April 21, 2011 | By Marcia Hofmann

Court Rejects Argument That All First-Time Email Hacking Offenses Are Felonies

Over the past few years, prosecutors have tried to stretch the Computer Fraud and Abuse Act (CFAA) in troubling ways through cases like United States v. Drew. This week, a federal appeals court rebuffed another attempt to expand the CFAA, finding that prosecutors can't double-count computer crime charges to turn misdemeanors into felonies.

Under the CFAA, it's generally a misdemeanor to access a computer in a way that is unauthorized or exceeds authorization. If someone violates the CFAA "in furtherance" of breaking another law, the crime turns from a misdemeanor into a felony. A different law, the Stored Communications Act (SCA), prohibits getting unauthorized access to someone else's email stored with an ISP. Since breaking into an email account stored with an ISP necessarily involves unauthorized access to the ISP's computer, the government can normally prosecute a first-time offense as a misdemeanor under the CFAA or the SCA.

Yet in United States v. Cioni, the government argued that a woman who broke into other people's email accounts violated the CFAA "in furtherance" of violating the SCA, double-counting the computer crime violations to convict her on felony charges.

This kind of double-counting punishes the defendant twice for the same thing, which is unconstitutional under the Fifth Amendment. If the appeals court affirmed Cioni’s conviction, that would mean that every unauthorized access to email stored with an ISP would be a felony. It's clear that Congress didn't want that, since it put misdemeanor punishments in the SCA. And while EFF takes email privacy very seriously, we think it's important for courts to apply computer crime laws cautiously.

So last fall, we partnered with the National Association of Criminal Defense Lawyers to file an amicus brief in the Cioni case. We argued that government's double-counting amounted to double jeopardy. We also said that the government's approach wasn't consistent with congressional intent or cases interpreting similar language in another computer crime law, the Wiretap Act. The Fourth Circuit agreed, finding that Cioni's two felony CFAA convictions should be reduced to misdemeanors.

The court got it right. It's clear that Congress meant for most first-time computer crimes to have less severe punishments, and not significant prison time.

For more analysis of this case, read Professor Orin Kerr's blog post here.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Illinois drone task force would have 22 members, mostly cops and industry reps, but not a single privacy advocate https://eff.org/r.6isf

Jun 29 @ 3:53pm

The Supreme Court's refusal to hear the API copyright case Oracle v. Google could be bad news for interoperability https://eff.org/r.68fa

Jun 29 @ 2:33pm

Do you want to fight for the user? EFF has a position open on our activism team: https://eff.org/r.6u3s

Jun 29 @ 1:56pm
JavaScript license information