University law professor Orin Kerr wrote that when the courts interpreted the meaning of the CFAA’s authorization provision, they were usually doing it for a civil lawsuit where only money was at stake. “It is one thing to say that a defendant must pay a plaintiff for the harm his action caused; it is quite another to say that a defendant must go to jail for it,” he wrote.
With less-drastic punishments at stake in most of these cases, courts looked far and wide to find ways that an action might violate the CFAA, which in turn encouraged courts to interpret “exceeds authorization” violations as a breach of contract, employee misconduct, or even abuse of a software designer’s social norms. As a result, Kerr noted, courts tend to redefine “authorization” based on the amount of harm done to the owner rather than any clear idea of what “authorization” means:
The reasoning seems to go something like this: Use of a computer that causes harm to its owner is use that the owner would not want; use that an owner would not want is access that the owner implicitly has forbidden; and access that an owner implicitly forbids is access without authorization. Once again, the law has failed to create workable standards to guide courts. Instead, courts have interpreted the ambiguous legal standards to reach results that seemed correct given the facts of the particular case.
With so many ways to commit a crime, it’s no wonder that the CFAA has stretched. The administration now wants to ratify the stretching through legislation.
But that’s exactly why the administration’s proposal is so dangerous. The White House is seeking to make an already-broad statute still broader, making authorization depend on whether the user and the owner agree on the “purpose” of the access.
#page#Oddly enough, redefining authorization this way presents conscientious employees with a Catch-22. Because the difference between criminal and noncriminal conduct depends on knowledge about “purpose,” you’re actually more likely to be committing a crime if you learn more about your employer’s preferences for computer use. The employee who tries to follow the law carefully is utterly dependent on the employer’s ability (or willingness) to articulate clear expectations about the “purpose” of company computing resources. That means that if your employer gives you vague instructions about what use is permitted, you will be less certain that you are obeying the law.
Worse still, company policies that permit “reasonable” or “moderate” personal use could be used to show that an employee was violating company policy, when in fact they merely had a different interpretation about what use was “reasonable.” Will supervisors generally have a stricter interpretation about “reasonable” use from their employees? Obviously yes.
To its credit, the White House seems to recognize how much authority it is seeking and tries to assuage these concerns by, for example, limiting the crime to situations where the information obtained from the computer has a “value” exceeding $5,000. But as the Department of Justice’s computer crime manual puts it, “Any reasonable method can be used to establish the value of the information obtained,” including research, development, and manufacturing costs. With such a lenient definition, it wouldn’t be hard for a typical employee to quickly rack up $5,000 of downloaded value. For instance, the cost of producing a movie often runs into the tens of millions of dollars. Downloading a lawfully rented movie onto a work computer against company rules could quickly exceed the $5,000 threshold, thereby triggering criminal liability.
None of this, of course, suggests that employees should have impunity when it comes to company property. Of course not. But this pedestrian sort of employment dispute hardly seems, well, criminal. And that’s one of the fundamental problems with the White House’s proposal: It federalizes and criminalizes conduct that, although hardly admirable, would otherwise be an employment dispute or a civil lawsuit. The government is now proposing that such matters be defined as federal crimes right alongside terrorism, money laundering, and bank robbery.
In the meantime, organized criminals and overseas crime syndicates loot American consumers and businesses with impunity. Is punishing employment disputes really the best use of federal law-enforcement resources?
— Jonathan Keim is counsel for the Judicial Crisis Network. He is a former federal judicial clerk, criminal litigator, and information-systems professional.