On November 6, 2015, The George Washington Law Review hosted its annual symposium, this year entitled “Hacking into the Computer Fraud and Abuse Act: The CFAA at 30.” The CFAA is the acronym for 18 U.S.C § 1030, the Computer Fraud and Abuse Act. The CFAA was created thirty years ago to help combat a new wave of computer crimes that was beginning to become more prevalent as technology became an increasingly integral part of our society. David Bitkower, Principal Deputy Assistant Attorney General of the Criminal Division at the Department of Justice offered opening remarks.
Mr. Bitkower’s opening remarks focused on three separate components of CFAA scholarship: why we need the CFAA, how law enforcement and the courts use the CFAA, and how the CFAA can be improved now that it has remained largely unchanged for the past three decades even though computers, and computer crimes, have made vast advancements. The structure of the opening remarks parallels with the panels that were hosted during the remainder of the day.
First, Mr. Bitkower addressed why we need the CFAA, noting that there are twelve new victims of cyber crime every second. Congress created the CFAA, Mr. Bitkower proffered, with the intention of providing clearer statutory guidelines both to law enforcement and potential hackers regarding what types of computer crimes are prohibited to either unauthorized users or users who exceed their authorized access of certain machines. The topic of unauthorized access was the subject of the first two panels of the session, entitled “What is Unauthorized Access? Part 1 and Part 2.” During the first panel, the panelists discussed a norm-based theory of authorization as well as drew comparisons between property law, general criminal law, and the CFAA. The first panelist, Matthew Kugler, discussed his research in surveying Americans to determine how far the limits of their beliefs of authorization stretched. Secondly, Josh Goldfoot and Aditya Bamzai presented their article. Mr. Bamzai presented first, drawing a comparison between physical trespass onto another’s property and the CFAA, as demonstrated by Congress’ borrowing of property trespass language when constructing the CFAA. Mr. Goldfoot then went on to discuss the mens rea component of the CFAA: intent. He supports Mr. Kugler’s supposition that a normative-based approach to authorization is most appropriate, positing that it is unauthorized access if a defendant understands the fact that she is meant to be excluded from accessing the computer.
In contrast to the normative, psychological-based approach taken by the first panel, the second panel put forth a much more quantitatively focused discussion. The first panelist, Professor Patricia Bellia, advocated for a much more narrow, code-based approach to authorization, whereby only if someone bypassed a technical restriction to access would they be an unauthorized user of a machine. Professor Michael Madison drew parallels between the CFAA and copyright law. Finally, Professor James Grimmelmann slightly departed from the first two panelists’ views, encouraging instead the idea that the courts’ jobs are not just to interpret the statute, but also to construct. He put forth the idea that the issue of access and authorization cannot be solved simply by the doctrinal tools of interpretation, but also requires a level of judicial construction on behalf of the courts. Regardless of the approach adopted by courts of the normative versus code-based authorization, these two panels make clear that Mr. Bitkower’s remarks hold true: the CFAA recognizes the basic expectation that computer users and operators have to control access to their machine.
Second, Mr. Bitkower addressed how the law enforcement system uses the CFAA. His remarks focused on the use of the CFAA as a criminal statute, although a civil cause of action is included as well. While the CFAA is used by the Department of Justice as a criminal statute to prosecute hackers, there have also been instances where the Department of Justice has attempted to convict so called “insider jobs,” which has resulted in a circuit split. Perhaps the most notable of cases concerning an employee who used his access to a computer to obtain information and use it in a way not intended by his employer is the case of United States v. Nosal, a case decided by the Ninth Circuit sitting en banc and the subject of Panel 3. In Nosal, an employee who was planning to quit his job and start his own competing business took a substantial amount of information from his then-employer’s database including client data and industry knowledge. While the government argued that his access and use of the information exceeded what he was authorized to do and was in violation of the CFAA, the Ninth Circuit ultimately agreed with Nosal. Nosal had countered that even though he may have violated his employer’s contractual use and disclosure policy, he was not in violation of the CFAA. In its ruling, the court remarked that Congress had intended for the statute to punish hackers, not insiders such as disloyal employees. Panelist Jonathan Mayer agreed with Nosal’s interpretation of the legislative history, and focused his presentation on how courts have used Nosal to limit the scope of the CFAA since that case. Conversely, panelist William Hall of the Department of Justice read a series of quotations from the Congressional record and attempted to show that the Nosal decision was in fact contrary to what Congress had in mind when passing the CFAA. Because of the ambiguity of the statute along with the circuit split that has occurred since Nosal, the next topic of both the final panel as well as Mr. Bitkower’s opening remarks centered around the reformation of the CFAA.
Finally, Mr. Bitkower remarked on two primary areas where the CFAA should be changed, one of which is the activity at issue in Nosal: insider access. Mr. Bitkower proposed that the CFAA should make it illegal, but perhaps only in aggravated incidents, the act of intentionally accessing information in excess of intended authorization. He also addressed the issue of botnets, which are elaborate webs of computers that can be used to forward transmissions such as viruses to a multitude of computers and then retreat undetected. As the CFAA is currently interpreted, people who rent and sell access to botnets cannot be prosecuted under the Act. In order to fix this, Mr. Bitkower argues, the Act should be amended to make expressly illegal trafficking of means of access, which would eliminate the loophole currently being used by those selling and renting botnet use.
The fourth and final panel of the day expanded on Mr. Bitkower’s ideas, discussing additional ways in which the CFAA could be changed. Co-host of the Symposium and Professor Orin Kerr argued for new sentencing guidelines under the CFAA, where the crime is punished not based on the monetary value of how the victim chooses to remedy the harm, but rather is based on the loss of privacy similar to the way in which a trespass crime is sentenced. Professor Ric Simmons suggested that the few crimes that, absent the CFAA, wouldn’t be covered by any other criminal statute should be regulated by an administrative agency. Next, Michael Levy, Chief of the Computer Crimes Section of U.S. Attorney’s Office for the Eastern District of Pennsylvania proposed an amendment that echoed sentiments from earlier panels: an amendment that dealt with the intent of user who exceeded access to a computer. Lastly, Professor Paul Ohm suggested that a single, unifying act could be established to help remedy what he referred to as a thicket of regulations that govern the coding world.
Each session, including the opening remarks, concluded with a robust question and answer session facilitated by the panel’s moderator. In concluding the opening remarks, Mr. Bitkower remarked that while the Department of Justice isn’t necessarily worried about an imminent occurrence that would be a type of “Pearl Harbor moment”, as worded by an audience member, he did remark that the CFAA is an important tool in preventing such an event and reinforced the importance of it’s reformation and continued place of importance in legal scholarship.
Thank you to all of the panelists and participants in this year’s Symposium, Hacking into the Computer Fraud and Abuse Act: The CFAA at 30. The George Washington Law Review team looks forward to next year’s administrative law issues and the next annual Symposium!
This post was authored by Law Review member and On the Docket Fellow, Talya Bobick.