The Computer Fraud and Abuse Act has largely frustrated security researchers, hackers and the broader cybersecurity community for years due to its vague language. Earlier this week, the Justice Department released new guidelines — drafted in 2014 — for prosecutors involved in cases where the CFAA may be applicable.
The now public document, written by the U.S. Attorney General’s office, offers a window into how computer crimes are prosecuted and defined by the federal government. A recent legal challenge to the CFAA caused the DOJ to release the aforementioned guidelines.
“In my mind we’re really dealing with a problem of interpretation,” Orin Kerr, Research Professor at The George Washington University Law School, said during a panel discussion at New America earlier this month. “The concept of a computer trespass statute makes a lot of sense, the hard question is what counts as a computer trespass … the reason the CFAA is controversial is because courts have really struggled to figure out what [unauthorized access] means.”
Central to the CFAA is what constitutes unauthorized access to a computer, network or other internet-connected system. However, as Kerr noted, circuit courts have consistently differed in their definition of access without authorization.
The CFAA could be violated, for example, in a case where an individual hands over a password to a hacker, as was the case of former Reuters journalist Matthew Keys, or if a security researcher reveals customer data that is already sitting exposed on a public domain — evident in the Andrew Auernheimer case.
Another significant issue often discussed by the law’s critics has been with regard to sentencing, which follow the framework for economic fraud, which requires an assessment of economic loss, but that indicator is sometimes irrelevant in computer intrusion cases.
As part of the memorandum, which is titled “Intake and Charging Policy for Computer Crime Matters,” the DOJ acknowledged that the “laws addressing the misuse of computers have not kept pace uniformly with developments in technology and criminal schemes.”
Even so, the department believes the CFAA remains an “important” tool in prosecuting cybercrimes, the memorandum states.
Over the last several years, there has been several unsuccessful attempts to reform the CFAA. Aaron’s Law, a bipartisan bill to make changes to the CFAA introduced into the House of Representatives in June 2013, stalled. It was again reintroduced in 2015 by Rep. Zoe Lofgren, D-Calif., and Sen. Ron Wyden, D-Ore. The bill, which was named after an internet activist that committed suicide while standing trial for violating terms of the CFAA, remains stuck in legislative limbo.
The U.S. government brings approximately 100 CFAA cases to court per year, according to Kerr — a figure that is limited because it is “very hard to catch people.”
These 2014 guidelines are significant because they effectively recommend for prosecutors to determine charges based on, among other things, the sensitivity of information stored on a breached computer; calling on lawyers to consider the impact of an intrusion and to investigate the hacker’s intent. The list of conditions provided in the memorandum are “not intended to be all inclusive.”