Recent DOJ Policy for Charging Cases under the Computer Fraud and Abuse Act: Fair or Foul?

The Justice Department recently announced the issuance of a revised internal policy for charging cases brought under the Computer Fraud and Abuse Act (CFAA), our nation's main computer crime statute.  This revised policy was issued in the wake of the Supreme Court case of United States v. Van Buren, which held that the CFAA’s “exceeds authorized access” provision does not cover those who have improper motives for obtaining information that is otherwise available to them.  Additionally, the new DOJ policy for the first time directs federal prosecutors that good-faith security research should not be charged under the CFAA, but also acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith.

 

Does the new DOJ charging policy strike a reasonable balance between privacy and law enforcement interests?  Do its protections for security research go far enough, or do they extend too far?  In the wake of Van Buren and this policy, does the federal government have adequate tools to address insider threats, especially where such threats are focused on invasions of privacy and confidentiality instead of being motivated by financial gain?

 

Join us as our panel of experts breaks down these questions.

 

Featuring:

  • Prof. Orin Kerr, William G. Simon Professor of Law, University of California, Berkeley School of Law
  • Prof. Michael Levy, Adjunct Professor of Law, Penn Carey Law, University of Pennsylvania 
  • [Moderator] John Richter, Partner, King & Spalding

*******

As always, the Federalist Society takes no position on particular legal or public policy issues; all expressions of opinion are those of the speaker.

Event Transcript

[Music]

 

Dean Reuter:  Welcome to Teleforum, a podcast of The Federalist Society's Practice Groups. I’m Dean Reuter, Vice President, General Counsel, and Director of Practice Groups at The Federalist Society. For exclusive access to live recordings of Practice Group Teleforum calls, become a Federalist Society member today at fedsoc.org.


Chayila Kleist:  Hello and welcome to The Federalist Society's webinar call. Today, November 17, 2022, we discuss "Recent DOJ Policy for Charging Cases under the Computer Fraud and Abuse Act: Is it Fair or Foul?" My name is Chayila Kleist, and I am an Assistant Director of Practice Groups here at The Federalist Society. As always, please note that all expressions of opinion are those of the experts on today's call as The Federalist Society takes no position on particular legal or public policy issues.

 

In the interest of time, I'll keep my introductions of our speakers brief, but if you'd like to know more, you can access their full bios at FedSoc.org. Today, we are fortunate to have with us Professor Orin Kerr, who's a Law Professor at the University of California's Berkeley School of Law. He specializes in criminal procedure and computer crime law, and he's also taught courses on criminal law, evidence, and professional responsibility. Additionally, he's a former trial attorney in the Criminal Division at the U.S. Department of Justice.

 

Next, we have Professor Michael Levy, who's an Adjunct Professor of Law at Penn Carey Law School at the University of Pennsylvania. Before coming to Penn Carey, Mr. Levy was an Assistant United States Attorney in the Eastern District of Pennsylvania for more than 37 years. And from September 2001 to September 2017, he was Chief of Computer Crimes at the United States Attorney's Office.

 

Lastly, we have as our Moderator John Richter, who is a Trial and Investigations Partner at King & Spalding in the Special Matters and Investigations Practice Group. Mr. Richter previously served as Acting Assistant Attorney General in charge of the Criminal Division at the U.S. Department of Justice and as the U.S. Attorney for the Western District of Oklahoma.

 

One final note, as we go through the webinar, if you have any questions, please submit them to the question-and-answer feature so that our speakers will have access to them for when we get to that portion of the webinar.

 

With that, thanks for being with us today. Mr. Richter, the floor is yours.

 

John C. Richter:  Well, thank you very much and good afternoon to everyone.

 

Today, we're going to be covering an important policy pronouncement from the Department of Justice involving the Computer Fraud and Abuse Act. And the Justice Department recently announced a revised internal policy for charging cases that revises policy that was originally promulgated in 2014. The policy was issued in the wake of a Supreme Court case called United States v. Van Buren, which held that the Computer Fraud and Abuse Act “exceeds authorized access” provision does not cover those who have improper motives for obtaining information that is otherwise available to them.

 

      Additionally, the new DOJ policy for the first time directs federal prosecutors that good faith security research may not be charged under this statute but also acknowledges that claiming to be conducting security research is not a free pass for those acting in good faith. I've had an opportunity to review some of the online commentary about the CFAA, and it appears to be a mixed bag with some people arguing that it is a big change and an important change and others arguing that it is over-hyped.

 

      Let me turn to you first, Professor Kerr, and if you could give a quick overview of the statute, how the Van Buren decision played, and how this DOJ guidance is instructive or how it pertains to the exercise of prosecutorial authority and discretion in this context. 

 

Professor Orin S. Kerr:  Yeah, sure. First, happy to join you, John, and my friend Mike Levy. It's a pleasure to see you as well on the Zoom call. Great to be here.

 

      So the Computer Fraud and Abuse Act is a 1980s era statute. It's basically the federal hacking statute. And the key idea is that it prohibits unauthorized access to a computer, which is divided into access without authorization and exceeding authorized access to a computer. And it's a very broad statute.

 

So it covers at its broadest point, which is 18 USC 1030(a)(2), it prohibits any unauthorized access to a protected computer, which is basically any computer, and thereby obtaining information and that can include just seeing information. So any computer hacking or any unauthorized access at all is potentially, or it would seem to be at least a misdemeanor violation of the statute, and then there are felony enhancements which make the low-level misdemeanor a five-year felony including hacking to obtain money, hacking that's in violation of some other law like any federal state crime or tort and the like.

 

      So the basic idea is misdemeanor liability for any sort of unauthorized access, basic trespass, and then felony liability which can come pretty quickly because the rationales for felony liability -- I guess I should mention one more for the value of the information is more than $5,000. That can also be a felony enhancement.

 

And then there are a bunch of different provisions in the statute. I just covered Section 1030(a)(2). There's also Section 1030(a)(4) which is the Computer Fraud statute. It's basically wire fraud plus some unauthorized access. And there's Section 1030(a)(5) which is the computer damage provision, really two different provisions. One, unintentionally damaging a protected computer without authorization and the other, accessing a computer without authorization and causing damage. Damage defined as impairing the availability or integrity of information. Basically, classic examples would be hacking that takes a network offline or causes some sort of financial damage or a denial of service attack would be an example of that first kind in 30(a)(5)(A). So that's basically what the statute’s doing.

 

      The real uncertainty and the reason why this charging policy exists is what does unauthorized access mean? And the reason why it's uncertain is you can come up with a lot of different theories for what unauthorized access is. Does that mean unauthorized access in the sense of hacking in or breaking in -- John, you might want to mute yourself.

 

John C. Richter:  How do I do that?

 

Prof. Orin S. Kerr:  No, no problem. So is that hacking like breaking some sort of technological barrier like if I guessed your email account password and read your email? Or like the technological barrier is -- the password requirement is keeping me out and then I could come in? That's one possibility.

 

      Another possibility is that I'm merely told, “Don't do this,” or the terms of service, for example, tell me you're not allowed to use this computer for a certain reason, and I do that anyway. Is that unauthorized access? And last, it might just be there's some sort of computer use that you just -- you're supposed to know you're not supposed to do that. Maybe information is available on a URL line that is hidden in a sense of no one published it, and you'd be surprised if you found it. And so but you do find it and then maybe that's unauthorized just because you're just supposed to know that's not for you.

 

      So there is always uncertainty leading up to the Van Buren case about what unauthorized access means, and there was an earlier iteration of the DOJ charging policy, which I believe came out in 2014, which was designed to basically deal with this uncertainty. There had been a bunch of congressional hearings about okay, what does unauthorized access mean, and the Justice Department, as a matter of law, was taking the view that unauthorized access could be any of the above. DOJ didn't want to, just as a matter of policy position, take a view that the statute couldn't apply to these situations.

 

And members of Congress were pretty concerned about this and there were proposals to amend the statute and basically, there's been a push towards making this more of a real hacking statute that is sort of breaking in as compared to visiting a website when the person doesn't want you to visit their public website but exactly how to do that has been the uncertainty.

 

So we had this 2014 policy which was basically like, hey, before you proceed on one of these kind of broader theories of what the statute means, come to the Computer Crime and Intellectual Property Section, which was my former section at the Justice Department, and talk to us. Consult with us and we'll take you through Mr. AUSA or Ms. AUSA, we'll take you through the challenges here and make sure you're aware of what you're about to walk into. That was the gist of the earlier policy.

 

      Well, fast forward to last year, the U.S. Supreme Court hands down its first case interpreting the Computer Fraud and Abuse Act, Van Buren. And this was a case in which there had been a circuit split on this question of what do you do with employees, in particular government employees, with access to sensitive databases that are told as a condition of their employment, you're not allowed to access this database for personal reasons. You can only access the database for official reasons. Van Buren being a police officer who looks up personal information in a computer database only available to law enforcement, and he does this for a few thousand dollars that he's paid by an outsider. So that was not an official reason. It was a personal reason, that is to basically accept a bribe. And he's charged and convicted in the lower court of violating the CFAA.

 

      The U.S. Supreme Court then takes this and says this is not a CFAA violation. The CFAA does not apply to a situation where someone's been granted access. So Van Buren had been given a username and password to access this account. He had just been told, “Don't do it” for a certain reason, but that don't do it had not interfered with his means of accessing the account.

 

And the Van Buren opinion is not a model of clarity. The Court is trying to rule narrowly, but the suggestion in the case is that either the statute is or at least might be limited to only -- if it's not just technological barriers, maybe it's technological barriers and some other limited category of cases. But it's not a broad statute where just violating terms of service or violating any sort of words, essentially, on access would trigger liability.

 

      So that's the setup. And then the Justice Department amends its policy, its charging policy or consultation policy, which to some extent, I gather, they kind of had to because some of their guidance was inconsistent with what Van Buren had then held. And so it's a little weird for DOJ to have a policy that's like here are the cases we'll charge; The U.S. Supreme Court has said you can't. And so the real question is what's DOJ's new position in the charging policy? And I'll offer my take and then pass it back to you, John, and I look forward to hearing Michael's take.

 

      But my take is that they didn't really say very much in the new charging policy. A lot of the language that they're taking leaves open that they might charge certain cases, tracks the language of Van Buren, suggests that they're not going to go beyond current case law. But it's kind of a summary of the uncertainty of current case law and just says this is what we'll do. And so for the most part, with one exception I'll get to in a second, for the most part, they're pretty much just saying they're sticking to current law, and it's just an update of the charging policy to recognize Van Buren and also some of the Ninth Circuit case law like Power Ventures, which dealt with cease-and-desist letters. If you receive a cease-and-desist letter, does that mean you can't access the site after you've received the cease-and-desist letter? And do you treat that as differently from the employment policy in Van Buren? It's uncertain, but DOJ basically, as I read the charging memo -- not charging memo but policy memo, they're not really taking a position on this. They're leaving it open.

 

      And then the one thing they do that's different that has gotten some attention is there's -- the policy states that they will decline prosecution in cases involving good faith security research. That is if you're a white hat hacker or you are trying to improve the security of systems and you really genuinely are just acting in good faith to try to improve the security of networks, you won't be charged for this good faith security research. You're not trying to break in for bad reasons. You're really just trying to help, essentially.

 

      Now, there are two caveats to this. One caveat is that as far as I know, I'm not aware of any case in which the Justice Department has previously charged a good faith security researcher criminally under the CFAA. So there's a part of this new policy that says we're not going to prosecute these cases. It's not that they used to and they're changing their view. They're just making clearer that there's a certain kind of case that they don't plan to bring. So this is maybe more a matter of good relations with the white hat hacker community or something like that and just giving people sort of an understanding of what actual practices are, they won't bring that kind of case, rather than necessarily a new withdrawal of authority. So that's part of it.

 

The other part of it is there's a long tradition in CFAA cases and computer hacking cases of defendants or suspects insisting that they are white hat hackers. And this goes back, actually, to I think the first federal computer crime statute -- computer crime prosecution before the CFAA was a case called The United States v. Seidlitz from the Fourth Circuit and it was decided in 1978. And Seidlitz had used the username and password of his employer after he left the company to go in and he was caught downloading a massive database that he was suspected of then going to then try to use to form a competitor company. In fact, I don't know what you've seen like many times in decades since. And of course, Seidlitz said no, no, no, I wasn't trying to download this valuable software to start a competitor business, I just wanted to show my former employer just how bad their computer security is. And I just hadn't gotten to that point where I just came forward with all this information. Sure.

 

      So this is a common claim and the policy is not saying you can't -- it's not about whether you claim it, it's whether it's true. So I don't think this means that someone can just come forward and come up with a story about how they're a good faith white hat hacker. Rather, this is sort of really, what are they doing, not just kind of what are they saying. So that's my sense.

 

      Essentially, the policy updates the law after Van Buren, has this express treatment of white hat hackers that weren't prosecuted anyway, and it doesn't so much alter practices as much as explain the current DOJ mindset on these questions. And one last thing I think maybe is worth pointing out. Before Van Buren, DOJ was prosecuting, ballpark, like 100 CFAA cases a year. And a decent number of those -- there was an empirical study by Jonathan Mayer a few years ago, and I think something like half roughly of the CFAA prosecutions were brought against insiders like Van Buren. And if Van Buren then says you can't bring those cases, maybe the total number of outsider hacker, like "real hacking cases," would be maybe 50 a year.

 

So we're not talking about a massive number of cases as it is. And I think Van Buren cut back a lot of concerns about liability under the statute being super broad as a whole. So between the charging policy and Van Buren, I think a significant degree of fears that the Justice Department was going to run amuck with the CFAA have been to some extent addressed. And there's a lot of civil litigation over what Van Buren means and how broad the statute goes but we're not right now, I think, dealing with a lot of concerns about criminal prosecution, at least as much as we used to. 

 

John C. Richter:  All right, Michael.

 

Prof. Michael Levy:  Sure.

 

John C. Richter:  Yeah. Professor Levy, please chime in here. I guess one of the -- obviously, Professor Kerr packed a lot into that 17 minutes. What I'm -- obviously interested in your take on it, but what is the implication on the fact that you have some very broad language in this statute that seems to be constrained by the United States Supreme Court to a degree without certainty as to that constraint and then obviously then still room for interpretation as Professor Kerr indicates necessarily remains open for discussion. What does that do? What are the implications of that, both from a prosecution perspective, from a private enforcement perspective? And how do you see that striking the appropriate balance between enforcement interests and privacy and interests?

 

Prof. Michael Levy:  Well, I agree mostly with what Professor Kerr said. A lot of this is just updating the guidance and saying don't charge anything that Van Buren says you can't charge, which is not necessarily a bad thing because it's good to have in writing in a policy something that people are going to look at as opposed to letting him go do research on a statute and maybe or maybe not stumble across Van Buren.

 

      To some degree, a lot of the things they say you shouldn't charge were never going to get charged anyway. One of the things listed in there is putting false information in your dating profile. You're actually 6'2" when you're really only 5'10". And now, I think what's never going to happen because I told -- from a personal -- I'm going to talk personal and then institutional points of view.

 

From a personal point of view, prosecutors want to win cases. And to win a case, you have to have the jury have a feeling that there's some kind of moral wrong here. And whenever a defense attorney can pitch a case to a jury saying you and I have probably done stuff like this, from a prosecutor's point of view, you're likely to lose that case. I've tried a lot of cases over my career, both as a prosecutor and a defense attorney. I've won them and I've lost them. Winning feels better, and I think that's probably true for most people. So you don't want to lose cases.

 

      On an institutional perspective, though, most offices, certainly the large offices, require that you get approval from a supervisor which requires writing a prosecution memorandum that outlines your case, outlines what the issues are in the case. So you're going to have some other person taking a look at it. What I think this guidance adds now is not just consultation with CCIPS, Computer Crime and Intellectual Properties Section, but if the office that wants to charge a case decides it's not going to do it, you've got to go all the way upstairs to the deputy attorney general and notify the deputy attorney general. And, John, you were the assistant AG for the Criminal Division, what are the chances that the deputy attorney general is going to overrule CCIPS and back some line assistant in the middle of nowhere on one of these things? So there are a number of built-in checks that make sure this statute is not going to be misused.

 

Now, after the Nosal case, which was the Ninth Circuit decision in 2012 which started this chain of unauthorized access does not apply to data you have access to but get to -- but access it for a bad purpose, the Solicitor General issued guidance that basically said unless you're in the Fifth or Eleventh Circuits, the two circuits that allowed that theory, don't charge that theory. So I'm not sure where the statistics came from that Professor Kerr cited, but I'm going to guess that a large number of them were in the Fifth and Eleventh Circuits.

 

      A couple things that I -- as to the good faith research thing, I think this is kind of an outreach kind of thing. Somewhere after 2012-2013, Leonard Bailey, who was the head of the cyber security unit at CCIPS started an outreach to the white hat hacker community. He showed up with some at our conferences, was greeted with a certain amount of hostility to begin with. But eventually, he got and won the confidence of enough people that I remember shortly before I retired in 2019 at one of the computer crimes conferences, he brought in a panel of white hat hackers to talk about what they do, why they do it, how they do it, which educated the cybercrime prosecutors across the country about what their purposes are. And I kind of know a little bit about this, but there were parts of it that were eye-opening, and I think very useful to understand. So this, I think, is designed to give some assurance to tell prosecutors if that's what you think you have, you got troubles but also to give assurance to the white hat hacker community.

 

      There are also assurances to equal rights testers. There's the Sandvig v. Barr case out of the D.C. District Court where some people wanted to do testing on renting houses saying they were black or white and seeing what the results were and were afraid that in making misrepresentations about themselves, they could violate the act and this guidance that gives, I think, pretty clearly some assurance to those people as well.

 

      The two areas I think that are interesting is one, where exceeds authorized access as a department, I think, makes pretty clear that they want some kind of technological barrier because they say that it's got to be off limits. It's delimited by code and not by contract which to me means that God's commandment to Adam and Eve that you can't eat of the fruit of the tree of knowledge is not going to be a basis for saying unauthorized access under the exceeding authorized access under the act. So they're going to look for -- it's got to be you access some part of the computer that was separate, either by folders or by some kind of a code that was clear.

 

      It's also clear that there's no automatic withdrawal of authorization by misconduct which was the theory of the disloyal employee. There are a couple of questions I have in my mind. What does it do for the employee who gets fired or quits and gets into the computer before they can delete their credentials? There are a couple of cases out there, one from the Sixth Circuit and one from the Eastern District of Pennsylvania where the courts basically used, what I would say is one of the standards that we all accept and if once you're fired or once you quit, you're not supposed to be coming back onto the property of the company and you certainly should not be logging back in the computer. So that, to me, is open.

     

      And the other one that is open is one that Professor Kerr referred to which was what's going to happen -- what is it going to take to say that you don't have access, that your access has been revoked. There are a couple of cases in the Ninth Circuit with cease-and-desist letters. There's one with a cease-and-desist letter in our IP Blog and it's not clear where that's going. And this guidance doesn't say what the Department's going to do. I read it to say we're going to sit and watch how these cases develop and then we'll decide what we're going to do.

 

      I think that's not a bad idea because they're going to not only want to see what the law is but also see what the facts of a particular case are before they authorize prosecution. 

 

John C. Richter:  So as two law professors here, obviously extolling primarily the virtues of this, from a defense standpoint, does the state of play of this statute provide fair notice at this point at the margins? Or would a legislative fix or increased, further statements on the issue help clarify these questions? Because obviously not knowing what the law is notwithstanding language of a statute generally is considered problematic.

 

Prof. Michael Levy:  I've looked at some of the proposed amendments that were around 2014-2015, and I found they were more confusing and gave less guidance than the existing law. I read them and go, I don't know what that means. And I'm the one that's supposed to figure out how to charge it. So it would be nice to get more guidance, but I have not seen a draft that gives what you want as advising a client: yes, you should do this or no, you shouldn't do this but does it in a way that makes that clear. Orin, what are your thoughts on that? 

 

Prof. Orin S. Kerr:  Yeah. So I've been arguing for narrower interpretations of the CFAA for 20 plus years, so for a long time. And my own view is that the CFAA should basically just be limited to the bypassing technological barriers, which could be physical barriers as well but some sort of actual barriers not just words as just an overarching theory of the statute.

 

      And I think for a while there, the courts were embracing very broad interpretations and I thought the way to get to narrow interpretations was through legislation. And then the courts started adopting more narrow interpretations and my attitude towards legislation shifted. It's just, stop, just let the courts play this out because they're getting there. And so Van Buren, I think, is a hugely important narrowing -- I don't think it's a narrowing of the statute so much as a correct narrow interpretation, but there's uncertainty there which lower courts trying to figure out what Van Buren means to have, to my mind, been interpreting Van Buren appropriately as imposing a major change.

 

      And a key case here you got to, I think, mention, the Ninth Circuit's ruling in May, the same month that the DOJ guidance comes out in HiQ Labs v. LinkedIn. And this is essentially considering whether visiting a public website is necessarily protected when it's a public website. In that case, they had a cease-and-desist letter issued to HiQ Labs and they tried technological blocks on access, IP blocking and the like. And HiQ Labs just went in a different IP address and ignored the cease-and-desist letter.

 

      And the Ninth Circuit ruled that for a public facing website, you can't withdraw authorization. Once you publish it to the world, you publish it to the world, and it's authorized to access that. And so under that scraping, generally, is going to be not a CFAA violation and so that I think is just a hugely important step forward.

 

      And there are a lot of wrinkles that come along with this in ways of maybe looking at it differently and the like. But I think courts are getting it. You can always say they get it when they agree with you, right? But I think courts are taking what, to my mind, is an appropriately narrow interpretation.

 

      And the basic idea is that this is a computer hacking statute, yeah. If someone broke into a computer, if somebody broke into a private place, that should be a crime. It's a computer trespass but visiting a public website or violating terms of service, that's just not what the statute -- that's not culpable conduct that should be a crime in the physical world and shouldn't be either in the digital equivalent.

 

      So I think courts are getting there, and Congress is likely to stay out of this and just let the courts figure out where they are. Once the courts come to a really clear position, you can start thinking about what reforms might be needed but we're not, I think, quite there yet.

 

      One last thing I did want to talk about is I would've expected after Van Buren that the Justice Department would propose some fix for what I think of as the insider problem. That is especially in the sensitive government database context of what do you do with a Van Buren who, granted, is being prosecuted for bribery as well. But let's just take a typical case that you see often: government employee who has access to a sensitive database for personal nefarious reasons accesses that database to get all sorts of info. And then the government, quite appropriately, wants to prosecute that person for being a rogue employee who's violating peoples' privacy, and they can fire the person but it makes a lot of sense that there should also be some sort of criminal liability.

 

      The government used to try to do that under the CFAA, and I think the Supreme Court was right to say you can't do that. But there's a good case that there should be a new criminal statute for government employees who access these databases for improper reasons. And I've been kind of waiting for DOJ to make that proposal and they haven't, at least yet. I don't know, Michael, if you have thoughts as to why that might -- I don't think that's appropriate but.

 

Prof. Michael Levy:  As you know because you had me invited to a symposium at George Washington about seven years ago on the CFAA, and I guess it was its 30th birthday. And I wrote an article called, "The Proposed Amendment to 18 U.S.C. 1030—The Problem of Employee Theft." And at that point, and this was before -- it was after Nosal before Van Buren. I was arguing we need, what I was referring to as an access on the tend to steal statute.

 

But the question shouldn't be are you authorized to access the data but what's your intent when you do it? Because I'd go beyond the government employee. I would once a month, once every two months, I would get a call either from a business directly or from outside counsel for a business saying we have this problem. And the problem was somebody was leaving the company, and they were just downloading all kinds of data. And the first question I would ask was did they download after they left? Because if they downloaded after they left, then it was unauthorized access. If they downloaded before they left, then I couldn't charge anything.

 

      And there were times where maybe it was a theft of a trade secret. Not everything they steal is a trade secret. And the problem with charging trade secret statute is sometimes you have to put the whether not the thing they stole, is it trade secrets are now the thing that the person wants to keep secret now has to be turned over to experts for the other side who can now defend well, this isn't as secret. This was obvious. Somebody could've figured this out. So there was no good way to charge the disloyal employee who was stealing stuff on their way out the door. And I agree with Orin, we need a fix for that.

 

John C. Richter:  So, I guess, let's go back and I'll date myself. Obviously, we've got a number of famous cases over the years in which in the name of doing good for the larger good, there have been thefts of information. Obviously, the Pentagon Papers cases were important cases back in the '70s on that coin. Since that time, obviously, there are certainly occasions more recently in which individuals or groups had accessed information available in various databases. Sometimes, obviously, we don't necessarily always know exactly how they got it but it seems pretty clear that they didn't have official authorization or if they got authorization, it was through means of someone, an insider, who allowed them or passed on information that they had obtained and passed on.

 

      Are there particular gaps? And, obviously, one person's terrorism sometimes turns out to be the other side's freedom fighter. In this kind of context, are there gaps? Are there vulnerabilities here from an insider threat standpoint that can be addressed, whether it is within the rubric of 1030 or with a neighboring companion kind of statute that would address that in this larger context of the access of state government information or inside information that poses a national security loss, even if it's not "secret information" but is nonetheless government information that we'd prefer our enemies not to have? 

 

Prof. Orin S. Kerr:  So I can offer some thoughts. The basic approach of current law has been for, kind of what I think of as information misuse statutes or statutes which are about sharing information you're not supposed to share, distributing information you're not supposed to distribute, but to really be focused on specific kinds of information, sensitive information. So it'd be classified information, national security information. It could be misusing -- there's a misdemeanor statute on misusing the tax database for example.

 

And then in the closely related to CFAA setting, you'll have theft of trade secrets. So if the information that the employee takes is a trade secret, that would be one situation where the insider could be prosecuted for using the trade secret without authorization from the trade secret owner.

 

      And so the, I think, the challenge of the CFAA and the challenge of this area is that there's no general information misuse statute. You did something with some information that someone didn't want, whatever the information is, and the CFAA basically created the possibility of that for all information on a computer, period. And then there was no narrow way to do it, so I think people kind of oh, well, intuitively, that seems like an appropriate thing to prosecute if it's particularly sensitive information. But that was not a category under the CFAA, at least as to misdemeanor liability.

 

      So I think the way forward is for Congress to think carefully about what are the different kinds of information and what are the different ways that information can be misused and to have more -- make sure there's coverage of all the different, particular sensitive kinds of information without having a statute that inadvertently, in this context, applies to all information categorically no matter whether it's sensitive or non-sensitive.

 

      Under the broad interpretation of the CFAA that the Justice Department sometimes took or at least didn't back off of was any term of service violation, even if it's completely frivolous and silly, still technically that was an unauthorized access. So I think the goal should be really to focus on the sensitive kinds of information rather than the fact that some information was obtained that someone didn't want to have happen.

 

Prof. Michael Levy:  You're muted, John.

 

John C. Richter:  Let's turn to one aspect of it and that is the private enforcement side of this. Obviously, this DOJ guidance only applies to criminal prosecutors but of course civil causes of action and while civil enforcement doesn't take away one's liberty, it can be exceedingly expensive. And so how is that do you think, if it is influenced by this DOJ guidance, if it is at all, does this help the courts also construe properly the language in the statute in the context of private civil enforcement? And then secondly, how does it deal with any of the copycat baby statutes, if you will, at the state level that may be seeking to criminalize conduct similar to what is found in the federal statute? 

 

Prof. Michael Levy:  At least on the civil side, certainly if I were defending someone, I would cite this and if I thought this was outside the realm of what the Department would bring, I would certainly bring this to the attention of the court because the statute prohibits certain conduct and gives civil as well as criminal remedies. So there ought to be some uniformity in interpretation of the law and looking at what the Department of Justice says that prosecutors ought to follow, I think it can be persuasive. Certainly, it's an argument I would raise if I were defending someone. How far that goes? I don't know how successful you'll be.

 

      One of the things I remarked on when I first started working in this area is so many of the early CFAA cases were civil cases and they gave incredibly broad interpretations to the law without any thought that this was a criminal statute. And I compared that to the statute I started to look at very early in my career in the 1980s which was the RICO statute which the government had used and prosecutors very successfully. And then prosecutors went out into private practice, and they said heck to their partners and associates, hey, there's this statute in Title XVIII that's really cool that we can use. And the courts hated civil RICO, and they did everything they could to cut it apart.

 

      And from my point of view as a prosecutor, I didn't like them doing that because they were going to tie my hands in some ways. I saw the opposite on this side, of courts giving incredibly broad interpretations and now, this parade of horribles of what can happen with a statute. So I think it'd be useful if there's some convergence in the interpretation of both civil and criminal.

 

      In terms of guidance for the states, again, it's persuasive but there's nothing that says that the states have to follow this guidance. And there are states like California that do have the equivalent of an access on attempt to steal statute, so they have a remedy for the disloyal employee. 

 

John C. Richter:  Orin, you indicated that the number of cases brought annually by the Department of Justice in this context is relatively small by comparison. Obviously, the near fact, I'm sure for the 50 defendants, it didn't seem so small. Do you have any sense of how this compares to enforcement at the state level for similarly situated statutes? Is it even less common there? More common? What do you know about that?

 

Prof. Orin S. Kerr:  Yeah. Even less common at the state level. It's kind of remarkable to look at the overall picture of unauthorized access statute enforcement. You've got a very small number of federal criminal prosecutions. You've got almost zero state criminal prosecutions, incredibly small number. In fact, the California equivalent of the unauthorized access statute, CFAA equivalent, California Penal Code Section 502, has been mostly interpreted in the context of Ninth Circuit case law, so on the federal side. So you just, you don't have that many -- especially, part of it is it's very difficult at the state level to investigate online hacking. How do you gather the evidence state to state, internationally? It requires a lot of resources, and the states usually don't have it.

 

      So you've got a lot of state statutes where there's zero cases reported or maybe one or two cases reported, just not many. And sometimes they follow the federal statute, sometimes they don't. I think it's interesting that the Van Buren decision from the U.S. Supreme Court interpreting the CFAA is written in very close textual language. There's pages and pages focusing on the word "so" in the definition of impeding authorized access.

 

      And if you read Van Buren and you've got a statute that has different words at the state level, I can imagine just saying well, there's really nothing in this for me here because it's just so specific to the federalist statute. So it just hasn’t come up as much at the state level.

 

      And I do think the real action right now is going to be federal civil cases, the context of business-to-business litigation in particular, which in a lot of ways, as Michael pointed out, is kind of the reason -- this is the problem in the beginning because you get totally different mindsets in a business-to-business litigation case you would get in a criminal case.

 

And I think, actually, this is, to be a little bit academic, I think the whole idea of having civil remedies under the CFAA was just a mistake. I think the rationale going back to the early 1990s as I understood it was the people in the Justice Department thinking well, gosh, computer hacking is becoming so common. That means there's going to be so many cases. There's no way that the U.S. Department of Justice is going to be able to prosecute all of these CFAA cases. They're going to overrun the Justice Department. We need to allow for civil enforcement too so the victims of hacking can sue the hackers.

 

      And it turned out that was just not a problem. We never got more than about 100 prosecutions a year. Incredible amounts of hacking, it's just so hard to catch the hackers. You don't actually have the problem. And then hackers themselves are going to be judgment proof most of the time even if they're caught and DOJ declined. So I think the whole thing about having civil liability together with criminal liability as in the RICO setting, it just causes -- it just, the settings are so different. Judges' instincts are so different, and you end up with weird interpretations of the law that get misused in the opposite context. And so I think it hasn't worked out all that well, but right now, it's the civil cases that are really where the action is.

 

Prof. Michael Levy:  John, the only thing I'd jump in on to state is to add -- and you were out in Western Oklahoma. Once you got out, how many detectives in Oklahoma City were able to do computer investigations? And once you got outside of Oklahoma City, police officers are basically peace officers. You may have one or two detectives who probably rely on the state police to do a lot of patrolling. So there's just not the expertise on the state level to handle these things.

 

John C. Richter:  Yeah. Ironically, Michael, I actually had a case after I left the Department in which I pitched on behalf of basically a theft of inside information by an insider who had left and taken a bunch of information. I pitched it to the U.S. Attorney's Office. They were concerned about unauthorized access language in the Tenth Circuit and making bad case law. They declined to pursue the matter. I handed my investigative file on behalf of my client to the Oklahoma County District Attorney's Office, and they prosecuted and successfully convicted the defendant. But point being is obviously, we handed them -- it took outsiders in this case, the victim company investigation that had the means to do that investigation to present the evidence that allowed the matter to be brought. So it can be done.

 

      One of the criticisms I hear about the current guidance is well, it can be undone and what's the chance -- and I guess the question is what are, really, the chances of that given the underlying case law that has developed in the area? Is this an area where in a new administration, it can be undone in a way that essentially returns things to the past, or is this guidance essentially really merely stating what is effectively the floor right now given the more recent court decisions?

 

Prof. Michael Levy:  This isn't -- administrations change and policies change, but this is not really much of a political issue between Democrats and Republicans. And this kind of states this is where the law is today. I don't see in three years, if we get a change in administration, big changes to this. And the only way I see changes coming is whole new sets of facts developing that we just don't anticipate today, and with computers, that can certainly happen. And then there may be the need to revise the guidance to deal with what the situation is on the ground in 2026 or 2030, whenever that happens to be.

 

John C. Richter:  Another area that I think of late has gotten a lot of media scrutiny is various times in which government information has evidently made its way into the public domain. We've seen reports in the media of sensitive tax information that's provided about certain high-earners or wealthy individuals in the United States that somehow made its way into the public domain. Obviously, the promulgators of that information certainly come at it presumably with the motive that they believe this is information that is worthy of the public knowing about. But our tax laws would seemingly say otherwise.

 

      Likewise, we know that in any political season, which seems to be every day of the week, all year long, in any given year, there seems to be a great deal of effort to dig up information on your political opponent, depending. And some of that information would seemingly not come from the word of mouth but rather come from obtaining information that may have been obtained through some person who may have had technically authorized access, meaning that they had credentials or legal ability to authorize the information where it was found but then have passed it on, obviously, to someone who should have no right to that information and clearly, is that a vulnerability? Is that a gap that exists as a result of Van Buren? And if so, are there other means that federal law enforcement authorities have to shore that -- to fill that gap with the use of other statutes? How do you see those kinds of scenarios that get reported publicly in terms of what the options are?  

 

Prof. Michael Levy:  With the scenario, the first scenario you posed, the tax returns of somebody, the tax laws are pretty clear that releasing them is a criminal violation and it doesn't matter -- in fact, it's directed at people who have authorized access to the information. The hard part is going back and figuring out who got it. And it gets out in the press and the newspaper reporter is going to claim that it's privileged and he doesn't have to disclose his sources. You've got a Supreme Court decision in the wiretap statute, Bartnicki v. Vopper which says First Amendment protects certain things even if they were obtained illegally if they're of great public interest. So there's going to be some problems in dealing with this.

 

      There are other areas where people get embarrassing information on people, an opposition research. And the question is do they just find an old YouTube video somewhere that they now dredge up, a thing that the Daily Show used to do all the time, picking up newsreels from 15 years ago and playing it to repeat, to embarrass some politician with words they said 15 years ago that are completely different from what they say today. That's fair game. But if you get into somebody's private account, it's probably not.

 

John C. Richter:  Orin or Professor Kerr, how do you see this intersection between the First Amendment and this unauthorized access and use of this information, recognizing that obviously we live in a free and open society to some degree but where there is obviously a need sometimes to protect information for legitimate reasons?

 

Prof. Orin S. Kerr:  Yeah, I agree completely with Michael's take on the law. The reporters themselves are going to have the First Amendment claim under Bartnicki and then the person who engaged in the wrongdoing initially is probably going to protect themselves from being observed. And it all just depends on how clever they were in hiding their tracks and how serious the investigation is. And you see this across the board.

 

      An example of this same issue is the leak of the Dobbs opinion, who someone leaked the Dobbs opinion. Who was it? Well, there's only a certain number of people that might've had access to it. But how many resources are actually being spent to try to figure this out? Are they pulling phone records? Are they interviewing people? Are they interrogating people down at the police station? I mean, if you really, really want to know and you've got a limited set of suspects, you could make it a top priority and maybe have a chance at it. But if folks are hiding their tracks relatively well and the investigation is not super intensive, a lot of times, you're just never going to know who did it.

 

      So I think this is not a criminal law, substantive law problem as much as it's an enforcement challenge and an evidence gathering problem. And so that I think of is usually just a byproduct of how clever was the original wrongdoing in hiding his or her tracks and what resources is the government bringing to bear in its investigation. It's not a question of substantive law like the CFAA.

 

John C. Richter:  Well, let me remind the audience that if they have questions, certainly, you can submit them through the chat box. I think I've tried to address the one question that was posed in the chat box which is obviously asking the question about sensitive info and whether that may include, as this writer said, "sins of politicians that may hurt them politically." If there are other questions, please submit them. I will be happy to try to get to them here during our remaining few minutes.

 

      Let me, I guess, go now to where this is going. This statute was passed back at a time when the internet didn't really exist and the kind of information that we're used to having access to now was just different. It's been amended a number of times, and there have been a number of additions and changes. But where do you see this going? As you prognosticate, not just in terms of a legal development but in terms of thinking about how information is shared and gathered, are we in a fairly stable environment in which the existing statute such as it is, notwithstanding its weaknesses and strengths, is enough? Or can we anticipate technological change in the offing that is likely to mean that Congress should act even though right now there may not be the kind of gap or there may not be an easy solution?

 

Prof. Orin S. Kerr:  I guess I'll take that. I think we're in a point now or getting to the point where the statute is in the ballpark of okay. There are lots of ways I would fiddle with it if I had the pen and could do it. But the huge problem that the CFAA might make everyone in the United States who goes online a criminal because the statute was drafted so broadly, I think we're past that now.

 

      And the number of cases brought is so small that I think, really, it's the enforcement that's going to make a bigger difference going forward. And think about if you connect the computer to the internet, it's going to start getting attacked right away. And so the problem -- we have bad security and the statute punishing breaches of that security is in some sense only a small part of our worries. We need to have better security and block the intrusions rather than think about is the law there in the right place for when somebody does breach these security protocols and gain access to information.

 

      So it's going to be, I think, enforcement and the security picture generally rather than the CFAA that probably makes the biggest difference going forward.

 

Prof. Michael Levy:  John, the only thing I'd add is 20 years ago, we didn't have Facebook, we didn't have Twitter, we didn't have any of these social media things, and that certainly has changed the whole paradigm of what we're litigating. And who knows what's going to come down the road next week that's suddenly become the big thing of the 2020s. That may change how we look at computer hacking.

 

      So it's kind of hard to adjust a statute to technology when we haven't caught up to the technology from 20 years ago, and it's going to change next week. But I agree with Orin that criminal law is like the boy with a string around the dike and if we don't figure out ways how to shore up the dike, like better computer security and keeping hackers out of computers, then there's no hope.

 

John C. Richter:  Well, I want to thank both of you. I think we've covered the subject fairly well in the time that we have. I'm not seeing other questions coming across, but I'll check with our organizer here. Chayila, is there any other questions that we missed? Otherwise --

 

Chayila Kleist:  That's it. 

 

John C. Richter:  Yeah. Otherwise, I want to thank you, Professor Levy, and you, Professor Kerr, for what I think was a very interesting discussion on this statute and really appreciate you giving the time and your expertise to this teleforum today.

 

Chayila Kleist:  Absolutely. I'll second that on behalf of The Federalist Society. I thank our experts for their valuable time and our audience for joining and participating. We welcome listener feedback at [email protected]. And as always, keep an eye on our website and your emails for announcements about upcoming virtual events. Thank you all for joining us today. We're adjourned.

 

[Music]

 

 

Dean Reuter:  Thank you for listening to this episode of Teleforum, a podcast of The Federalist Society’s practice groups. For more information about The Federalist Society, the practice groups, and to become a Federalist Society member, please visit our website at fedsoc.org.