DOJ Finally Releases Its Internal, Mostly-Vague CFAA Prosecution Guidelines
from the DOJ-knows-'unauthorized-access'-when-it-sees-it,-apparently dept
The government often engages in very dubious CFAA prosecutions, but it takes a lawsuit to get it to talk about how it decides what cases are worth pursuing.
[T]hanks to a legal challenge to the CFAA, the Department of Justice is for the first time releasing its 2014 guidelines on how prosecutors should charge computer crimes — when someone exceeds “authorized” access on a computer. (First Look Media, the publisher of The Intercept, is a plaintiff in the case.)
The Department of Justice acknowledges that “laws addressing the misuse of computers have not kept pace uniformly with developments in technology and criminal schemes” though it maintains that the law remains “important” in prosecuting cybercrimes.
I’d imagine the DOJ is more concerned about crafty cybercriminals beating them in the tech arms race than it is about legislators’ inability to reform the CFAA (something the DOJ routinely opposes). The “Intake and Charging Policy” memo [PDF] for the DOJ’s prosecution of cybercrimes lists a number of factors to be considered before pursuing federal charges.
The first key factor is the sensitivity of the information or system accessed “without authorization,” followed by national security considerations and economic impact. Public safety is also a factor. The document points out that information obtained without authorization can be deployed to stalk and harass both officials and ordinary members of the public.
But the definition of “unauthorized access” isn’t explored adequately in the legal memo, leaving this to be answered on a case-by-bad case basis. The prosecutions of Aaron Swartz and Andrew “Weev” Auernheimer suggest the DOJ allows this definition to be set by the complainant rather than by policy. When MIT or AT&T complain, the government listens.
Also of note is the DOJ’s willingness to turf questionable cases to the local boys if that seems more likely to result in a conviction.
Where criminal activity risks these broad harms or has a substantial effect in several parts of the country, federal prosecution may be warranted. In other circumstances, if the effect of a violation is geographically focused and limited, deference to state or local authorities may be warranted, where they have the legal tools and resources to act.
The DOJ also reserves the right to take local prosecutions federal.
Where an offense causes particularly significant harm to a single District or community, federal prosecution may be warranted.
And then there’s this part, which is what worries security researchers and white hat hackers:
[F]ederal prosecution may be warranted even where the offender did not actually obtain any such information; in other words, in certain aggravated circumstances, mere access to a computer system that stores these types of sensitive information may weigh in favor of prosecution.
On the plus side, the DOJ memo does make it clear that it would rather have evidence of malicious intent than mere “unauthorized access” to work with. It also states that it should take more than violations of Terms of Service or other “contracts” with websites/service providers to trigger federal prosecution.
Unfortunately, the law is still outdated (30 years old this month!) and “unauthorized access” prosecutions are still being handled inconsistently. The DOJ is prone to letting victims steer prosecutions, resulting in completely ridiculous outcomes like the two-year prison sentence handed to Matthew Keys for a 40-minute website defacement he didn’t even perform.
The memo somewhat ominously concludes with the statement that this legal memo — pried out of its hands by litigation — isn’t intended to be “all inclusive.” Given the law hasn’t aged terribly well and is predicated on a slippery term like “unauthorized access,” the DOJ will likely be pursuing questionable edge cases for years to come.
Filed Under: cfaa, doj, guidelines, prosecution
Comments on “DOJ Finally Releases Its Internal, Mostly-Vague CFAA Prosecution Guidelines”
The DoJ, like all US security forces, is only interested in getting an arrest that leads to a successful prosecution and jail sentence. It matters not to them in the slightest that the person arrested may well be innocent, and even if that becomes obvious, to get out of an abhorrent jail term for doing nothing wrong, the accused has to take a ‘plea deal’ of a lesser sentence just to allow the DoJ to ‘save face’ and for the accused to get out of the line of fire and a myriad of trumped-up charges! Disgraceful way to act considering we are supposed to live in a country that represents ‘the land of the free, home of the brave’!
Defining laws
Vague laws and well defined laws are very different. A well defined law allows the government to enforce it in a consistent way, as well as lets the public know what it can and can not do. A vague law does not accomplish either of these.
If this law is interpreted vaguely enough that violating the terms and conditions is enough to break the law, then it becomes useless for what most people think is the purpose of law. It becomes impossible to arrest someone for merely violating the law because almost everyone is guilty. A law that is vague can only be enforced selectively.
A vague law can only be used for two purposes. The first one is to add extra charges to someone who broke other laws. This appears to be how the CFAA is used a lot of the time. The other way a vague law can be used is to punish someone who broke no other laws, but whom the government doesn’t like. To do this, they take the vague law and interpret it in a way that makes it sound less vague: instead of saying the law makes almost everything illegal, the government only says that the law makes a few things, including the specific actions of the ‘guilty’ person, illegal.
one more new law!
It is illegal to act TOO American or NOT American enough. If the DOJ determines that a suspect has engaged in insufficient or excessive amounts of being American, they will be prosecuted to the fullest extent of the law!
When MIT or AT&T complain, the government listens.
High court, low court.
Which is exactly how it should be. Or do you somehow think that the DOJ has a better idea than the owner of private property regarding who is and who is not trespassing on that property without the authorization of the owner?
Are you seriously suggesting that laws wear out from old age and need to be done away with? How about throwing these ones out, then? They’re even older!
Re: Re:
Your first point primarily allows powerful people to use the law to pursue a vendetta against those they do not like. Also such an approach allows law enforcement to steer complainants towards modifying the complaint to allow them to take action not justified by the initial complaint.
Re: Re:
They can say who is or isn’t authorized, but they should not be told you need to pad your damages to X level so we can do it more. The penalty should fit the crime, not the tortured imaginations of corporations who want the ‘hackers’ to suffer for making them look foolish.
Laws don’t wear out, laws become stupid over time.
We still have laws on the books about telegraphs and carrier pigeons, because just bolting on new things and pretending the new works like the old is easier than actually having the laws reflect reality.
Weev found something that made ATT look completely stupid, and went to prison because ATT faces no law requiring them to secure their systems. So we punish people who stumble over something left exposed by a corp who saved some cash by not following security procedures.
Aaron had the entire weight of the government dropped on him to make an example of him… his ‘crime’ had no actual cash value and actually benefited society.
Laws should not be there to allow corporations to save face for being stupid, and shouldn’t be used to send a message not to mess with the Feds or else. This law is flawed in its current structure. I mean, where were the CFAA charges for the Smart TV that went and scanned the entire home network it was connected to and sent out file names to the mothership?
Nom nom selling us out to a bad actor VPN…
Regarding the Computer Fraud and Abuse Act, Leonard Bailey of the DoJ told an audience at BSides Las Vegas 2016 that the DoJ has a policy that now mandates any CFAA charges must have a consultation from DoJ headquarters before being official.
This was stated at https://bsideslv2016.sched.org/event/7aPa/shall-we-play-a-game-30-years-of-the-cfaa.
https://youtu.be/NzDGJk8C5Fc around 56:30.
Everyone is a criminal because they get kickbacks for putting more people into for-profit prisons.
Steve Jobs and Steve Wozniak were phreakers. Steve Jobs got his start selling Woz’s blue boxes used to hack the phone system to make toll-free calls in the ’70s and stated in interviews that if not for the blue boxes, there would have been no Apple. Wozniak is now worth $100 million and Jobs died a multi-billionaire. Never prosecuted.
Aaron Swartz died in a jail cell at 26 years of age facing the threat of 50 years in prison and $1 million in fines for exploiting MIT’s own policies and license agreements with JSTOR to download as many research articles (research mostly paid for with publicly funded grants) as he could to make available to the public that already paid for the research. CFAA used to prosecute despite no other laws or legal agreements broken. JSTOR, the "wronged" party, didn’t even want to prosecute.
We will never know what Swartz could have created if not for the CFAA or his prosecution at the hands of the DOJ and MIT.
We do know that Apple, Macintosh, the iPod/iPad/iPhone, iTunes, Pixar, etc. would never have existed if Jobs and Wozniak had been prosecuted under the CFAA, which did not exist at the time, or under any laws that did exist and were actually broken. Jobs even called his LSD experiences around that same decade "one of the two or three most important things [he had] done in [his] life."
This is the price we pay for the never ending pursuit of criminalization.