The Computer Fraud and Abuse Act, the law that's been at the heart of almost every controversial hacking case of the past decade, is in the news again this month.
Prosecutors recently used the law to convict journalist Matthew Keys on felony hacking charges, drawing rounds of condemnation on the web. Edward Snowden, for one, derided the harsh penalty Keys now faces—a maximum possible sentence of 25 years.
But charging Keys with felonies for his role in a crime that critics say should have been considered a misdemeanor—the minor defacement of a Los Angeles Times article—is not an anomaly for the feds. It's just one among a growing list of contentious cases that critics say illustrate how prosecutors have been overstepping in their use of the CFAA.
The government first used the federal anti-hacking statute in 1989, three years after its enactment, to indict Robert Morris, Jr., son of the then-chief scientist at the NSA's National Computer Security Center. Morris Jr., a graduate student at Cornell University at the time, was charged with creating and unleashing the now-infamous Morris worm. The Morris offspring ultimately fared better than most who have been convicted under the law; he was sentenced to three years probation and 400 hours of community service. He's now a tenured professor at MIT.
Since his conviction, the CFAA has been used to prosecute hundreds of other high- and low-level hackers, often to much controversy.
The law, in its simplest form, prohibits unauthorized access—or exceeding authorized access—to protected computers and networks. That seems straightforward enough, but because the law was so broadly written, creative prosecutors have stretched the interpretation of unauthorized access far beyond what lawmakers likely intended. For example, it was used to criminally prosecute Andrew Auernheimer for accessing unprotected data that was freely available on an AT&T website.
Another disturbing and growing trend is how prosecutors use the law to criminally charge employees and ex-employees for exceeding authorized access. In 1994, the CFAA was amended to allow civil actions to be brought under the statute. This opened a path for corporations to sue workers who steal company secrets in violation of their authorized access. But instead of using this civil recourse, companies have, in several cases, worked with the government to criminally charge employees who violate work contracts.
"It's a poorly written statute that doesn't effectively define the main thing it seeks to prohibit," says Tor Ekeland, a New York-based defense attorney who has worked on a number of controversial CFAA cases. "There are ambiguities surrounding that definition that allow prosecutors wide latitude to bring charges under theories that shock computer people in the infosec community. Combine that with the fact that there is this general paranoia about hackers—it's a sort of hysteria that's on par with the hysteria about witchcraft."
Civil liberty and legal advocacy groups have called on lawmakers to reform the CFAA to prevent zealous prosecutors from punishing conduct that many feel doesn't truly constitute a computer crime. Calls for reform grew particularly loud in 2013 after internet activist Aaron Swartz committed suicide following his indictment on charges related to downloading academic papers.
But as critics have pushed to limit CFAA prosecutions, the government has simultaneously sought to further strengthen and increase the law's scope by calling on lawmakers to both increase the maximum sentence for hacking crimes (.pdf) and expand the definition of unauthorized access.
In the interest of tracking how the law has been used, we've compiled a list of some of the most bizarre and controversial cases prosecuted under it. With most of these examples, how the government used the CFAA was often as much on trial as the defendants who were charged.
Internet activist Aaron Swartz's CFAA prosecution is one of the leading reasons critics want to reform the law. Swartz was indicted in 2011 after allegedly connecting to an MIT network and downloading 2.7 million academic papers that were freely available to any campus visitor through the JSTOR service. JSTOR didn't pursue a complaint, but the Justice Department prosecuted anyway, saying Swartz violated the terms of service by downloading the documents with an intent to distribute them off-campus. "Stealing is stealing," US Attorney Carmen Ortiz said.
Prosecutors charged Swartz with four felony counts, but later increased this to 13 counts by delineating each date he downloaded documents and turning them into separate counts, thereby increasing the maximum sentence he faced to 50 years and his potential fines to $1 million. Prosecutors offered Swartz a plea deal that would have had him serve six months in prison, but he rejected it because he didn't want any prison time, or a felony conviction on his record. Three months before his trial, Swartz committed suicide, which his family blamed in part on the overzealous prosecution.
Andrew Auernheimer (aka "weev"), a self-professed internet troll, was hardly a sympathetic figure when the government brought hacking charges against him and friend Daniel Spitler in 2011. The two discovered a hole in AT&T’s website that allowed them to obtain the email addresses of AT&T iPad users. When iPad users accessed AT&T's website, the site recognized their device ID and displayed their email address. Spitler and Auernheimer wrote a script that managed to harvest about 120,000 email addresses by modeling the behavior of thousands of iPads with unique IDs contacting the website. The government insisted that accessing unprotected emails that AT&T didn't want anyone to access was criminal hacking.
Auernheimer was convicted and sentenced to three and a half years in prison. His conviction, however, was vacated on appeal over the issue of venue—the court ruled that New Jersey, where the case was tried, had no business charging him since none of his crimes occurred in that state. Unfortunately, this meant that the more significant issue addressed by his attorneys on appeal—challenging the government's claim that accessing data on a public website qualified as hacking—never got resolved.
By the government's own admission, Matthew Keys' hacking crime was minor. But prosecutors inflated the victim's losses to elevate the charges from misdemeanors to three felonies, according to his attorneys.
Keys had been a web producer for KTXL FOX-40 TV in Sacramento before his job ended in October 2010, following a dispute with managers. Later, in an online chatroom frequented by members of Anonymous, he disclosed the username and password for a server owned by the Tribune Company—parent company to Fox-40 and the Los Angeles Times newspaper—and encouraged members to use the credentials to "go fuck some shit up."
A hacker known as "Sharpie" used the credentials to superficially alter an LA Times news story. The breach was discovered within an hour, and the article restored, seemingly causing little damage. Prosecutors didn't charge Keys with conspiracy to gain unauthorized access, however. They charged him with, among other things, conspiracy to cause unauthorized damage to a computer, then proceeded to work with the victim to elevate the damages. They did this by calculating activity that involved no damage to computers. For example, they counted as damage the amount of time Fox-40 workers spent responding to emails Keys allegedly sent them after leaving his job and responding to complaints from viewers that came in after Keys allegedly obtained a viewer email list and sent spam to them. Keys was recently convicted on three felony charges and is awaiting sentencing.
Fidel Salinas, a 28-year-old with ties to Anonymous, faced what may be the most schizophrenic hacking prosecution of all time: In 2012, he was charged with 44 felony counts of computer fraud and abuse, each one carrying a potential 10-year prison sentence. (Salinas claims that the 440 years of prison time was intended to coerce him into hacking targets on behalf of the FBI, which he refused to do.)
His defense attorneys challenged the prosecutorial overreach, which had included adding a new charge for every time Salinas had merely entered text into an unnamed victim’s website over the course of minutes. Under scrutiny, the prosecutors’ case quickly crumbled. By the end of 2014, the mountain of charges against Salinas had been reduced to a single misdemeanor: slowing down a state government website by repeatedly querying it with vulnerability-scanning software. He was sentenced to six months in prison and a $10,600 fine.
The government stretched the borders of the CFAA to new dimensions in charging a middle-aged Missouri mother named Lori Drew with hacking in 2008. Prosecutors charged Drew not for breaching a computer, but for violating MySpace's terms of service after she conspired with three others to open a phony MySpace account as a nonexistent teen named Josh Evans. Drew and her associates used "Evans" to bully a teen girl who had fallen out with Drew’s daughter.
After the girl, who had a history of depression, killed herself, the public pressured authorities to charge Drew with a crime, any crime. There was no law against cyberbullying, so prosecutors charged Drew with unauthorized access to MySpace’s computers because she violated the site's user agreement. MySpace required that registrants provide factual information about themselves when signing up and also refrain from using information obtained from the site to harass anyone. Prosectors argued that by violating this contract, Drew had committed the same crime as any hacker. The jury agreed. But the judge ultimately vacated the conviction, on grounds that the government's interpretation of the CFAA was constitutionally vague and "would convert a multitude of otherwise innocent Internet users into misdemeanant criminals."
David Nosal had worked for executive search firm Korn/Ferry International. After leaving, he talked former colleagues into accessing a company database and giving him trade secrets to help him launch a competing business. Instead of Korn/Ferry suing him for theft of trade secrets, however, prosecutors charged him under the CFAA for inducing Korn/Ferry workers into accessing data they were authorized to access but forbidden to divulge under the terms of their work contract.
Nosal was convicted in 2013, but not before his case took two side trips to the Ninth Circuit Court of Appeals to address the unusual circumstances. The first time, the circuit judges ruled that someone didn't have to actually hack something to be charged as a hacker under the CFAA. The second time the judges ruled on a finer point, concluding that employees could not be prosecuted under the CFAA for simply violating their employer’s computer use policy. Other CFAA charges were left to stand, however, stemming from allegations that in at least one case ex-employees used the credentials of a current employee to access Korn/Ferry data and pass information to Nosal. Nosal was convicted and sentenced to one year and a day. The case is currently on appeal.
Sergei Aleynikov was a programmer for Goldman Sachs who helped develop its high-speed trading software. Shortly before leaving his job, he downloaded code he'd written for the company. In 2009, prosecutors charged him with unauthorized access under the CFAA, as well as with theft of trade secrets under the Economic Espionage Act and with interstate transport of stolen property. For his defense, Aleynikov asserted that he'd only intended to download open source software files on which he had worked; his collection of a small amount of proprietary code in addition to that had been inadvertent. His attorneys moved to dismiss the CFAA charge and the court agreed, ruling that “an employee with authority to access his employer’s computer system does not violate the CFAA by using his access privileges to misappropriate information.”
The other charges were left to stand, however, and Aleynikov was convicted in 2011. Although a federal appeals court later reversed the conviction, ruling in part that Aleynikov had been wrongly charged with espionage, the district attorney’s office in Manhattan then found state laws under which to bring new charges for the “unlawful use of secret scientific material” and the “unlawful duplication of computer related material.” Aleynikov was convicted under the first charge but acquitted of the second.
Additional reporting by Andy Greenberg.
