High court should clarify scope of CFAA

OCTOBER 2017 TERM

The U.S. Supreme Court will soon decide whether to review the United States v. Nosal, and its decision will have critical implications for entrepreneurs, innovators, computer security professionals, employees, and, at bottom, all of us who use the internet. Nosal addresses the scope of the Computer Fraud and Abuse Act, and how it’s sometimes misused to allow large internet companies and employers to essentially write the law it can later accuse someone of violating. The case is an opportunity to put an end to abuse of the CFAA’s notoriously vague language and usher this outdated law into the 21st century. The Supreme Court should take it.

The CFAA — passed in 1986, when there were only about 2,000 computers connected to the internet — makes it a crime to access a computer connected to the internet “without authorization.” But the law fails to explain what this means. This has proven problematic in today’s interconnected world, where we access someone else’s computer anytime we visit a website or use a phone app. The statute was intended to outlaw serious computer break-ins, like that depicted in the 1983 techno-thriller “WarGames.” A Senate report cited the film, in which Matthew Broderick breaks into a U.S. military supercomputer programmed to predict nuclear war outcomes and unwittingly almost starts World War III, as “a realistic representation of the automatic dialing and access capabilities of the personal computer.” But as a direct result of its vague language, the statue has metastasized in some jurisdictions into a tool for both law enforcement and private parties to police Internet use and enforce terms of service. In these jurisdictions, courts consider violations of a computer owner’s preferences, expectations, and policies relevant for determining whether an individual has accessed a computer “without authorization.” In Nosal, the 9th U.S. Circuit Court of Appeals joined this set of courts.

While others jurisdictions rightly recognize that a law intended to criminalize computer “hacking” shouldn’t be applied to violations of computer use policies, the disagreement in the lower courts has caused a great deal of confusion and uncertainty. It’s hard to know what types of computer use would count as criminal. This is exactly what the Rule of Lenity is supposed to protect against.

In Nosal, the 9th Circuit found that it was a crime under the CFAA for an ex-employee to access a proprietary corporate database with a current employee’s login credentials, with that employee’s knowledge and permission, after his own credentials were revoked. The court got there by importing the company’s implicit ban on sharing passwords into its own definition of authorization. The court held that authorization under the CFAA can only come from a computer owner (such as an employer or website owner), not a computer user or account holder. But the statute doesn’t make this distinction, and under this reasoning anyone who has ever used someone else’s password with the approval of an account holder but without the approval of the computer owner is at risk of prosecution. The court doesn’t differentiate ordinary password sharing — logging into someone’s account when they are ill to help with a mundane task, like getting a boarding pass — in a way that anyone can safely rely upon.

In other cases, courts have found that accessing a computer in violation a corporate computer use policy is enough for a CFAA violation. Under this reasoning, registering a Facebook account with a fake name could be grounds for a conviction.

This uncertainty has chilled security researchers and innovators alike. And understandably so: The CFAA’s penalties are draconian. First time offenses are punishable by up to five years in prison (10 years for repeat offenses), plus fines, with no possibility for a misdemeanor.

The combination of legal uncertainty and exorbitant penalties also makes the CFAA perfect fuel for abusive cease and desist letters. In one infamous C&D from this summer, Zillow cited the CFAA in list of various other laws the McMansion Hell blogger “may” have broken. (The letter unleashed a wave of negative publicity, and Zillow decided against moving forward with legal action.) The law is also cited in letters from websites demanding that competing services refrain from legal uses of publicly available data on their sites. This very practice is at issue in a case pending in the Northern District of California, HiQ Labs, Inc. v. LinkedIn Corporation. HiQ — one of many to have received a cease and desist letter from LinkedIn in the last year citing the CFAA — proactively sought clarification from the court as to whether automated access of publicly available data on LinkedIn’s website, in violation of LinkedIn’s terms of services, constituted a CFAA violation. The court recently issued a preliminary injunction order in hiQ’s favor, expressing doubt that the CFAA can be invoked “to punish hiQ for accessing publicly available data” and concern over the implications LinkedIn’s position could have on the open internet. LinkedIn is appealing the decision.

LinkedIn certainly isn’t the only company that has used the CFAA to stomp out innovation and competition. And the misuse has dangerous implications for us all. The CFAA is first and foremost a criminal statute. Efforts by private companies to expand the reach of the CFAA in the civil context — where judges may not be as scrupulous in applying the Rule of Lenity — directly shape the law’s reach in criminal cases. Using the CFAA to knock out a competitor in one case can land someone in jail in the next.

Companies and employers may have legitimate reasons for enforcing terms of use. But using a federal criminal law with draconian penalties to do so is not the answer. Common sense changes, like clarifying that terms of service violations cannot give rise to federal criminal liability, are needed — both to rein in prosecutorial discretion and stop companies from using the CFAA as a scare tactic. The Supreme Court should take up Nosal and clarify that the CFAA, a law meant to prosecute malicious actors who break into computers to steal data or cause damage, must be limited to its purpose.