Broken.

• Author: Matwyshyn, Andrea M.

TABLE OF CONTENTS I. INTRODUCTION 481 II. DEBUGGING REQUIRED: THE LIMITATIONS OF THE COMPUTER FRAUD AND ABUSE ACT 483 A. The Problem of "Double Whammy" Conduct: Doctrinal Limitations 484 1. Void for Vagueness 484 2. Damaging Contract 487 B. The Problem of Doctrinal Swapping: Harms to Innovation and National Security 492 C. The Problem of Contagion: Botnets and Malware 497 1. Post-Morris Malware and the Need for Security Epidemiology 498 2. Public-Private Malware Outbreak Management 502 III. THE NEXT RELEASE: A SECURITY EPIDEMIOLOGY MODEL AND THE NEW COMPUTER INTRUSION AND ABUSE ACT ("CIAA") 508 A. The CIAA 510 1. The Trespass Fixation 510 2. Technical Harms + Intent + Consent 514 a. Technical harms 515 b. Defendant intent 517 c. Consent: Kerr's Paradox and Grimmelmann's Resolution 519 i. Kerr's Trespass Norms and Grimmelmann's Consent 520 ii. Consent Dualism: Factual versus Legal Consent 522 iii. Why the Consent Dualism Distinction Matters 524 3. The New Language 526 a. Change 1: 1030(a)(1) - Criminal Computer Intrusion 527 b. Change 2: 1030(a)(2) - Criminal Impersonation with a Credential 536 c. Change 3: 1030(a)(3) - Abuse of Government Position of Trust 540 d. Change 4: 1030(a)(4) - Epidemic Malware 541 e. Change 5: Elimination of the Civil Provisions 552 B. How the CIAA Would Work in Practice 558 1. Hypothetical #1: The Malicious Third-Party Intruder 558 2. Hypothetical #2: The Infrastructure Disrupter 559 3. Hypothetical #3: The Security Researcher 559 4. Hypothetical #4: The Scared Consumer 561 5. Hypothetical #5: The Script Kiddie 562 6. Hypothetical #6: The DDoS Participants 563 7. Hypothetical #7: The Fibbing Consumer 563 8. Hypothetical #8: The Artful CAPTCHA Dodger 564 9. Hypothetical #9: The Grabby User 564 10. Hypothetical #10: The Nosy Aggregator 565 11. Hypothetical #11: The (Un)Advanced Persistent User 566 12. Hypothetical #12: The Competitor Aggregator 567 13. Hypothetical #13: The Rogue Corporate Insider 568 14. Hypothetical #14: The Password Sharer 570 15. Hypothetical #15: The Rogue Government Insider 571 16. Hypothetical #16: Bots for Tots, Silver Spears, and Research Recon 572 17. Hypothetical #17: The Silverphishing Botnet Harpoon 573 IV. CONCLUSION 573 I. INTRODUCTION

Sometimes the "secret ingredient" is a dash of typhoid fever. In an (in)famous moment in the dramatic history of epidemiology, a cook named Mary Mallon, whose hygiene practices were allegedly suboptimal, accidentally transmitted typhoid fever to diners through the meals she prepared. Mallon, better known to history as "Typhoid Mary," was a single carrier of typhoid fever. (2) By the time she was identified as the source of the New York City outbreak, Mallon had allegedly infected approximately a dozen other individuals with typhoid fever between 1900 and 1907. (3) But by doing so, she also spurred the evolution of modern epidemiology as a discipline in the United States. (4)

Just as Mallon's transmissions of typhoid fever revealed the need for a rigorous study of epidemiology in the U.S., so too do the relentless security compromises of public and private sector organizations today signal the need to revisit our current legal paradigms for computer intrusion. Our traditional criminal law paradigms have proven inadequate to stem the tide of computer intrusion crimes in the U.S. In particular, a fatal flaw in the law lies in a conceptual disconnect: our existing approach to computer intrusion and our attempts at encouraging prophylactic security conduct to prevent malware infections are not effectively working in tandem.

Specifically, our definitive computer intrusion statute, the Computer Fraud and Abuse Act ("CFAA"), belies its last-century crafting, as it strains under the new threat vectors leveraged by this century's formidable attackers. Thousands of pages of jurists' opinions and scholars' law review articles have pointed out the CFAA's doctrinal limitations and struggled to interpret the statute's core provisions. (5) The CFAA has generated heated policy debate, (6) circuit splits, (7) and much public outcry, (8) but, alas, none of the attempted solutions have successfully remedied its flaws over thirty years' time.

This Article admits defeat. It argues that the CFAA as currently written is unsalvageable and thus requires a rewrite of its core provisions. Then, shifting paradigms to an approach driven by principles from computer security and epidemiology theory, this Article offers an attempted rewrite of the CFAA in a manner more attuned to the current security reality.

Part II explains three core problems plaguing current CFAA interpretation--"double whammy" conduct, doctrinal swapping, and contagion. Part III offers an entirely new paradigm--the Computer Intrusion and Abuse Act ("CIAA"). Borrowing lessons from the field of computer security and epidemiology theory, the CIAA eliminates the CFAA's undefined core terms of "authorized access" and "exceeding authorized access" and replaces them with a three-pronged approach that assesses: (1) the existence of technologically demonstrable harms, i.e., impairment of the computer security properties of confidentiality, integrity, and availability; (2) the intent of the alleged intruder; and (3) the consent of the system or machine owner. The new CIAA approach then further buttresses protection for security research with an affirmative defense. Part III also advocates for the elimination of the current civil provisions of the CFAA, returning the new statute to the CFAA's original exclusively criminal statutory form. Finally, Part III advocates for the creation of three targeted CIAA provisions: one addressing criminal impersonation using a credential, one addressing violations by government employees in positions of trust, and one addressing epidemic malware. It ends with a series of hypotheticals demonstrating how the statute would function in practice. Part IV concludes.

2. DEBUGGING REQUIRED: THE LIMITATIONS OF THE COMPUTER FRAUD AND ABUSE ACT

   The first prosecution under the CFAA (9) was the case of Robert Morris Jr. In 1988, Morris, a graduate student at MIT, lost control of a worm (10) he had created as a proof of concept. (11) While Morris intended his worm to self-replicate across systems by exploiting a security vulnerability, (12) he had made an unfortunate mathematical error that resulted in a bug: the worm self-replicated at a disastrously fast rate. (13) Much like Typhoid Mary's infections, Morris' worm caused unintended harm. It substantially slowed down approximately ten percent of the (admittedly few) machines on the Internet at the time--machines whose availability was negatively impacted because the worm usurped their computing power. (14) Thus was born the first known self-replicating malware and the first CFAA prosecution--with an infection and a bug. (15)

   During the thirty years since the Morris worm, both the reach of the Internet and the sophistication of attacks have substantially expanded. So too have the types of cases brought under the CFAA. Yet, despite Congress's best intentions, the statute and its subsequent case law have, unfortunately, aged suboptimally. Three problems in particular have arisen: the problem of "double whammy" conduct, the problem of doctrinal swapping, and the problem of contagion.

   Recurring doctrinal limitations have confused courts, defendants, and legal scholars alike, and the broad scope of the CFAA has begun to erode the traditional boundaries between criminal law and contract (16)--a problem that might be known as the problem of "double whammy" conduct. Moreover, because the statute's civil and criminal case law has been used interchangeably by courts, civil litigants' frivolous CFAA civil claims can cause criminal law doctrine "creep" as courts use CFAA criminal and civil precedent interchangeably. This dynamic of judicial use of CFAA civil and criminal precedent as equally precedential for each other might be called the problem of doctrinal swapping. Doctrinal swapping has begun to impact potentially both innovation and national security negatively. Finally, as attacks and malware are becoming progressively more virulent and contagious, the CFAA does not provide adequate statutory authority and oversight in situations where public-private cooperation is required to stop ongoing attacks--the problem of contagion. These three concerns are discussed in the sections that follow.

   1. The Problem of "Double Whammy" Conduct: Doctrinal Limitations

      A focal point of the CFAA's interpretational uncertainty involves two primary areas: first, the statute's two core terms of "without authorization" and "exceeding authorized access"--terms that are never expressly defined in the CFAA--and, second, the statute's relationship to contract law. This uncertainty, in turn, has led courts to identify vagueness concerns and has triggered the undesirable blending of criminal law principles with those of contract breach doctrines.

      1. Void for Vagueness

         One of the main and longstanding criticisms of the CFAA is that, due to a number of amendments added over time, it has become "extraordinarily broad"--so broad that, as applied in certain circumstances, it may violate the void for vagueness doctrine. (17) Rooted in the Due Process Clause, the void for vagueness doctrine addresses two concerns: (1) providing fair notice of what activity the law criminalizes and (2) establishing minimum guidelines for law enforcement so that statutes are not applied with discriminatory intent. (18)

         Applications of the CFAA can raise void for vagueness concerns due to a combination of vague language meant to define the statute's core concepts of criminality coupled with a jurisdictional reach that essentially covers any computer or networked device in the world. (19) Violations of the CFAA often concern accessing a protected computer "without authorization" or accessing a protected computer in a way that "exceed[s] authorized access." (20) As...