Should prosecutors have the ability to take advantage of unclear laws to bring charges for behavior far beyond the problem Congress was trying to address? We don’t think so. When not carefully limited, criminal laws give prosecutors too much power to go after innocent individuals for innocuous behavior, like violating a website's terms of use by using a partner’s password to post something for them or print out a boarding pass. And that’s terrifying. It’s also contrary to a long-held constitutional rule requiring vague criminal statutes to be interpreted narrowly—called the Rule of Lenity—intended to ensure that people have clear and unambiguous notice in the letter of the law itself of what behavior could land them in prison.
But recently released federal guidelines for prosecutions under the Computer Fraud and Abuse Act (CFAA), intended to assist prosecutors in deciding when to bring charges under the notoriously vague federal statute targeting computer break-ins, demonstrate that prosecutors have far too much discretion in applying the CFAA. What’s more, the guidelines all but condone use of the CFAA to prosecute cases for political gain, under the guise of “deterrence.”
The CFAA was enacted back in 1986. Amazingly enough, it was prompted in part by fear generated by a fictional movie—the 1983 technothriller WarGames, starring Matthew Broderick. The law’s text makes it illegal to intentionally access a “protected computer”—which includes any computer connected to the Internet—“without authorization” or in excess of authorization. But the CFAA does not define “without authorization.” This has given overzealous prosecutors broad discretion to bring criminal charges against individuals for behavior that goes far beyond WarGames’ break-in of a government nuclear weapons control system. Indeed, the government now maintains that the CFAA can be violated merely by doing something on a computer network that the owner doesn't like and has prohibited in its one-sided terms of service. And this is important, because a violation of the law comes with severe penalties. We’re not talking jaywalking here.
Three federal courts of appeal—the Second Circuit, Fourth Circuit, and Ninth Circuit, the three most recent circuit courts to address the issue—have rejected the government’s broad interpretation of the statute. In the context of corporate computer use restrictions, they’ve held that merely disobeying those restrictions cannot give rise to CFAA liability. Each of these courts, along with numerous district courts across the country, have expressed deep concern about the constitutionality of the government’s attempts to use the CFAA to prosecute violations of computer use restrictions.
Despite widespread concern among courts, the recently released guidelines demonstrate that the Department of Justice isn’t listening. Instead, it seems intent on pursuing an overbroad and constitutionally suspect interpretation of the statute in any jurisdiction that hasn’t yet explicitly rejected it.
In fact, the government submitted the guidelines in a pending ACLU lawsuit, challenging the CFAA on First Amendment grounds, as “evidence” that the government won’t abuse the broad discretion conferred to it under its overbroad reading of the law. But the guidelines actually demonstrate the opposite—they confirm the breadth of discretion the government thinks it has under the CFAA.
First, these are “guidelines.” They do absolutely nothing to reign in prosecutorial discretion under the law. These guidelines merely suggest factors that prosecutors “should consider,” not factors that they must consider, before charging a case. Even if prosecutors were required to consider the listed factors (read: they are not), nothing in the guidelines limits their ability to file charges. The guidelines also offer no help to those prosecuted; they expressly state that defendants cannot rely on them to argue that a prosecutor has gone too far.
Second, the government has already abused its discretion under the CFAA, time and time again. Prosecutors used the law’s harsh maximum punishments as a ploy to capture the public’s attention and induce a plea bargain in their tragic case against Aaron Swartz. Aaron, facing up to 35 years in prison under 13 counts for downloading articles from an academic journal database, took his own life.
Prosecutors also tried to use the CFAA to make an example out of Lori Drew in its campaign against “cyberbullying,” despite that it is far beyond the reach of the statute to construe MySpace’s terms of service, which prevented lying about your age and identity, as the basis for a criminal violation. A California court overturned her conviction, but not until three years later.
Prosecutors again used the law’s draconian penalties to bring public attention to its prosecution of journalist Matthew Keys, a case involving what essentially amounted to Internet vandalism of a single Los Angeles Times article by a third party suspected of having ties to hacktivist group Anonymous. (The changes to the article were live for only about 40 minutes, and the government presented no evidence at trial to suggest that anyone actually saw it.) Keys, who was convicted of three counts of violating the CFAA, faced up to 25 years in prison and was sentenced to two years, essentially for the 40-minute defacement of the article.
The recently released guidelines seem to condone the use of the CFAA for such political ends—i.e., to draw public attention to cases and make examples out of defendants. Indeed, the guideline suggest that prosecutors consider, when deciding whether to file charges, the “increased need for deterrence” given advancements in technology. When the government mentions “deterrence,” it really means the ability to make an example out of people. Indeed, the government fails to include any evidence that CFAA prosecutions have any true deterrent effect. That’s because the evidence increasingly points the other way—“that lengthy prison sentences and mandatory minimum sentencing [like that imposed by the CFAA] cannot be justified on deterrence.”
Perhaps most disturbing, the guidelines suggest that advancements in technology generally weigh in favor of more federal prosecutions—and more serious prosecutions. Under this logic, we’ll be seeing more abuse of prosecutorial discretion under the CFAA, not less.
As the Second Circuit recognized last year in rejecting the government’s broad interpretation of the CFAA, “[w]hile the Government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters. A court should not uphold a highly problematic interpretation of a statute merely because the Government promises to use it responsibly.” We hope other courts feel the same way and continue rejecting the government’s highly problematic interpretation of the CFAA. Otherwise, it’s clear that prosecutors will continue to use the outdated statute in truly scary ways.
This article was originally entitled "What We’re Scared About This Halloween: Prosecutorial Discretion Under Notoriously Vague Computer Crime Statute."