Fort Belvoir, Virginia—The Electronic Frontier Foundation (EFF) asked a U.S. Army Court of Criminal Appeals Wednesday to overturn Chelsea Manning’s conviction for violating the Computer Fraud and Abuse Act (CFAA), arguing that the law is intended to punish people for breaking into computers systems—something Manning didn’t do.
Manning is serving a 35-year sentence for her role in the release of approximately 700,000 military and diplomatic records to Wikileaks. She was convicted of 19 counts in all, including one under the CFAA. Her CFAA conviction stems from using unauthorized software to access a State Department database, which was prohibited by the database’s acceptable use policy.
The CFAA makes it illegal to intentionally access a computer connected to the Internet without authorization, but it doesn’t specify what “without authorization” means. Although the CFAA is aimed at computer break-ins, data theft, and destruction of computer systems, overzealous prosecutors have taken advantage of the law’s vague language to bring criminal charges that go beyond Congress’s anti-“hacking” purpose.
"Congress intended to criminalize the act of accessing a computer that you aren’t authorized to access, such as breaking into a corporate computer to steal user data or trade secrets or to spread viruses. The law should not be used to turn a violation of an employer’s computer use restrictions into a federal crime. That’s what happened here," said EFF Legal Fellow Jamie Williams.
In an amicus brief filed Wednesday, EFF told the U.S. Army Court of Criminal Appeals that violating a written policy, which restricted Manning from using unauthorized software to access a State Department database, is not a crime under the CFAA. Because most employers impose one-sided computer use policies on their employees, such an interpretation would potentially turn millions of Americans into criminals on the basis of innocuous activities, like browsing Facebook or viewing online sports scores at work in violation of company policy.
"Three federal circuit courts have recognized that violating computer use policies isn’t a crime under the CFAA, and we’re urging the Army court to follow suit,” said EFF Staff Attorney Andrew Crocker. “We have also urged Congress to adopt Aaron’s Law, named after late programmer and activist Aaron Swartz, who faced CFAA charges. The law which would ensure that people won't face criminal liability for violating terms of service agreements or other solely contractual agreements.”
The Center for Democracy & Technology and the National Association of Criminal Defense Lawyers joined EFF in filing the brief.
For our amicus brief:
Correction: an earlier version of this press release misstated the number of documents leaked. It's approximately 700,000 records.