In September of last year, Congress amended the Computer Fraud and Abuse Act (CFAA) as part of a larger bill dealing with identity theft.
Unfortunately, the amendments broaden the already extensive reach of the law, and fail to clarify the most vexing question about the statute, the definition of “unauthorized access”. However, they do shed some light on the issue of what constitutes the necessary element of “damage”, showing that several cases holding that mere unauthorized viewing of data is sufficient for a CFAA claim were wrongly decided. As a result, the new amendments may give internet innovators, researchers and speakers some arguments that could keep search engines, vulnerability reporting and other legitimate uses of computer systems legal.
IN GENERAL: SUMMARY OF THE 2008 AMENDMENTS
As part of the recent amendments, Congress struck language that defendants may have been able to use to argue that some portions of the CFAA do not apply to purely intra-state computer attacks. Congress also made conspiring to commit a computer crime a crime in itself, though it was certainly already unlawful under the general conspiracy statute. The amendments specify additional circumstances under which computer-crime-related threats are unlawful. Furthermore, the amendments did away with the requirement that the government show $5,000 worth of loss if it can show that 10 or more computers were damaged within a one-year period.
THE BAD: BROADER REACH, JUST AS VAGUE
Congress clearly broadened the reach of the statute, but it failed to address the most difficult question of how to distinguish legal from illegal activity online. The amendments give no further guidance on the question of when access is “unauthorized” or “exceeds authorization”. This legal confusion underlies the misguided criminal prosecution of Lori Drew for violating the MySpace terms of service, the discredited investigation of Boston College student Riccardo Calixte for allegedly sending a prank email about his former roommate to other college students, the 2003 conviction of Bret McDanel for sending an email warning customers of his former employer about a security flaw in the product, and the investigation of aides to California gubernatorial candidate Phil Angelides for obtaining audio recordings of incumbent Arnold Schwarzenegger that were posted on the Governor’s web server, just to name a few.
Congress could have vastly improved the CFAA by specifying, as some state statutes do, that unauthorized access occurs when someone circumvents security measures to gain access, as opposed to violating a terms of service or engaging in other harmless but unwanted use.
THE GOOD: CLARIFYING THE DEFINITION OF DAMAGES
However, the amendments may have provided some much needed clarity on the definition of damage, another important element in some CFAA violations.
Damage is defined as “any impairment to the integrity or availability of data, a program, a system, or information”, but there has been no consensus on what “damage” includes. The common sense meaning is that a computer system fails to operate properly because the attacker broke it, or deleted or otherwise corrupted data.
But some courts took a more expansive view of damage, under which any access whatsoever “impaired the integrity” of the data, program, system or information, either because it was no longer absolutely trustworthy or because the data was no longer entirely under the system owner’s control. See e.g. H & R Block E. Enter., Inc. v. J & M Secs., LLC, No. 05-1056, 2006 WL 1128744, at *4 (W.D. Mo. Apr. 24, 2006) (allegations that the defendant’s “unauthorized access and use of ... confidential customer information” caused the plaintiff to suffer at least $5,000 in damages survive motion to dismiss); HUB Group, Inc. v. Clancy, No. 05-2046, 2006 WL 208684, at *3-4 (E.D. Pa. Jan. 25, 2006) (integrity of the plaintiff’s computer database was damaged under the CFAA by the defendant’s unauthorized access to confidential information). In one case where I represented the defendant on appeal, the trial court had agreed with the government’s argument that sending truthful information that a computer system was insecure impaired the integrity of that system because it was now easier for outsiders to access the system, and the company decided to fix the problem. (U.S. v. McDanel, Ninth Circuit Court of Appeals No. 03-50135; see Government’s Motion for Reversal of Conviction, pp. 5-6 (pdf)). These cases hold that no harm is required beyond the defendant having viewed information, which will be true in almost every case.
The current amendments move away from this expansive view, perhaps providing some useful guidance for courts and litigants dealing with the question of “damage”. New section (a)(7) prohibits:
“with intent to extort from any person any money or other thing of value, [transmitting] in interstate or foreign commerce any communication containing any--
(A) threat to cause damage to a protected computer; (B) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or (C) demand or request for money or other thing of value in relation to damage to a protected computer …
By its very terms, new section (a)(7) separates a threat to cause “damage” from a threat to obtain information and from a threat to impair the confidentiality of information. If merely obtaining information, or viewing it so that it was no longer confidential, were “damage”, Congress would not have needed to amend the statute to add subsections (B) and (C); these would already have been subsumed in the existing prohibition on threats to cause “damage” set forth in the former (a)(7). Thus, merely obtaining or viewing information does not constitute damage under the CFAA. Damage, defined as impairment to the “integrity or availability” of a system or data, must mean corrupting or deleting the data, or causing the system to stop working so that the data or service is inaccessible to authorized users.
For felony prosecutions, the only kind the federal government is really interested in, the government must prove damage (or access to national security information, impairment of medical data, physical injury or another specially enumerated kind of harm). Civil litigants must also prove damage (though some cases have found that a valid civil cause of action may be based on a showing of economic loss rather than damage). So if there is no damage, there should not be any successful adverse legal action.
How might this apply to search engines, security researchers and others who use internet-based information in useful ways, but without the permission of the server owner? Take the example of an airline fare search tool. Merely obtaining information about web fares and schedules would not “damage” the computer system or its data, and thus an airline could not use the CFAA to prevent such “scraping”. As another example, there would be no argument whatsoever that sending an email in the normal manner caused “damage”, regardless of whether the content of that email violated a provision of the terms of service. So retention and clarification of the damage element may be a way of avoiding the difficult question of “authorization” while limiting legal action under the Computer Fraud and Abuse Act to those computer accesses that actually constitute fraud and abuse.