Court Rejects Argument That All First-Time Email Hacking Offenses Are Felonies
Over the past few years, prosecutors have tried to stretch the Computer Fraud and Abuse Act (CFAA) in troubling ways through cases like United States v. Drew. This week, a federal appeals court rebuffed another attempt to expand the CFAA, finding that prosecutors can't double-count computer crime charges to turn misdemeanors into felonies.
Under the CFAA, it's generally a misdemeanor to access a computer in a way that is unauthorized or exceeds authorization. If someone violates the CFAA "in furtherance" of breaking another law, the crime turns from a misdemeanor into a felony. A different law, the Stored Communications Act (SCA), prohibits getting unauthorized access to someone else's email stored with an ISP. Since breaking into an email account stored with an ISP necessarily involves unauthorized access to the ISP's computer, the government can normally prosecute a first-time offense as a misdemeanor under the CFAA or the SCA.
Yet in United States v. Cioni, the government argued that a woman who broke into other people's email accounts violated the CFAA "in furtherance" of violating the SCA, double-counting the computer crime violations to convict her on felony charges.
This kind of double-counting punishes the defendant twice for the same thing, which is unconstitutional under the Fifth Amendment. If the appeals court affirmed Cioni’s conviction, that would mean that every unauthorized access to email stored with an ISP would be a felony. It's clear that Congress didn't want that, since it put misdemeanor punishments in the SCA. And while EFF takes email privacy very seriously, we think it's important for courts to apply computer crime laws cautiously.
So last fall, we partnered with the National Association of Criminal Defense Lawyers to file an amicus brief in the Cioni case. We argued that government's double-counting amounted to double jeopardy. We also said that the government's approach wasn't consistent with congressional intent or cases interpreting similar language in another computer crime law, the Wiretap Act. The Fourth Circuit agreed, finding that Cioni's two felony CFAA convictions should be reduced to misdemeanors.
The court got it right. It's clear that Congress meant for most first-time computer crimes to have less severe punishments, and not significant prison time.
For more analysis of this case, read Professor Orin Kerr's blog post here.