Our final panel looked beyond the question of authorization in order to propose reforms to the Computer Fraud and Abuse Act (CFAA) and discuss its broader regulatory consequences. We featured the following distinguished panelists: Orin Kerr, Fred. C. Stevenson Research Professor of Law, The George Washington University Law School; Ric Simmons, Chief Justice Thomas J. Moyer Professor for the Administration of Justice and Rule of Law, Ohio State Law School; Michael Levy, Chief, Computer Crimes Section, U.S. Attorney’s office for the Eastern District of Pennsylvania; and Paul Ohm, Professor of Law, Georgetown Law.
Trespass, Not Theft: Rethinking Sentencing Under the Computer Fraud and Abuse Act
Professor Orin Kerr, who is a nationally recognized scholar of criminal procedure and computer crime law (and co-host of the Symposium), was the first to present. Before joining the faculty at GW Law, Professor Kerr was a trial attorney in the Computer Crime and Intellectual Property Section at the U.S. Department of Justice. This extensive experience with computer crimes at the trial level was reflected in his presentation: Trespass, Not Theft: Rethinking Sentencing Under the Computer Fraud and Abuse Act.
In this work, Professor Kerr argues for a new sentencing guideline under the CFAA. Currently, the sentences for these crimes are calculated under U.S. sentencing guidelines as a subset of theft offenses with the option of heightening the punishment for fraud. Professor Kerr calls this the “fraud-plus” approach. Instead, Professor Kerr posits that CFAA crimes are trespass crimes because they concern an actor breaking into a private space. Therefore, these crimes must be punished proportionately.
There are definitive problems with the current sentencing structure. First, the fraud plus approach has broad liability for consequential harms with extra punishments depending on the context. As a result of the theft misclassification mentioned above, losses are calculated not by wrongful gains on the part of the defendant, but rather by how the victim chooses to remedy the losses. Specifically, sentences are based on victim losses calculated by multiplying victim hours spent responding to the offense by the employee hourly rate. The problem with calculating the losses in this manner is that victims may respond and attempt to remedy the losses in different, perhaps inefficient manners. This removes the defendant’s conduct as a part of the sentencing calculation, in favor of the victim’s choice.
While CFAA crimes can cause economic loss like theft or fraud, they are more likely to affect the integrity or confidentiality of a victim’s data. In other words, the main theme of CFAA crimes is the loss of privacy, not theft. Although Professor Kerr does believe the Commission should account for consequential losses in drafting new guidelines, he also believes the Commission should correct the current Guidelines’ exaggerated focus on these losses. The consequential damages here are distinct from a typical fraud calculation. Unlike fraud, in hacking crimes the victim’s response to the harm (and in fact the harm itself) is beyond the perpetrator’s control. Along this same line of reasoning, the rule for unforeseeable consequential losses should also be abandoned.
The Impossible Task of the Computer Fraud and Abuse Act: Time to Take a New Approach to Regulating Computer Crime
Professor Ric Simmons’s presentation took stock of the CFAA from its 1984 infancy to its present-day operation as a case study on the regulation of criminal activity involving technology. Using the rubric of whether the law addressed any new criminal activity related to tech inventions not already covered by existing laws, Professor Simmons determined that: 1) most of the crimes described in the CFAA would be better regulated by pre-existing criminal statutes that cover the underlying manifestations of computer crimes (such as theft, fraud, and damage), and 2) only the concepts of unauthorized access—using a computer to trespass into private information and/or using a computer to damage data by manipulating, modifying, or destroying the data—were not already addressed by existing law.
Professor Simmons notes that where a new type of criminal activity is identified, legislators must be sure to discover the best manner in which to prohibit the behaviors it foresees to be unique to the technology. In reviewing the overly broad definitions (and undefined terms such as unauthorized access) in the CFAA, Professor Simmons argues that this new criminal activity was not getting its best treatment under the Act in that it failed to define crucial terms, and then failed to update the law to keep pace with the technological advances modifying the criminal activity.
Instead, Professor Simmons argues that new technological, criminal activity would be better regulated by an administrative agency serving a traditional a rule-making function in a manner similar to the Securities and Exchange Commission or the Food and Drug Administration. By creating enabling legislation, Congress could set out broad principles that allow it to delegate some of responsibility of keeping up with new innovations to an agency that is faster and has specialized knowledge that the Congress does not have. This solution may also be more transparent and dynamic in that the agency could have notice and comment periods during which interest groups could provide feedback on the proposed rules.
A Proposed Amendment to 18 U.S.C. 1030 — The Problem of Employee Theft
Chief of the Computer Crimes Division, Mr. Michael Levy, next presented a proposal to amend the CFAA to account for crimes of “unauthorized access” resulting in the theft of information by disloyal employees. Mr. Levy notes that there is a circuit split on the interpretation of 18 U.S.C. § 1030(a)(2) over whether an employee is liable under the CFAA when they take data on their way out of their current employment.
Drawing upon his extensive CFAA experience at the United States Attorney’s Office of the Eastern District of Pennsylvania, Mr. Levy notes that this lack of uniformity in federal law has caused complications and arbitrariness in the prosecution of these crimes nation-wide. Further, this split also robs victims of their relief where trade secret laws fail to address the wrongs not covered under the CFAA. Mr. Levy makes it clear that not all materials stolen by employees are trade secrets. He uses the example of a list of customers and their contact information to illustrate how an competitive (and soon to be former) employee might steal company information while avoiding liability both under the CFAA and under trade secret liability. As such, Mr. Levy proposes an amendment for a business community that he argues “needs an answer yesterday.”
This presentation, like the others already mentioned, goes beyond authorization. Instead of focusing on that controversial and much-debated question, Mr. Levy hones in on the issues by highlighting the victim’s fears: employees accessing computers with the intent to steal information. Indeed, Mr. Levy notes that Citrin, Nosal, and Rodriguez all involve employees using their employee status to misuse an employer’s data. This amendment thus removes the problem of the circuit split by taking the focus away from the question of whether an employee’s access was “unauthorized,” and asking instead what the employee’s underlying intent reveals.
The Children of the CFAA: The Expanding Regulation of Code under Federal Law
Professor Paul Ohm presented work that will be co-authored by himself and Blake E. Reid. These scholars look past the specific debates concerning unauthorized access and its definition by focusing on the ways in which the CFAA affects other regulatory efforts to constrain code and coders. During the presentation, Professor Ohm noted the grand shifts in the American regulatory landscape that strike at the very heart of this symposium. He began with a visual representation of new idea inputs in invention, as represented by categories of American patents. By looking at the trajectory of patent invention, Professor Ohm noted a clear movement from innovation that was dominated by electrical and chemical inventions, to health-care related patents, to the present-day spike in inventions related to computers and communications. Professor Ohm posits that this massive shift represents unchartered ground for regulatory regimes—the future of regulation is invariably linked to this wellspring of activity.
Next, Professor Ohm presented an example of this shift through the FCC’s Telecommunication Act power under 47 U.S.C. § 333 to police the willful or malicious interference of “any radio communications of any station licensed or authorized by or under this chapter or operated by the United States Government.” Previously, this was understood by the hacking community to mean the FCC had the power to police hardware and users that caused interference.
However, this dynamic shifted with the invention of software defined radio, which is hardware that can only be reconfigured by software. Specifically, the FCC’s Office of Engineering and and Technology released a memo in March of 2015, titled “Software Security Requirements for U-NII Devices,” which called for caution on the part of users of devices operating in the unlicensed 5 GHz band to reduce the risk of harmful interference. This memo, Professor Ohm argues, signaled to hackers that the FCC was commenting on software—a move considered as going far beyond its traditional regulation territory.
In looking at the regulation of code, Professor Ohm also noted the other federal laws involving coders, such as the Digital Millennium Copyright Act, the Telecommunications Act Regarding Harmful Interference, and the Wiretap Act’s Inception Prohibition. These various implications of code, he argues, could create a regulation thicket (a patchwork of overlapping code regulations in various federal laws) analogous to the current patent law thicket. This thicket could perhaps be remedied by a general, unifying act. Lastly, the thicket may also result in the rise of “turf wars” among various regulatory agencies. Professor Ohm points to the example of the Federal Trade Commission and the Federal Communications Commission’s policing of wireless providers.
Conclusion
Our final panel stressed that the rise of code and hacking activity fundamentally altered (and continues to transform) the modern regulatory landscape of the nation. Whether discussing administrative agencies, amendments to existing CFAA provisions, or the aftershocks of the CFAA throughout other federal entities, these panelists allowed our audience to peer into the next stage of innovation both in the law and in technology. We thank the panelists for their phenomenal contributions to the current scholarship and commend them for a timely, fascinating symposium.
This summary was authored by Law Review member Melika Hadziomerovic.