
DOJ reveals guidelines for how lawyers should prosecute hackers

The Computer Fraud and Abuse Act has largely frustrated security researchers, hackers and the broader cybersecurity community for years due to its vague language. Earlier this week, the Justice Department released new guidelines — drafted in 2014 — for prosecutors involved in cases where the CFAA may be applicable.

The now public document, written by the U.S. Attorney General’s office, offers a window into how computer crimes are prosecuted and defined by the federal government. A recent legal challenge to the CFAA caused the DOJ to release the aforementioned guidelines. 

“In my mind we’re really dealing with a problem of interpretation,” Orin Kerr, Research Professor at The George Washington University Law School, said during a panel discussion at New America earlier this month. “The concept of a computer trespass statute makes a lot of sense, the hard question is what counts as a computer trespass … the reason the CFAA is controversial is because courts have really struggled to figure out what [unauthorized access] means.”

Central to the CFAA is what constitutes unauthorized access to a computer, network or other internet-connected system. However, as Kerr noted, circuit courts have consistently differed in their definition of access without authorization.

The CFAA could be violated, for example, in a case where an individual hands over a password to a hacker, as was the case of former Reuters journalist Matthew Keys, or if a security researcher reveals customer data that is already sitting exposed on a public domain — evident in the Andrew Auernheimer case.

Another significant issue often raised by the law’s critics concerns sentencing, which follows the framework for economic fraud. That framework requires an assessment of economic loss, but that indicator is sometimes irrelevant in computer intrusion cases.

As part of the memorandum, which is titled “Intake and Charging Policy for Computer Crime Matters,” the DOJ acknowledged that the “laws addressing the misuse of computers have not kept pace uniformly with developments in technology and criminal schemes.”

Even so, the department believes the CFAA remains an “important” tool in prosecuting cybercrimes, the memorandum states.

Over the last several years, there have been several unsuccessful attempts to reform the CFAA. Aaron’s Law, a bipartisan bill to make changes to the CFAA, was introduced in the House of Representatives in June 2013 and stalled. It was reintroduced in 2015 by Rep. Zoe Lofgren, D-Calif., and Sen. Ron Wyden, D-Ore. The bill, which was named after an internet activist who committed suicide while standing trial for violating terms of the CFAA, remains stuck in legislative limbo.

The U.S. government brings approximately 100 CFAA cases to court per year, according to Kerr — a figure that is limited because it is “very hard to catch people.”

These 2014 guidelines are significant because they effectively recommend that prosecutors determine charges based on, among other things, the sensitivity of information stored on a breached computer, calling on lawyers to consider the impact of an intrusion and to investigate the hacker’s intent. The list of conditions provided in the memorandum is “not intended to be all inclusive.”

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.
